New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DDoS hash collision attack as reported by Jesse Wilson #416
Conversation
Jesse brings out a good point, and his point might be more applicable to Groovy. In fact, once I stopped arguing with him I realized that Groovy impacted a lot more than Boon, and Groovy is widely used and Boon is not. Also I think this impacted the old Groovy JSON parser as well but I could be wrong. http://publicobject.com/2014/05/11/the-json-benchmarks-are-wrong/ I think Boon might is less vulnerable than Groovy, but I patched it today as well. http://rick-hightower.blogspot.com/2014/05/fud-gson-100x-faster-than-jac kson-and.html If you are using Boon and Pojos (which is the most common combination that I have seen for a public API), then this is not an issue with Boon. Also Boon and Groovy if using JDK 1.7 then there is a special JDK 1.7 flag that prevents this. Groovy unlike Boon before the patch might and likely still have this issue even for Pojos. Boon Pojo support uses the API that knows about the index overlay for Pojos so that is why this was not an issue with Boon. It seems Groovy is more vulnerable because it supports JDK 1.6 (Boon does not) and the Map to Groovy object routines would not know about the index overlay API, and would not know to avoid the map (which I do for performance). You can see an example here on how to access the underlying index overlay method. http://rick-hightower.blogspot.com/2014/05/fud-gson-100x-faster-than-jac kson-and.html Groovy is impacted in pretty much every public API that uses a map (rare) or a POJO so 100% of public APIs unless you filter at payload size with an F5 or scan the JSON stream ahead of time. The same index overlay API exists (shown in blog) so there is a workaround, but since it is with both Map and Pojo, I took time off from everything else to fix this. This is a quick interim patch. It just works. With this patch it should not be possible to ever do a hash key collision attack. This patch checks for Java 1.7 and above and then checks to see jdk.map.althashing.threshold is set if 1.7. If Java is below 1.7, then it uses TreeMap, if Java is 1.7 and threshold not set then this patch uses TreeMap. If Java 1.8, this patch uses LinkedHashMap. I worked on this now because I realized it was much more of an issue with Groovy than Boon (as described above), and Groovy is much more widely used.
Looks good. I am wondering if it wouldn't be safer to make the |
Done. Tests pass. Pull it. :) On Wed, May 14, 2014 at 1:22 AM, Cédric Champeau
Rick Hightower |
DDoS hash collision attack as reported by Jesse Wilson
Thank you! |
Thank you. On Wed, May 14, 2014 at 2:15 AM, Cédric Champeau
Rick Hightower |
…es questionable byte code (tidy comments - closes groovy#416)
Jesse brings out a good point, and his point might be more applicable
to Groovy. In fact, once I stopped arguing with him I realized that
Groovy was impacted a lot more than Boon, and Groovy is widely used and
Boon is not.
Also I think this impacted the old Groovy JSON parser as well but I
could be wrong. (seems to impact Jackson according to Jesse).
The issue is described here:
http://publicobject.com/2014/05/11/the-json-benchmarks-are-wrong/
Boon is less vulnerable than Groovy, but I patched it
today as well as a proof of concept for this.
http://rick-hightower.blogspot.com/2014/05/fud-gson-100x-faster-than-jackson-and.html
This is not an issue for Boon and Pojos, but it is for Groovy and Pojos.
Boon Pojo support uses the API that knows about the index overlay for
Pojos so that is why this was not an issue with Boon (it avoids using a hashmap) for Pojos.
It seems Groovy is more vulnerable because it supports JDK 1.6 (Boon
does not) and the Map to Groovy object routines would not know about
the index overlay API, and would not know to avoid the map (which Boon does
for performance).
You can see an example here on how to access the underlying index
overlay method.
http://rick-hightower.blogspot.com/2014/05/fud-gson-100x-faster-than-jackson-and.html
Like Boon, Groovy is impacted in pretty much every public API that uses a map
(rare).
Unlike Boon (which is why this is more important for Groovy) this also impacts POJO
so 100% of public APIs unless you filter at payload
size with an F5 or scan the JSON stream ahead of time. The same index
overlay API exists (shown in blog) so there is a workaround, but since
with Groovy it is with both Map and Pojo, I took time off from everything else to
fix this.
This is a quick interim patch. It just works.
With this patch it should not be possible to avoid a hash key
collision attack. This patch checks for Java 1.7 and above and then
checks to see jdk.map.althashing.threshold is set if 1.7.
See http://docs.oracle.com/javase/7/docs/technotes/guides/collections/changes7.html
If Java is below 1.7, then this patch uses TreeMap, if Java 1.7 and threshold is not set
then this patch uses TreeMap. If Java 1.8, this patch uses
LinkedHashMap.