dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Hashtable has lower hash flooding resistance than Dictionary #108923

Open MihaZupan opened 13 hours ago

MihaZupan commented 13 hours ago

Description

Dictionary<string, ...> and some similar types have built-in defense-in-depth functionality that uses per-instance hash code randomization to defend against hash flooding attacks.

While Hashtable has similar logic on .NET Framework when dealing with string keys, it does not on modern .NET. While hash codes may be randomized if the instance was created with a comparer like Ordinal, they won't be randomized per-instance.

See "Instantiations known safe against hash flooding attacks" section of the Dictionary threat model being published in #108864 for more background. cc: @GrabYourPitchforks

Known Workarounds

Use a Dictionary instead :)
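As an added illustration (not code from dotnet/runtime or from the issue author): Hashtable accepts a non-generic System.Collections.IEqualityComparer, so a caller that cannot yet move to Dictionary<string, TValue> can supply per-instance seeding itself. The comparer below assumes that string.GetHashCode(ReadOnlySpan<char>) is the process-seeded randomized string hash and feeds a random per-instance prefix into it ahead of every key, so two Hashtable instances end up with different hash functions even inside one process. The class name, the 8-character prefix length and the header-name sample data are invented for the example.

```csharp
#nullable enable
using System;
using System.Buffers;
using System.Collections;
using System.Security.Cryptography;

// Added example, not dotnet/runtime code. A System.Collections.IEqualityComparer for Hashtable
// that seeds string hashing per comparer instance (the property the issue says Hashtable lacks
// on modern .NET). Assumption: string.GetHashCode(ReadOnlySpan<char>) is the process-seeded
// randomized string hash; hashing a per-instance random prefix before the key leaves that hasher
// in a state that differs per instance, so one Hashtable's buckets do not predict another's.
public sealed class PerInstanceRandomizedStringComparer : IEqualityComparer
{
    // Random UTF-16 code units drawn once per comparer instance (8 chars = 128 bits; size chosen for the example).
    private readonly char[] _prefix = new char[8];

    public PerInstanceRandomizedStringComparer()
    {
        Span<byte> bytes = stackalloc byte[_prefix.Length * sizeof(char)];
        RandomNumberGenerator.Fill(bytes);
        for (int i = 0; i < _prefix.Length; i++)
            _prefix[i] = (char)BitConverter.ToUInt16(bytes.Slice(i * sizeof(char)));
    }

    // Ordinal equality for strings; non-string keys fall back to object equality.
    public new bool Equals(object? x, object? y)
        => x is string a && y is string b ? string.Equals(a, b, StringComparison.Ordinal) : object.Equals(x, y);

    public int GetHashCode(object obj)
    {
        if (obj is not string s)
            return obj.GetHashCode();

        // Hash prefix || key with the process-seeded hasher. The prefix plays the role of a
        // per-instance seed: the key alone is never hashed from a state shared with other instances.
        int len = _prefix.Length + s.Length;
        char[] rented = ArrayPool<char>.Shared.Rent(len);
        try
        {
            Span<char> buf = rented.AsSpan(0, len);
            _prefix.CopyTo(buf);
            s.AsSpan().CopyTo(buf.Slice(_prefix.Length));
            return string.GetHashCode(buf);
        }
        finally
        {
            ArrayPool<char>.Shared.Return(rented);
        }
    }
}

public static class HashtableSeedDemo
{
    // True when two comparers hash the same key identically, i.e. when they share a hash function.
    public static bool SharesHashFunction(IEqualityComparer first, IEqualityComparer second, string key)
        => first.GetHashCode(key) == second.GetHashCode(key);

    public static void Main()
    {
        // A Hashtable built with StringComparer.Ordinal delegates to the process-wide string hash,
        // so every such table in the process shares one hash function.
        IEqualityComparer ordinal = StringComparer.Ordinal;
        Console.WriteLine($"Ordinal comparer equals string.GetHashCode(): {ordinal.GetHashCode("Host") == "Host".GetHashCode()}");

        // Two independently constructed comparers collide on a key only with probability about 2^-32.
        var perInstanceA = new PerInstanceRandomizedStringComparer();
        var perInstanceB = new PerInstanceRandomizedStringComparer();
        Console.WriteLine($"Two per-instance comparers share a hash function: {SharesHashFunction(perInstanceA, perInstanceB, "Host")}");

        // Constructed sample: a Hashtable keyed by attacker-controlled names (e.g. request header names).
        var headers = new Hashtable(perInstanceA);
        foreach (string name in new[] { "Host", "Accept", "X-Forwarded-For", "host" })
            headers[name] = "value-for-" + name;

        Console.WriteLine($"{headers.Count} distinct keys; headers[\"Host\"] = {headers["Host"]}");
    }
}
```

This is a stopgap for code tied to the non-generic Hashtable API; the issue's own workaround, Dictionary<string, TValue>, remains the better fix, since it gets per-instance randomization without copying every key into a buffer on each lookup. The comparer also treats every instance as randomized from the start, whereas Dictionary only switches to its randomized comparer once it observes heavy collisions.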

dotnet-policy-service[bot] commented 13 hours ago

Tagging subscribers to this area: @dotnet/area-system-collections See info in area-owners.md if you want to be subscribed.