Date: 2004-02-28 (19:29)
From: Richard Jones <rich@a...>
Subject: Re: [Caml-list] How to secure an OCaml server
On Sat, Feb 28, 2004 at 06:06:01PM +0100, Thomas Fischbacher wrote:
> On Sat, 28 Feb 2004, Richard Jones wrote:
> > On Sun, Feb 29, 2004 at 01:44:10AM +0900, Yutaka OIWA wrote:
> > > Unlike C and C++, Objective Caml has strong builtin protection for
> > > array boundary overflow.  You can expect that inputs which usually
> > > cause arbitrary code execution (like viruses and worms) do not cause
> > > such catastrophe, but only make your programs report runtime exception
> > > and then halt.
> > 
> > Remember the corollary of having safe arrays is that people can DoS
> > your server by opening a socket and writing .. and writing .. and
> > writing.  It's always a good idea to either implement your own
> > sensible maximums on the length of strings / arrays, or at least run
> > your module with a BSD resource-style limit (setrlimit(2)).
> Yes. Another interesting issue that frequently comes up in such situations 
> is provoking hash collisions.

Yes, right!  I forgot about that one, but it's very important.  IIRC
Perl 5.8.0 changed hashes so there is some randomness in the hashing
function, which reduces the possibility of this sort of attack.


Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
PTHRLIB is a library for writing small, efficient and fast servers in C.
HTTP, CGI, DBI, lightweight threads: http://www.annexia.org/freeware/pthrlib/
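The two defences the thread converges on, a hard cap on how much a client may send and a hash table an attacker cannot pre-collide, can both be done with the OCaml standard library. The following is an added example, not code from the thread or from any project mentioned in it; it assumes OCaml 4.08 or later (for Fun.protect), and the limits, the header-parsing shape and the sample input are all assumptions chosen for illustration.

```ocaml
(* Added example, not from the thread: bounded input reading and a
   randomised hash table, standard library only (OCaml >= 4.08). *)

exception Input_too_long of string

(* Assumed application limits; the thread gives no values. *)
let max_line_bytes = 4096      (* longest single header line accepted    *)
let max_request_bytes = 16384  (* total header bytes accepted per request *)
let max_headers = 100          (* header lines accepted per request       *)

(* Read one '\n'-terminated line from [ic], but stop as soon as [limit]
   bytes have arrived without a newline. [input_line] keeps growing its
   buffer for as long as the client keeps writing; this fails fast. *)
let read_bounded_line ~limit ic =
  let buf = Buffer.create 256 in
  let rec loop () =
    match input_char ic with
    | '\n' -> Buffer.contents buf
    | c ->
        if Buffer.length buf >= limit then
          raise (Input_too_long (Printf.sprintf "line exceeds %d bytes" limit));
        Buffer.add_char buf c;
        loop ()
    | exception End_of_file ->
        if Buffer.length buf = 0 then raise End_of_file
        else Buffer.contents buf
  in
  loop ()

(* Drop a trailing '\r' so CRLF and LF line endings are treated alike. *)
let strip_cr s =
  let n = String.length s in
  if n > 0 && s.[n - 1] = '\r' then String.sub s 0 (n - 1) else s

(* Parse "Name: value" header lines up to the first blank line. Header
   names are attacker-controlled, so the table is created with
   [~random:true]: each table gets its own hash seed, and a client cannot
   precompute a set of names that all land in one bucket. Setting
   OCAMLRUNPARAM=R turns this on for every Hashtbl in the program. *)
let parse_headers ic : (string, string) Hashtbl.t =
  let tbl = Hashtbl.create ~random:true 64 in
  let rec loop total count =
    let line = strip_cr (read_bounded_line ~limit:max_line_bytes ic) in
    let total = total + String.length line + 1 in
    if total > max_request_bytes then
      raise (Input_too_long
               (Printf.sprintf "headers exceed %d bytes" max_request_bytes));
    if line = "" then tbl
    else begin
      if count >= max_headers then
        raise (Input_too_long
                 (Printf.sprintf "more than %d header lines" max_headers));
      (match String.index_opt line ':' with
       | Some i ->
           let name = String.lowercase_ascii (String.trim (String.sub line 0 i)) in
           let value =
             String.trim (String.sub line (i + 1) (String.length line - i - 1)) in
           Hashtbl.replace tbl name value
       | None -> ());  (* malformed line; a stricter server would reject it *)
      loop total (count + 1)
    end
  in
  loop 0 0

(* Run [f] on an in_channel over constructed [data]. The stdlib has no
   in-memory in_channel, so a temporary file stands in for the socket. *)
let with_input data f =
  let path = Filename.temp_file "hdr" ".txt" in
  let oc = open_out_bin path in
  output_string oc data;
  close_out oc;
  let ic = open_in_bin path in
  Fun.protect ~finally:(fun () -> close_in ic; Sys.remove path)
    (fun () -> f ic)

let () =
  (* Constructed well-formed request: parsed normally. *)
  let good = "Host: example.test\r\nX-Token: abc\r\n\r\nbody" in
  let tbl = with_input good parse_headers in
  Printf.printf "parsed %d headers, host=%s\n"
    (Hashtbl.length tbl) (Hashtbl.find tbl "host");
  (* Constructed hostile client that writes without ever sending a newline:
     rejected once max_line_bytes have been read, not buffered forever. *)
  let hostile = String.make (10 * max_line_bytes) 'A' in
  match with_input hostile parse_headers with
  | _ -> print_endline "unexpected: hostile input accepted"
  | exception Input_too_long msg -> Printf.printf "rejected: %s\n" msg
```

Build with `ocamlopt -o demo demo.ml` and run `./demo`; the first request parses two headers, the second is rejected after 4096 bytes. The setrlimit(2) advice from the thread sits outside the standard library; in practice it is applied by the process launcher (for example `ulimit -v` in the shell) before the server is started, and it catches what the in-code caps miss.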

To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners