[Bordeaux-threads-devel] *random-state* security problem
Lars Rune Nøstdal
larsnostdal at gmail.com
Wed Jan 7 18:15:03 UTC 2009
Hi,
Is it not a bit harsh to overwrite the "parent" state of this variable with
something that never generates random numbers? I mean; say -- security etc.?
I mean, we start with making sure RANDOM is a bit more RANDOM than usual:
  ;; Make RANDOM, well, random.
  (setf *random-state*
        (make-random-state t))
..and we trust this will stay so, even for threads -- based on the 3 points
mentioned here:
http://www.sbcl.org/manual/Special-Variables.html#Special-Variables
..especially the first point, but then we end up with:
  SW> (bt:make-thread (lambda () (format t "~A~%" (random 1000))))
  464
  #<SB-THREAD:THREAD FINISHED values: NIL {BBB2001}>
  SW> (bt:make-thread (lambda () (format t "~A~%" (random 1000))))
  464
  #<SB-THREAD:THREAD FINISHED values: NIL {BC487D1}>
..and we have cross-session security problems and what not pop up... :(
(..I know it is a pseudo-random generator, but it is "good enough" for my
uses when set to T and combined with something from /dev/random from time to
time..)
--
Lars Rune Nøstdal
http://nostdal.org/
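
Added example, not part of the original message and not bordeaux-threads code: one way to stop depending on the *random-state* a new thread receives is to rebind it inside the thread, and to take values that must be unpredictable (session ids and the like) from /dev/urandom instead of RANDOM. The helper names are hypothetical; it assumes bordeaux-threads is loaded under the nickname BT, a Unix-like system, and that BT:JOIN-THREAD returns the thread function's value (as it does on SBCL).

```lisp
;; Added example; helper names are hypothetical, BT is bordeaux-threads.

(defun call-with-fresh-random-state (function)
  "Call FUNCTION with *RANDOM-STATE* bound to a newly seeded state, so the
result does not depend on the state the current thread was started with."
  (let ((*random-state* (make-random-state t)))
    (funcall function)))

(defun make-seeded-thread (function &key (name "seeded-thread"))
  "Wrapper around BT:MAKE-THREAD that reseeds RANDOM inside the new thread."
  (bt:make-thread (lambda () (call-with-fresh-random-state function))
                  :name name))

(defun urandom-token (&optional (n-bytes 16))
  "Return N-BYTES read from /dev/urandom as a lowercase hex string.
Intended for session ids and other values that must not be guessable."
  (with-open-file (in "/dev/urandom" :element-type '(unsigned-byte 8))
    (let ((buffer (make-array n-bytes :element-type '(unsigned-byte 8))))
      (unless (= (read-sequence buffer in) n-bytes)
        (error "Short read from /dev/urandom"))
      ;; ~( ... ~) downcases, ~{ ... ~} walks the byte list, ~2,'0x pads hex.
      (format nil "~(~{~2,'0x~}~)" (coerce buffer 'list)))))

(defun thread-draws (count &key seeded)
  "Start COUNT threads that each return (random 1000000) and collect the
values. With SEEDED nil the threads use whatever *RANDOM-STATE* they got."
  (let ((threads
          (loop repeat count
                collect (if seeded
                            (make-seeded-thread (lambda () (random 1000000)))
                            (bt:make-thread (lambda () (random 1000000)))))))
    (mapcar #'bt:join-thread threads)))

(defun all-draws-identical-p (draws)
  "True when every thread produced the same number, as in the report above."
  (= 1 (length (remove-duplicates draws))))

;; At the REPL:
;;   (all-draws-identical-p (thread-draws 4))            ; shared fixed state?
;;   (all-draws-identical-p (thread-draws 4 :seeded t))  ; after reseeding
;;   (urandom-token)                                     ; 32 hex characters
```

How (make-random-state t) gathers its seed is implementation-dependent, so the reseeded RANDOM only removes the repeated-sequence problem; it does not make RANDOM suitable for secrets.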