From: "Theodore Ts'o" <tytso@mit.edu>
To: PaX Team <pageexec@freemail.hu>
Cc: kernel-hardening@lists.openwall.com,
	David Brown <david.brown@linaro.org>,
	emese Revfy <re.emese@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	spender@grsecurity.net, mmarek@suse.com, keescook@chromium.org,
	linux-kernel@vger.kernel.org, yamada.masahiro@socionext.com,
	linux-kbuild@vger.kernel.org, linux-mm@kvack.org,
	axboe@kernel.dk, viro@zeniv.linux.org.uk,
	paulmck@linux.vnet.ibm.com, mingo@redhat.com, tglx@linutronix.de,
	bart.vanassche@sandisk.com, davem@davemloft.net
Subject: Re: [kernel-hardening] Re: [PATCH v2 1/3] Add the latent_entropy gcc plugin
Date: Thu, 9 Jun 2016 15:55:33 -0400
Message-ID: <20160609195533.GE5421@thunk.org>
In-Reply-To: <5759A5D5.7023.18C58969@pageexec.freemail.hu>

On Thu, Jun 09, 2016 at 07:22:29PM +0200, PaX Team wrote:
> > Well, the attacker can't control when the interrupts happen, but it
> > could try to burn power by simply having a thread spin in an infinite
> > loop ("0: jmp 0"), sure.
> 
> yes, that's one obvious way to accomplish it but even normal applications can
> behave in a similar way, think about spinning event loops, media decoding, etc
> whose sampled insn ptrs may provide less entropy than they get credited for.

Sure, as long as we're assuming less than one bit of entropy per
interrupt, even for a loop which is:

1:   cmpl    $1, -8(%rsp)
     jz	     1b

there would still be *some* uncertainty.  And with an event loop there
would be more instructions to sample.  Granted, the number of cycles
spent in each will be different, so there will be some biasing, but
that's one of the reasons why we've been using 1/64 bit per interrupt.

> yes, no entropy is credited since i don't know how much there is and i tend to err
> on the side of safety which means crediting 0 entropy for latent entropy. of course
> the expectation is that it's not actually 0 but to prove any specific value or limit
> is beyond my skills at least.

Sure, that's fair.

> i think it's not just per 64 interrupts but also after each elapsed second (i.e.,
> whichever condition occurs first), so on an idle system (which i believe is more
> likely to occur on exactly those small systems that the referenced paper was concerned
> about) the credited entropy could be overestimated.

That's a fair concern.  It might be that we should enforce some
minimum (at least 8 interrupts in all cases), but this is where it's
all about heuristics, especially on those systems that don't have random_get_entropy().

> > In practice, on most modern CPU where we have a cycle counter,
> 
> a quick check for get_cycles shows that at least these archs seem to return 0:
> arc, avr32, cris, frv, m32r, m68k, xtensa. now you may not think of them as modern,
> but they're still used in real life devices. i think that latent entropy is still
> an option on them.

It's possible for a system not to have a cycle counter, but to have
something that can be used instead for random_get_entropy.  That's
only being used for the m68k/amiga and mips/R6000[A] cases, but I keep
hoping that the architecture maintainers for some of these other
oddball platforms (is that better than "non-modern"? :-) will come up
with something, but yes, it is those platforms where I've always been
the most worried.  On the one hand, if the hardware is crap, there's
very little you can do.  Unfortunately, very often these crap
architectures have a very low BOM cost, so they are most likely to be
used in IOT devices.   :-(

One could try to claim that these IOT devices won't have upgradeable
firmware and so they'll probably be security disasters even without a
good random number generator, but oddly, that doesn't give me much
solace...

And in the end, that may be the strongest argument for the
latent_entropy plugin.  Even if it doesn't provide a lot of extra
entropy, on those platforms we're going to be so starved of real
entropy that almost anything will be better than what we have today.

	     	    	     	     	    	 - Ted
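As an added illustration of the crediting trade-off argued over in this message (constructed example, not code from the thread or from the kernel's random.c): a model of a fast pool that flushes and credits one bit after 64 interrupts or after one second, whichever comes first, plus the hypothetical "at least 8 interrupts" floor floated above. FLUSH_COUNT, FLUSH_MS, min_count and the interrupt rates are assumptions; the model shows how an idle box is credited far more than 1/64 bit per interrupt and how the floor bounds that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the fast-pool crediting policy discussed above:
 * the pool is flushed (and one bit credited) once FLUSH_COUNT interrupts
 * have been mixed in or FLUSH_MS has elapsed, whichever comes first.
 * This is a simplification, not the kernel's add_interrupt_randomness(). */
#define FLUSH_COUNT 64
#define FLUSH_MS    1000

struct fast_pool_model {
	unsigned count;       /* interrupts mixed since the last flush */
	uint64_t last_flush;  /* time of the last flush, in ms */
	unsigned min_count;   /* hypothetical floor on interrupts per flush */
};

/* Mix one interrupt arriving at now_ms; returns true if the pool was
 * flushed, i.e. one bit of entropy was credited to the input pool. */
static bool model_interrupt(struct fast_pool_model *p, uint64_t now_ms)
{
	p->count++;
	if (p->count < FLUSH_COUNT && now_ms - p->last_flush < FLUSH_MS)
		return false;           /* neither trigger has fired yet */
	if (p->count < p->min_count)
		return false;           /* timeout fired but floor not reached */
	p->count = 0;
	p->last_flush = now_ms;
	return true;
}

/* Deliver evenly spaced interrupts for `seconds` and return the number of
 * bits credited; bits / interrupts is the effective credit per interrupt. */
static unsigned simulate(unsigned irqs_per_sec, unsigned seconds,
			 unsigned min_count)
{
	struct fast_pool_model p = { 0, 0, min_count };
	unsigned total = irqs_per_sec * seconds, credited = 0;

	for (unsigned i = 0; i < total; i++)
		credited += model_interrupt(&p, (uint64_t)i * 1000 / irqs_per_sec);
	return credited;
}

int main(void)
{
	/* busy: ~1/64 bit per interrupt; idle: ~1/4; idle with floor: 1/8 */
	printf("busy  1000 irq/s: %u bits / 10000 irqs\n", simulate(1000, 10, 0));
	printf("idle     4 irq/s: %u bits / 40 irqs\n", simulate(4, 10, 0));
	printf("idle, min 8 irqs: %u bits / 40 irqs\n", simulate(4, 10, 8));
	return 0;
}
```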
