Node: Address HashWick

Created on 4 Oct 2018 · 6 Comments · Source: nodejs/node

All 6 comments

I implemented siphash in V8 already and also merged the patch into node master, but am really busy these days. Can someone port this to gyp to enable it in node?

I implemented siphash in V8 already and also merged the patch into node master, but am really busy these days. Can someone port this to gyp to enable it in node?

@nodejs/node-gyp

I believe this has now been addressed by https://github.com/nodejs/node/pull/26367 which is active in 11.12.0. Please reopen if I am mistaken.

I'm going to reopen this because we don't have full closure. At this stage I'd define closure as a public communication about status and impact. As far as I'm aware there are no plans for further technical changes (SipHash backport would be the only possible additional technical change but I don't believe that's practical?).

There was a conversation in private (https://github.com/nodejs-private/security/issues/198) about next steps, but that's gone stale as of a month ago so we may as well have it here.

I suggested that we formulate communication that outlined something like the following:

  • Node 6 won't be fixed, too old and EOL soon anyway
  • 64-bit seeds make HashWick much less risky, but theoretically not entirely impossible to exploit. Node 8 and 10 have that.
  • Only Node 11+ get SipHash which makes HashWick go away (inasmuch as we can be certain about these things). Node 11 and 12 have that.
  • We are not aware of any practical exploit of HashWick in the wild and believe you'll be safe with just 64-bit hash seeds in Node 8 and 10. Node 12 will be an important upgrade if you are concerned about this risk and want to be as certain as we are that it's fixed.

That last point being the tricky one to communicate.

I haven't drafted anything beyond those points but if someone else wants to take this ball and draft something to post on https://nodejs.org/en/blog/vulnerability/ then be my guest.

I still think the write-up I did about this is the most approachable public summary of the problem: https://nodesource.com/blog/node-js-and-the-hashwick-vulnerability/ although Fedor had some technical quibbles, see responses to https://twitter.com/NodeSource/status/1033009653062545408. This could be used as a reference to better explain the problem, along with https://darksi.de/12.hashwick-v8-vulnerability/.

Ping @rvagg ... where are we at on this?

Don't remember. Did 10.x ever get a V8 that had SipHash? Maybe not. This is for someone else to take up if they think it's still something to be concerned about (hint: it is, but it's a question of how much, SipHash just makes it slightly less practical).
