From: Andi Kleen <andi@firstfloor.org>
To: Kees Cook <kees.cook@canonical.com>
Cc: Andi Kleen <andi@firstfloor.org>,
Roland McGrath <roland@redhat.com>,
linux-kernel@vger.kernel.org, Jakub Jelinek <jakub@redhat.com>,
Ulrich Drepper <drepper@redhat.com>,
libc-alpha@sourceware.org
Subject: Re: [PATCH] ELF: implement AT_RANDOM for future glibc use
Date: Tue, 7 Oct 2008 01:28:10 +0200 [thread overview]
Message-ID: <20081006232810.GP3180@one.firstfloor.org> (raw)
In-Reply-To: <20081006220759.GM10357@outflux.net>
On Mon, Oct 06, 2008 at 03:07:59PM -0700, Kees Cook wrote:
> On Mon, Oct 06, 2008 at 09:26:41PM +0200, Andi Kleen wrote:
> > > We're already using get_random* for stack, heap, and brk. Also,
> > > get_random* uses the nonblocking pool, so this is the same as if userspace
> > > had tried to pull bytes out of /dev/urandom, which (as I understand it)
> >
> > Yes exactly that's the problem. Think about it: do you really
> > need the same cryptographic strength for your mmap placement
> > as you need for your SSL session keys?
> >
> > And if you need true entropy for your session keys do you
> > still get it when it was all used for low security
> > purposes first?
>
> Off-list I was just shown random32(). If AT_RANDOM used that instead,
> would that be acceptable?
random32() is not a cryptographically strong RNG. I suspect it would
be pretty easy to reverse engineer its seed given some state. It hasn't
been designed to be protected against that.
While I suspect this wouldn't be a serious threat to the security
model for mmap (to break the mmap placement you would still need quite a lot of
addresses before you can predict some and I presume most apps do not leak
addresses) it would seem unnecessarily
weak to me because using a better algorithm is not very costly.
Also it might be a problem for some of the other potential users.
cryptographically strong RNGs are especially designed to make this
reverse engineering of the state hard.
Simple ones can be just a cryptographic hash + counter + secret or
the same with a encryption algorithm like AES, but there are
also algorithms who are especially designed for this like yarrow/fortuna
See
http://en.wikipedia.org/wiki/Cryptographically_secure_pseudo-random_number_generator
-Andi
--
ak@linux.intel.com
next prev parent reply other threads:[~2008-10-06 23:25 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20081001201116.GD12527@outflux.net>
[not found] ` <48E3EFD6.2010704@redhat.com>
[not found] ` <20081001215657.GH12527@outflux.net>
[not found] ` <20081001220948.GC32107@sunsite.ms.mff.cuni.cz>
[not found] ` <20081001222706.68E7E1544B4@magilla.localdomain>
2008-10-03 0:16 ` [PATCH] ELF: implement AT_RANDOM for future glibc use Kees Cook
2008-10-03 0:43 ` Jakub Jelinek
2008-10-03 5:25 ` Kees Cook
2008-10-03 5:29 ` Kees Cook
2008-10-03 5:57 ` Arjan van de Ven
2008-10-03 6:25 ` Ulrich Drepper
2008-10-03 14:50 ` [PATCH] ELF: implement AT_RANDOM for glibc PRNG seeding Kees Cook
2008-10-03 14:56 ` Ulrich Drepper
2008-10-03 14:57 ` Jakub Jelinek
2008-10-03 17:33 ` Kees Cook
2008-10-03 17:41 ` Ulrich Drepper
2008-10-03 17:59 ` [PATCH v5] " Kees Cook
2008-10-18 5:42 ` Ulrich Drepper
2008-10-21 20:01 ` Andrew Morton
2008-10-21 20:22 ` Ulrich Drepper
2008-10-27 5:46 ` Andrew Morton
2008-10-03 0:52 ` [PATCH] ELF: implement AT_RANDOM for future glibc use Roland McGrath
2008-10-03 5:15 ` Kees Cook
2008-10-03 20:22 ` Roland McGrath
2008-10-06 6:00 ` Andi Kleen
2008-10-06 17:50 ` Kees Cook
2008-10-06 18:25 ` David Wagner
2008-10-06 20:23 ` Andi Kleen
2008-10-06 22:16 ` David Wagner
2008-10-06 19:26 ` Andi Kleen
2008-10-06 22:01 ` Kees Cook
2008-10-06 23:19 ` Andi Kleen
2008-10-06 23:29 ` Kees Cook
2008-10-06 23:44 ` Andi Kleen
2008-10-06 22:07 ` Kees Cook
2008-10-06 23:28 ` Andi Kleen [this message]
2008-10-06 23:58 ` Roland McGrath
2008-10-07 0:08 ` Ulrich Drepper
2008-10-07 0:31 ` Kees Cook
2008-10-07 0:57 ` Ulrich Drepper
2008-10-07 1:44 ` Kees Cook
2008-10-07 1:51 ` Ulrich Drepper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081006232810.GP3180@one.firstfloor.org \
--to=andi@firstfloor.org \
--cc=drepper@redhat.com \
--cc=jakub@redhat.com \
--cc=kees.cook@canonical.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roland@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).