I generate a hash for some objects of classes based on their memory location (in this case for a websocket object from vapor swift).

Unmanaged.passUnretained(webSocket).toOpaque().hashValue

or:

ObjectIdentifier(webSocket).hashValue

https://stackoverflow.com/a/41666807/10551293 (The answer on how to get the memory location of an object)

I thought I'd use this as an identifier (end users could view this). Does this open a possibility for an attack?

swift-lynx

1 Answer

Swift provides a tool specifically for this purpose: ObjectIdentifier().

Its hash includes a per-launch random seed, specifically to frustrate hash-based attacks. Even if the attacker were to brute-force the hash (itself a significant, but possibly not impossible problem), it will not reveal the actual location in memory. This should be a secure identifier.

But be sure to use ObjectIdentifier. If an attack were discovered in the future, that's the API that would be mitigated.

Rob Napier
  • Okay, thanks. This does give me the memory location like the code in my original question. But is the hashValue of that memory location a security threat in the case I provided? – swift-lynx Dec 05 '19 at 13:50
  • Thanks, this answers the entire question. – swift-lynx Dec 05 '19 at 13:56
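
The following is an added example, not code from the question or the answer: a sketch of handing out `ObjectIdentifier(...).hashValue` as a client-visible identifier while handling two properties of such a value, namely that hash values are not guaranteed to be unique and that an object's identity is only meaningful while the object is alive. `Connection` (a stand-in for the Vapor WebSocket) and `ConnectionRegistry` are hypothetical names.

```swift
// Hypothetical stand-in for the Vapor WebSocket object from the question.
final class Connection {}

/// Hypothetical registry mapping the seeded hash shown to clients back to the live object.
final class ConnectionRegistry {
    private var byObject: [ObjectIdentifier: Connection] = [:]
    private var byPublicID: [Int: ObjectIdentifier] = [:]

    /// Returns the identifier to hand out, or nil if a different live object
    /// already maps to the same hash value (hashes are not guaranteed unique).
    func register(_ connection: Connection) -> Int? {
        let key = ObjectIdentifier(connection)
        let publicID = key.hashValue
        if let existing = byPublicID[publicID], existing != key { return nil }
        // The strong reference keeps the object alive, so its address (and
        // therefore its ObjectIdentifier) cannot be reused while registered.
        byObject[key] = connection
        byPublicID[publicID] = key
        return publicID
    }

    /// Resolves a client-supplied identifier; unknown values yield nil.
    func lookup(publicID: Int) -> Connection? {
        guard let key = byPublicID[publicID] else { return nil }
        return byObject[key]
    }

    func unregister(_ connection: Connection) {
        let key = ObjectIdentifier(connection)
        // Only drop the public mapping if it really belongs to this object.
        if byPublicID[key.hashValue] == key { byPublicID[key.hashValue] = nil }
        byObject[key] = nil
    }
}

let registry = ConnectionRegistry()
let socket = Connection()
// The raw address is computed only to compare it with the seeded hash.
let rawAddress = Int(bitPattern: Unmanaged.passUnretained(socket).toOpaque())
if let publicID = registry.register(socket) {
    print("raw address: 0x\(String(rawAddress, radix: 16))")
    print("public id:   \(publicID)")
    print("round trip:  \(registry.lookup(publicID: publicID) === socket)")
}
```

Because the hash is seeded per launch, the printed public id normally changes from one run to the next, so such identifiers should not be persisted or compared across process launches.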