All of lore.kernel.org
 help / color / mirror / Atom feed
From: Florian Weimer <fweimer@bfk.de>
To: Matt Mackall <mpm@selenic.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Ingo Molnar <mingo@elte.hu>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Arjan van de Ven <arjan@infradead.org>, Jake Edge <jake@lwn.net>,
	security@kernel.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	James Morris <jmorris@namei.org>,
	linux-security-module@vger.kernel.org,
	Eric Paris <eparis@redhat.com>,
	Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Roland McGrath <roland@redhat.com>,
	mingo@redhat.com, Andrew Morton <akpm@linux-foundation.org>,
	Greg KH <greg@kroah.com>, Dave Jones <davej@redhat.com>
Subject: Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes
Date: Thu, 07 May 2009 17:16:27 +0200	[thread overview]
Message-ID: <82prel54fo.fsf@mid.bfk.de> (raw)
In-Reply-To: <20090506175717.GY31071@waste.org> (Matt Mackall's message of "Wed, 6 May 2009 12:57:17 -0500")

* Matt Mackall:

> On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
>> 
>> Matt, are you willing to ack my suggested patch which adds history to the 
>> mix? Did somebody test that? I have this memory of there being an 
>> "exploit" program to show the non-randomness of the values, but I can't 
>> recall details, and would really want to get a second opinion from 
>> somebody who cares about PRNG's.
>
> I still don't like it. I bounced it off some folks on the adversarial
> side of things and they didn't think it looked strong enough either.
> Full MD5 collisions can be generated about as fast as they can be
> checked, which makes _reduced strength_ MD4 not much better than an
> LFSR in terms of attack potential.

Well, with periodic reseeding, even that shouldn't be a problem.  You
don't need collision resistance at all, so those MD5 attacks don't
tell you anything about the difficulty of state recovery/prediction
attacks on your variant.  (The trouble with hash functions is that
they haven't got any secrets to work from.  With seeded PRNGs, this is
obviously different.)

On the other hand, most people who need a quick, unpredictable source
of randomness seem to use RC4 with a random key initialized from a
more costly source.  (If you're paranoid, you should discard the first
few hundred bytes.)  The nice thing is that you can use a well-tested
primitive, unchanged, so it's easier to avoid nasty suprises.

Oh, and you should really, really ditch that Tausworthe generator (in
lib/random32.c).

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

  parent reply	other threads:[~2009-05-07 15:29 UTC|newest]

Thread overview: 60+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-05-04 18:51 [PATCH] proc: avoid information leaks to non-privileged processes Jake Edge
2009-05-04 19:00 ` [Security] " Linus Torvalds
2009-05-04 19:51   ` Arjan van de Ven
2009-05-04 20:20     ` Eric W. Biederman
2009-05-04 22:24       ` Linus Torvalds
2009-05-04 23:26         ` Arjan van de Ven
2009-05-04 23:54         ` Linus Torvalds
2009-05-05  7:51           ` Eric W. Biederman
2009-05-05 15:17             ` Linus Torvalds
2009-05-05 15:35               ` Linus Torvalds
2009-05-05 16:18                 ` Matt Mackall
2009-05-05 16:10               ` Matt Mackall
2009-05-05  5:50         ` Matt Mackall
2009-05-05  6:31           ` Ingo Molnar
2009-05-05  8:14             ` Eric W. Biederman
2009-05-05 19:52               ` Ingo Molnar
2009-05-05 20:22                 ` Matt Mackall
2009-05-05 21:20                   ` Eric W. Biederman
2009-05-06 10:33                     ` Ingo Molnar
2009-05-06 10:30                   ` Ingo Molnar
2009-05-06 16:25                     ` Matt Mackall
2009-05-06 16:48                       ` Linus Torvalds
2009-05-06 17:57                         ` Matt Mackall
2009-05-07  0:50                           ` Matt Mackall
2009-05-07 15:02                             ` Ingo Molnar
2009-05-07 18:14                               ` Matt Mackall
2009-05-07 18:21                                 ` Ingo Molnar
2009-05-07 18:41                                 ` Ingo Molnar
2009-05-07 19:24                                   ` Matt Mackall
2009-05-07 15:16                           ` Florian Weimer [this message]
2009-05-07 16:55                             ` Matt Mackall
2009-05-07 17:53                               ` Linus Torvalds
2009-05-07 18:42                                 ` Matt Mackall
2009-05-06 20:09                         ` [patch] random: make get_random_int() more random Ingo Molnar
2009-05-06 20:41                           ` Matt Mackall
2009-05-06 20:51                             ` Ingo Molnar
2009-05-06 21:10                               ` Matt Mackall
2009-05-06 21:24                                 ` Ingo Molnar
2009-05-14 22:47                           ` Jake Edge
2009-05-14 22:55                             ` [Security] " Linus Torvalds
2009-05-15 13:47                               ` Ingo Molnar
2009-05-15 15:10                                 ` Jake Edge
2009-05-16 10:00                                 ` Willy Tarreau
2009-05-16 10:39                                   ` Ingo Molnar
2009-05-16 12:02                                     ` Eric W. Biederman
2009-05-16 14:00                                       ` Michael S. Zick
2009-05-16 14:28                                         ` Michael S. Zick
2009-05-16 14:57                                           ` Arjan van de Ven
2009-05-16 15:09                                             ` Michael S. Zick
2009-05-16 14:32                                       ` Matt Mackall
2009-05-16 13:58                                     ` Willy Tarreau
2009-05-16 15:23                                       ` Linus Torvalds
2009-05-16 15:47                                         ` Willy Tarreau
2009-05-16 15:54                                         ` Oliver Neukum
2009-05-16 16:05                                           ` Linus Torvalds
2009-05-16 16:17                                             ` Linus Torvalds
2009-05-15  1:16                           ` Américo Wang
2009-05-06 20:25                       ` [Security] [PATCH] proc: avoid information leaks to non-privileged processes Ingo Molnar
2009-05-06 20:52                         ` Matt Mackall
2009-05-05  8:58           ` Andi Kleen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=82prel54fo.fsf@mid.bfk.de \
    --to=fweimer@bfk.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=arjan@infradead.org \
    --cc=davej@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=eparis@redhat.com \
    --cc=greg@kroah.com \
    --cc=jake@lwn.net \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=mingo@redhat.com \
    --cc=mpm@selenic.com \
    --cc=roland@redhat.com \
    --cc=security@kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.