>> Is the platform random function good enough? The attacker has read
>> access to the current time and may find a way to predict the cookie
>> value.

The attacker also has access to the V8::Random function itself (it is used to generate random numbers on the JS side). So he can try to tinker with the random generator state by calling Math.random().

--
Vyacheslav Egorov

On Thu, Aug 26, 2010 at 4:40 PM, <[email protected]> wrote:
>
> http://codereview.chromium.org/3169050/diff/15001/16001
> File src/ia32/codegen-ia32.cc (right):
>
> http://codereview.chromium.org/3169050/diff/15001/16001#newcode157
> src/ia32/codegen-ia32.cc:157: jit_cookie_ = V8::Random();
> Is the platform random function good enough? The attacker has read
> access to the current time and may find a way to predict the cookie
> value.
>
> Style nit: the cookie field should be set in the initializer list like
> the other fields.
>
> http://codereview.chromium.org/3169050/diff/15001/16001#newcode5333
> src/ia32/codegen-ia32.cc:5333: __ push(Immediate(bits ^ jit_cookie_));
> We should prevent dependency of the instruction encoding length on the
> size of the immediates. Otherwise, different cookie values will produce
> significantly different code and will make debugging hard.
>
>
> http://codereview.chromium.org/3169050/show

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
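The two review points above (masking immediates with a JIT cookie, and the encoding-length dependence on immediate size) can be illustrated with a small standalone encoder. This is an added example written for this page, not V8's code: `emit_masked_push`, `emit_push_imm`, `masked_push_length` and `masked_push_leaks` are hypothetical helpers, the `push (bits ^ cookie); xor dword [esp], cookie` sequence is an assumed form of the masking scheme rather than the exact instructions in the review, and the constants and cookie values are constructed samples. It shows that with the mask applied the raw constant no longer appears verbatim in the emitted bytes, and that if the assembler is allowed to pick the short `push imm8` form, the emitted length changes with the cookie value, which is exactly the debugging problem the reviewer raises; forcing the 32-bit form removes that dependence.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Write a 32-bit value in little-endian byte order (x86 immediate encoding). */
static void put_le32(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Encode ia32 "push imm". Opcode 0x6A takes a sign-extended imm8 (2 bytes in
   total); opcode 0x68 takes an imm32 (5 bytes in total). With allow_short set,
   the encoder picks the shortest form, so the length depends on the value. */
static size_t emit_push_imm(uint8_t *out, uint32_t imm, bool allow_short) {
    int32_t s = (int32_t)imm;
    if (allow_short && s >= -128 && s <= 127) {
        out[0] = 0x6A;
        out[1] = (uint8_t)s;
        return 2;
    }
    out[0] = 0x68;
    put_le32(out + 1, imm);
    return 5;
}

/* Hypothetical masked emitter (assumed scheme, not V8's exact code):
     push  (bits ^ cookie)        ; the raw constant never appears verbatim
     xor   dword [esp], cookie    ; 81 34 24 imm32, restores `bits` at run time
   Returns the number of bytes written; `out` needs room for 12 bytes. */
size_t emit_masked_push(uint8_t *out, uint32_t bits, uint32_t cookie, bool allow_short) {
    size_t n = emit_push_imm(out, bits ^ cookie, allow_short);
    out[n++] = 0x81; out[n++] = 0x34; out[n++] = 0x24;
    put_le32(out + n, cookie);
    return n + 4;
}

/* True if the little-endian byte pattern of `value` occurs anywhere in `code`. */
bool code_contains_imm32(const uint8_t *code, size_t len, uint32_t value) {
    uint8_t pat[4];
    put_le32(pat, value);
    for (size_t i = 0; i + 4 <= len; i++) {
        if (code[i] == pat[0] && code[i + 1] == pat[1] &&
            code[i + 2] == pat[2] && code[i + 3] == pat[3])
            return true;
    }
    return false;
}

/* Length of the emitted sequence for a given constant/cookie/encoder policy. */
size_t masked_push_length(uint32_t bits, uint32_t cookie, bool allow_short) {
    uint8_t buf[16];
    return emit_masked_push(buf, bits, cookie, allow_short);
}

/* True if the unmasked constant is visible verbatim in the emitted bytes. */
bool masked_push_leaks(uint32_t bits, uint32_t cookie, bool allow_short) {
    uint8_t buf[16];
    size_t n = emit_masked_push(buf, bits, cookie, allow_short);
    return code_contains_imm32(buf, n, bits);
}

int main(void) {
    const uint32_t bits = 0x11223344u;     /* constructed sample constant */
    const uint32_t cookie = 0x5A5A5A5Au;   /* constructed sample cookie */

    printf("cookie 0:       leaks=%d len=%zu\n",
           masked_push_leaks(bits, 0, false), masked_push_length(bits, 0, false));
    printf("cookie set:     leaks=%d len=%zu\n",
           masked_push_leaks(bits, cookie, false), masked_push_length(bits, cookie, false));
    /* Small constant: with short forms allowed, the length changes with the cookie. */
    printf("short allowed:  len=%zu (cookie 0) vs %zu (cookie set)\n",
           masked_push_length(5, 0, true), masked_push_length(5, cookie, true));
    printf("imm32 forced:   len=%zu (cookie 0) vs %zu (cookie set)\n",
           masked_push_length(5, 0, false), masked_push_length(5, cookie, false));
    return 0;
}
```

The masking only helps if the cookie is unpredictable, which is the thread's other point: a cookie drawn from a generator whose state is observable from script (or seeded from the clock) gives the same bytes to anyone who can reproduce that state. Separately, forcing the imm32 form keeps every masked site 12 bytes long regardless of cookie, so two runs of the same code differ only in immediate bytes and not in layout.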
