[Bordeaux-threads-devel] *random-state* security problem

Lars Rune Nøstdal larsnostdal at gmail.com
Wed Jan 7 18:15:03 UTC 2009


Hi,
Is it not a bit harsh to overwrite the "parent" state of this variable with
something that never generates random numbers? I mean; say -- security etc.?

I mean, we start with making sure RANDOM is a bit more RANDOM than usual:


;; Make RANDOM, well, random.
(setf *random-state*
      (make-random-state t))


..and we trust this will stay so, even for threads -- based on the 3 points
mentioned here:
http://www.sbcl.org/manual/Special-Variables.html#Special-Variables

..especially the first point, but then we end up with:

SW> (bt:make-thread (lambda () (format t "~A~%" (random 1000))))
464
#<SB-THREAD:THREAD FINISHED values: NIL {BBB2001}>
SW> (bt:make-thread (lambda () (format t "~A~%" (random 1000))))
464
#<SB-THREAD:THREAD FINISHED values: NIL {BC487D1}>


..and we have cross-session security problems and what not pop up... :(

(..I know it is a pseudo-random generator, but it is "good enough" for my
uses when set to T and combined with something from /dev/random from time to
time..)

-- 
Lars Rune Nøstdal
http://nostdal.org/
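
One way to keep each thread's generator independent of whatever state the thread library installs, as an added example that is not part of the original post or of bordeaux-threads itself. The names SPAWN-WITH-FRESH-RANDOM-STATE and DISTINCT-THREAD-DRAWS are hypothetical, and it assumes the implementation seeds (make-random-state t) from a fresh source on every call.

```lisp
;; Added example; assumes bordeaux-threads is loaded under the nickname BT,
;; as in the post. Both function names below are hypothetical.

(defun spawn-with-fresh-random-state (function &key (name "worker"))
  "Start a thread that runs FUNCTION with *RANDOM-STATE* bound to a newly
seeded state instead of the one the thread library bound for it."
  (bt:make-thread
   (lambda ()
     ;; A dynamic binding made inside the thread is thread-local: it does
     ;; not share state with the parent and does not overwrite the parent's
     ;; generator either.
     (let ((*random-state* (make-random-state t)))
       (funcall function)))
   :name name))

(defun distinct-thread-draws (&key (threads 8) (limit (expt 2 64)))
  "Spawn THREADS workers, collect each worker's first RANDOM draw, and
return the number of distinct values seen. A result of 1 means every
thread started from the same state, which is the behaviour in the post."
  (let* ((lock (bt:make-lock "draws"))
         (draws '())
         (workers
           (loop repeat threads
                 collect (spawn-with-fresh-random-state
                          (lambda ()
                            ;; LIMIT is large so that equal draws point to
                            ;; a shared seed rather than to chance.
                            (let ((n (random limit)))
                              (bt:with-lock-held (lock)
                                (push n draws))))))))
    ;; Wait for every worker before inspecting the shared list.
    (mapc #'bt:join-thread workers)
    (length (remove-duplicates draws))))
```

Calling (distinct-thread-draws) after loading the library gives a quick regression check for the repeated-value behaviour shown in the REPL transcript.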