From mboxrd@z Thu Jan  1 00:00:00 1970
Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id VAA12196; Sat, 28 Feb 2004 21:20:26 +0100 (MET)
X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f
Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id VAA12357 for <caml-list@pauillac.inria.fr>; Sat, 28 Feb 2004 21:20:24 +0100 (MET)
Received: from aomori.annexia.org (annexia.force9.co.uk [212.56.101.183])
	by concorde.inria.fr (8.12.10/8.12.10) with ESMTP id i1SKKNae010282
	for <caml-list@inria.fr>; Sat, 28 Feb 2004 21:20:24 +0100
Received: from rich by aomori.annexia.org with local (Exim 3.36 #1 (Debian))
	id 1AxAwV-0000vw-00; Sat, 28 Feb 2004 20:20:11 +0000
Date: Sat, 28 Feb 2004 20:20:11 +0000
To: David MENTRE <dmentre@linux-france.org>
Cc: Thomas Fischbacher <Thomas.Fischbacher@Physik.Uni-Muenchen.DE>,
        caml-list@inria.fr
Subject: Re: [Caml-list] How to secure an OCaml server
Message-ID: <20040228202011.GA3551@redhat.com>
References: <87llmnme9b.fsf@linux-france.org> <vfioerj9msl.fsf@tuba.is.s.u-tokyo.ac.jp> <20040228165400.GA24495@redhat.com> <Pine.LNX.4.58.0402281805260.5837@seekar.cip.physik.uni-muenchen.de> <877jy7kn52.fsf@linux-france.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <877jy7kn52.fsf@linux-france.org>
User-Agent: Mutt/1.5.4i
From: Richard Jones <rich@annexia.org>
X-Miltered: at concorde by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")!
X-Loop: caml-list@inria.fr
X-Spam: no; 0.00; caml-list:01 2004:99 physik:01 hash:01 hash:01 degenerate:01 hashes:01 hashed:01 denial:99 ltd:98 ocaml:01 writes:01 mentre:01 wrote:03 elaborate:03 
Sender: owner-caml-list@pauillac.inria.fr
Precedence: bulk

On Sat, Feb 28, 2004 at 08:41:13PM +0100, David MENTRE wrote:
> Hello Thomas,
> 
> Thomas Fischbacher <Thomas.Fischbacher@Physik.Uni-Muenchen.DE> writes:
> 
> > Yes. Another interesting issue that frequently comes up in such situations 
> > is provoking hash collisions.
> 
> Could you elaborate more on this? I don't understand about which hash
> your are talking.

This is a new type of vulnerability discovered fairly recently.  With
much webserver software written in Perl it is (was) possible to upload
patterns of data which would cause degenerate cases in hashes.  That's
to say that the data would be chosen so that it all hashed into the
same bucket in the hash.  This would cause servers to perform O(n^2)
operations, slowing them down and effectively creating a denial of
service.

There is some more information here:

http://www.cs.rice.edu/~scrosby/hash/

Rich.

-- 
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
http://www.YouUnlimited.co.uk/ - management courses

-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners