Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

From: Matt Mackall <mpm@selenic.com>
To: Florian Weimer <fweimer@bfk.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Ingo Molnar <mingo@elte.hu>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Arjan van de Ven <arjan@infradead.org>, Jake Edge <jake@lwn.net>,
	security@kernel.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	James Morris <jmorris@namei.org>,
	linux-security-module@vger.kernel.org,
	Eric Paris <eparis@redhat.com>,
	Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Roland McGrath <roland@redhat.com>,
	mingo@redhat.com, Andrew Morton <akpm@linux-foundation.org>,
	Greg KH <greg@kroah.com>, Dave Jones <davej@redhat.com>
Subject: Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes
Date: Thu, 7 May 2009 11:55:45 -0500	[thread overview]
Message-ID: <20090507165545.GK31071@waste.org> (raw)
In-Reply-To: <82prel54fo.fsf@mid.bfk.de>

On Thu, May 07, 2009 at 05:16:27PM +0200, Florian Weimer wrote:
> * Matt Mackall:
> 
> > On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
> >> 
> >> Matt, are you willing to ack my suggested patch which adds history to the 
> >> mix? Did somebody test that? I have this memory of there being an 
> >> "exploit" program to show the non-randomness of the values, but I can't 
> >> recall details, and would really want to get a second opinion from 
> >> somebody who cares about PRNG's.
> >
> > I still don't like it. I bounced it off some folks on the adversarial
> > side of things and they didn't think it looked strong enough either.
> > Full MD5 collisions can be generated about as fast as they can be
> > checked, which makes _reduced strength_ MD4 not much better than an
> > LFSR in terms of attack potential.
> 
> Well, with periodic reseeding, even that shouldn't be a problem.  You
> don't need collision resistance at all, so those MD5 attacks don't
> tell you anything about the difficulty of state recovery/prediction
> attacks on your variant.

It's *not* MD5. It's a reduced-round MD4. And MD4 is already many
orders of magnitude weaker than MD5. It's so weak in fact that
collisions can be generated in O(1)[1]. Hard to get much weaker than
that, except by, say, using something like our reduced-round variant.

It's not much of a stretch of the imagination to think that such an
amazingly weak hash might reveal our hidden state quite rapidly,
especially when used in a feedback mode.

[1] http://eprint.iacr.org/2005/151.pdf

We have a better hash function handy, and it's only takes twice as long.

> On the other hand, most people who need a quick, unpredictable source
> of randomness seem to use RC4 with a random key initialized from a
> more costly source.

Using a stream cipher is a fine idea. Ted and I have recently
discussed adding this as a layer to the stock RNG. We haven't used it
historically because of a) export restrictions and b) unsuitability of
the cryptoapi interface.

> Oh, and you should really, really ditch that Tausworthe generator (in
> lib/random32.c).

I'm not responsible for that particular bad idea.

-- 
Mathematics is the supreme nostalgia of our time.