Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

why do perl, ruby use /dev/urandom

Tags:

python

linux

bash

ruby

perl

I strace'd a simple script using perl and bash.

$ strace perl -e 'echo "test";' 2>&1 | grep 'random'
open("/dev/urandom", O_RDONLY)          = 3
$ strace bash 'echo "test"' 2>&1 | grep 'random'
$

Why does perl need the pseudorandom number generator for such a trivial script? I would expect opening /dev/urandom only after the first use of random data.

Edit: I also tested python and ruby

$ strace python -c 'print "test"' 2>&1 | grep random
$
$ strace ruby -e 'print "test\n"' 2>&1 | grep random
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC) = 3

Why do perl and ruby open it with different modes?

like image 216
dimid Avatar asked Nov 17 '14 22:11

dimid

People also ask

What does cat Dev urandom do?

cat /dev/urandom will give you a stream of random bytes between 0 and 255 , not all of those values are valid text characters. Because the terminal window was feed invalid data it was never expected to handle it could get the terminal application in to a "broken" state.

What is Dev urandom?

The /dev/random and /dev/urandom files are special files that are a source for random bytes generated by the kernel random number generator device. The /dev/random and /dev/urandom files are suitable for applications requiring high quality random numbers for cryptographic purposes.

What does random urandom device do?

The /dev/urandom device provides a reliable source of random output, however the output will not be generated from an equal amount of random input if insufficient input is available. Reads from the /dev/urandom device always return the quantity of output requested without blocking.

What is the difference between Dev random and Dev urandom?

The key difference between /dev/random versus /dev/urandom is whether a threshold of enough entropy has to be reached before random numbers are generated. Reading from /dev/random will be put on hold if the kernel has not gathered enough entropy to provide the requested amount of data.

1 Answers

Try searching for "Denial of Service via Algorithmic Complexity Attacks".

In brief, if a Perl script accepts outside input (from a file, network, etc) and stores that data in a hash, an attacker who can influence the data can exploit the hashing algorithm to deteriorate hashes (O(1) lookups) into linked lists (O(N) lookups). To defend against this type of attack, certain parameters of the hashing algorithm are randomised at program start-up so that an attacker cannot construct a sequence of hash keys that will cause a problem.

This is obviously not specific to Perl. Any program which uses a hashing algorithm is potentially vulnerable to this type of attack.

like image 65
Grant McLean Avatar answered Sep 20 '22 14:09

Grant McLean
Sign in to Comment

Related questions

How to center a window with PyGObject
Numpy: Difference between a[i][j] and a[i,j]
How to use a callback function in python?
Scrapy Vs Nutch [closed]
Is freeing handled differently for small/large numpy arrays?
How to load sentences into Python gensim?
Generate equation with the result value closest to the requested one, have speed problems
Using a different schema for the same declarative Base in sqlalchemy
Resize display resolution using python with cross platform support
dir() without built-in methods
Jinja2 Exception Handling
Fast/Optimize N-gram implementations in python
Accessing the list while being sorted
Python MySQL Connector executing second sql statement within cursor loop?
How to use gdb python debugging extension inside virtualenv
How to center text vertically inside a text input in kv file?
FastCGI WSGI library in Python 3?
How would one decorate an inherited method in the child class?
Extremely slow import of matplotlib afm
Patching sshuttle's firewall.py -- IPFW to PF [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!