Q. Is the uniform hashing assumption important in practice?
A. Obvious situations: aircraft control, nuclear reactor, pacemaker.
A. Surprising situations: denial-of-service attacks.
Real-world exploits. [Crosby-Wallach 2003]
Bro server: send carefully chosen packets to DoS the server,
using less bandwidth than a dial-up modem.
Perl 5.8.0: insert carefully chosen strings into associative array.
Linux 2.4.20 kernel: save files with carefully chosen names.
Bug 750533 - (CVE-2012-2739) CVE-2012-2739 java: hash table collisions CPU usage DoS (oCERT-2011-003)
Status: ASSIGNED
Aliases: CVE-2012-2739
Product: Security Response
Component: vulnerability
Version(s): unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Security Response Team
Whiteboard: impact=moderate,public=20111228,repor...
Keywords: Reopened, Security
Blocks: hashdos/oCERT-2011-003 750536
Reported: 2011-11-01 10:13 EDT by Jan Lieskovsky
Modified: 2012-11-27 10:50 EST
Doc Type: Bug Fix
Last Closed: 2011-12-29 07:40:08
Jan Lieskovsky 2011-11-01 10:13:47 EDT
Julian Wälde and Alexander Klink reported that the String.hashCode() hash function is not sufficiently collision
resistant. hashCode() value is used in the implementations of HashMap and Hashtable classes:
http://docs.oracle.com/javase/6/docs/api/java/util/HashMap.html
http://docs.oracle.com/javase/6/docs/api/java/util/Hashtable.html
A specially-crafted set of keys could trigger hash function collisions, which can degrade performance of HashMap
or Hashtable by changing hash table operations complexity from an expected/average O(1) to the worst case O(n).
Reporters were able to find colliding strings efficiently using equivalent substrings and meet in the middle
techniques.
This problem can be used to start a denial of service attack against Java applications that use untrusted inputs
as HashMap or Hashtable keys. An example of such application is web application server (such as tomcat, see bug
#750521) that may fill hash tables with data from HTTP request (such as GET or POST parameters). A remote
attack could use that to make JVM use excessive amount of CPU time by sending a POST request with large amount
of parameters which hash to the same value.
This problem is similar to the issue that was previously reported for and fixed
in e.g. perl:
http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
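An added example, not part of the bug report or of any project's code: a defensive pre-check an application could run on untrusted parameter names before using them as HashMap or Hashtable keys. The class name, both thresholds and the sample keys are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Added example (hypothetical class): screen untrusted parameter names
// before they are used as HashMap/Hashtable keys.
public class ParamKeyGuard {
    static final int MAX_PARAMS = 1000;   // assumed per-request parameter cap
    static final int MAX_SAME_HASH = 4;   // assumed cap on keys sharing one hashCode()

    // Largest number of distinct keys that share one String.hashCode() value.
    // Uses sorting only, so the check never hashes untrusted strings itself.
    static int largestCollisionGroup(List<String> keys) {
        String[] sorted = keys.toArray(new String[0]);
        Arrays.sort(sorted);
        int[] hashes = new int[sorted.length];
        int n = 0;
        for (int i = 0; i < sorted.length; i++) {
            if (i == 0 || !sorted[i].equals(sorted[i - 1])) {   // skip duplicate keys
                hashes[n++] = sorted[i].hashCode();
            }
        }
        Arrays.sort(hashes, 0, n);
        int worst = 0, run = 0;
        for (int i = 0; i < n; i++) {
            run = (i > 0 && hashes[i] == hashes[i - 1]) ? run + 1 : 1;
            worst = Math.max(worst, run);
        }
        return worst;
    }

    // Reject oversized requests first, then requests whose keys cluster on one hash.
    static boolean accept(List<String> keys) {
        return keys.size() <= MAX_PARAMS && largestCollisionGroup(keys) <= MAX_SAME_HASH;
    }

    public static void main(String[] args) {
        // Constructed samples. "Aa" and "BB" have the same hashCode(), and so
        // does every equal-length concatenation of those two blocks.
        List<String> benign = Arrays.asList("user", "lang", "page", "sort", "q", "token");
        List<String> clustered = Arrays.asList("AaAaAa", "AaAaBB", "AaBBAa", "AaBBBB",
                                               "BBAaAa", "BBAaBB", "BBBBAa", "BBBBBB");
        for (List<String> keys : Arrays.asList(benign, clustered)) {
            System.out.printf("%d keys, largest same-hash group %d, accept=%b%n",
                    keys.size(), largestCollisionGroup(keys), accept(keys));
        }
    }
}
```

The check counts only keys with identical hashCode() values, which is the collision case the report describes; the parameter cap bounds the total work regardless of how the keys hash.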
Jan Lieskovsky 2011-11-01 10:18:44 EDT
Acknowledgements:
Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink
as the original reporters.
Tomas Hoger 2011-12-29 07:23:27 EST
This issue was presented on 28C3:
http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
Details were posted to full-disclosure:
http://seclists.org/fulldisclosure/2011/Dec/477