From: "PaX Team" <pageexec@freemail.hu>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: kernel-hardening@lists.openwall.com, David Brown <david.brown@linaro.org>, emese Revfy <re.emese@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, spender@grsecurity.net, mmarek@suse.com, keescook@chromium.org, linux-kernel@vger.kernel.org, yamada.masahiro@socionext.com, linux-kbuild@vger.kernel.org, linux-mm@kvack.org, axboe@kernel.dk, viro@zeniv.linux.org.uk, paulmck@linux.vnet.ibm.com, mingo@redhat.com, tglx@linutronix.de, bart.vanassche@sandisk.com, davem@davemloft.net
Subject: Re: [kernel-hardening] Re: [PATCH v2 1/3] Add the latent_entropy gcc plugin
Date: Thu, 09 Jun 2016 19:22:29 +0200
Message-ID: <5759A5D5.7023.18C58969@pageexec.freemail.hu>
In-Reply-To: <20160607135857.GF7057@thunk.org>

On 7 Jun 2016 at 9:58, Theodore Ts'o wrote:

> On Tue, Jun 07, 2016 at 02:19:14PM +0200, PaX Team wrote:
> > (i believe that) latent entropy is found in more than just interrupt timing, there're
> > also data dependent computations that can have entropy, either on a single system or
> > across a population of them.
>
> It's not clear how much data dependent computations you would have in
> kernel space that's not introduced by interrupts, but there would
> some, I'm sure.

there's plenty of such computations both during boot and later as well. starting with kernel command line options through parsing firmware provided data to hardware configurations to processing various queues, lists, trees, file systems, network packets, etc. as for interrupts specifically, latent entropy can be extracted from polled devices as well (e.g., i think even modern NICs can be turned into polling mode under sufficient load as processing packets that way is more efficient).

> > i agree that sampling the kernel register state can have entropy (the plugin
> > already extracts the current stack pointer) but i'm much less sure about
> > userland (at least i see no dependence on !user_mode(...)) since an attacker
> > could feed no entropy into the pool but still get it credited.
>
> Well, the attacker can't control when the interrupts happen, but it
> could try to burn power by simply having a thread spin in an infinite
> loop ("0: jmp 0"), sure.

yes, that's one obvious way to accomplish it but even normal applications can behave in a similar way, think about spinning event loops, media decoding, etc whose sampled insn ptrs may provide less entropy than they get credited for.

> All of this goes into the question of how much entropy we can assume
> can be gathered per interrupt (or in the case of basic block
> instrumentation, per basic block). IIRC, in the latent_entropy
> patches, the assumption is that zero entropy should be credited,
> correct?

yes, no entropy is credited since i don't know how much there is and i tend to err on the side of safety which means crediting 0 entropy for latent entropy. of course the expectation is that it's not actually 0 but to prove any specific value or limit is beyond my skills at least.

> In the case Linux's current get_interrupt_randomness(), there's a
> reason I'm using a very conservative 1/64th of a bit per interrupt.

i think it's not just per 64 interrupts but also after each elapsed second (i.e., whichever condition occurs first), so on an idle system (which i believe is more likely to occur on exactly those small systems that the referenced paper was concerned about) the credited entropy could be overestimated.

> In practice, on most modern CPU where we have a cycle counter,

a quick check for get_cycles shows that at least these archs seem to return 0: arc, avr32, cris, frv, m32r, m68k, xtensa. now you may not think of them as modern, but they're still used in real life devices. i think that latent entropy is still an option on them.

cheers,
 PaX Team
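The crediting rule PaX Team objects to above ("not just per 64 interrupts but also after each elapsed second, whichever condition occurs first") can be put in numbers with a small model. The following is an added example written for this page; it is not code from the thread, from the latent_entropy plugin, or from the kernel's own random.c. It assumes the rule exactly as the message states it (one bit credited after 64 interrupts or after one second since the last credit), and the two interrupt streams it feeds in, a busy box and an idle box, are constructed for the example. The defender's interest is that an idle system, which is the common case on the small devices the thread worries about, gets credited several times the nominal 1/64 bit per interrupt, so the pool may be counted as seeded earlier than its real entropy justifies.

```c
/*
 * Added example: a model of a "credit one bit per 64 interrupts or per
 * elapsed second, whichever comes first" rule, as described in the thread.
 * This is NOT the kernel's get_interrupt_randomness(); the thresholds,
 * the timing values and the interrupt streams are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#define CREDIT_IRQ_THRESHOLD 64u       /* assumed: interrupts per credited bit */
#define CREDIT_TIME_NS 1000000000ull   /* assumed: one second per credited bit */

struct credit_state {
    unsigned irq_count;        /* interrupts mixed in since the last credit */
    uint64_t last_credit_ns;   /* timestamp of the last credit */
    unsigned bits_credited;    /* running total of bits credited */
};

/* Mix one interrupt observed at now_ns; return 1 if a bit was credited. */
static int mix_interrupt(struct credit_state *st, uint64_t now_ns)
{
    st->irq_count++;
    /* neither the count threshold nor the time threshold reached: no credit */
    if (st->irq_count < CREDIT_IRQ_THRESHOLD &&
        now_ns - st->last_credit_ns < CREDIT_TIME_NS)
        return 0;
    st->irq_count = 0;
    st->last_credit_ns = now_ns;
    st->bits_credited++;
    return 1;
}

/* Feed n interrupts spaced period_ns apart; return the bits credited in total. */
unsigned credited_bits(unsigned n, uint64_t period_ns)
{
    struct credit_state st = { 0, 0, 0 };
    for (unsigned i = 1; i <= n; i++)
        mix_interrupt(&st, (uint64_t)i * period_ns);
    return st.bits_credited;
}

/* Credited bits per interrupt, scaled so the nominal 1/64 rate reads 1.0. */
double credit_ratio_vs_nominal(unsigned n, uint64_t period_ns)
{
    return 64.0 * credited_bits(n, period_ns) / n;
}

int main(void)
{
    /* busy box: 640 interrupts 1 ms apart; the count rule fires every 64 */
    printf("busy: %u bits for 640 irqs (%.1fx nominal)\n",
           credited_bits(640, 1000000ull),
           credit_ratio_vs_nominal(640, 1000000ull));
    /* idle box: 50 interrupts 100 ms apart; the time rule fires every 10 */
    printf("idle: %u bits for 50 irqs (%.1fx nominal)\n",
           credited_bits(50, 100000000ull),
           credit_ratio_vs_nominal(50, 100000000ull));
    return 0;
}
```

Under these assumptions the busy stream gets exactly the nominal rate (10 bits for 640 interrupts), while the idle stream gets 5 bits for 50 interrupts, 6.4 times the nominal 1/64 bit each; the slower the interrupt rate, the larger the overestimate. Whether the real kernel of that era behaved this way is the thread's own question and is not settled by the model.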