linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andi Kleen <andi@firstfloor.org>
To: Kees Cook <kees.cook@canonical.com>
Cc: Andi Kleen <andi@firstfloor.org>,
	Roland McGrath <roland@redhat.com>,
	linux-kernel@vger.kernel.org, Jakub Jelinek <jakub@redhat.com>,
	Ulrich Drepper <drepper@redhat.com>,
	libc-alpha@sourceware.org
Subject: Re: [PATCH] ELF: implement AT_RANDOM for future glibc use
Date: Tue, 7 Oct 2008 01:28:10 +0200	[thread overview]
Message-ID: <20081006232810.GP3180@one.firstfloor.org> (raw)
In-Reply-To: <20081006220759.GM10357@outflux.net>

On Mon, Oct 06, 2008 at 03:07:59PM -0700, Kees Cook wrote:
> On Mon, Oct 06, 2008 at 09:26:41PM +0200, Andi Kleen wrote:
> > > We're already using get_random* for stack, heap, and brk.  Also,
> > > get_random* uses the nonblocking pool, so this is the same as if userspace
> > > had tried to pull bytes out of /dev/urandom, which (as I understand it)
> > 
> > Yes exactly that's the problem. Think about it: do you really 
> > need the same cryptographic strength for your mmap placement
> > as you need for your SSL session keys?
> > 
> > And if you need true entropy for your session keys do you
> > still get it when it was all used for low security 
> > purposes first?
> 
> Off-list I was just shown random32().  If AT_RANDOM used that instead,
> would that be acceptable?

random32() is not a cryptographically strong RNG. I suspect it would
be pretty easy to reverse engineer its seed given some state. It hasn't
been designed to be protected against that.

While I suspect this wouldn't be a serious threat to the security
model for mmap (to break the mmap placement you would still need quite a lot of
addresses before you can predict some and I presume most apps do not leak
addresses) it would seem unnecessarily 
weak to me because using a better algorithm is not very costly.
Also it might be a problem for some of the other potential users.

cryptographically strong RNGs are especially designed to make this
reverse engineering of the state hard. 

Simple ones can be just a cryptographic hash + counter + secret or
the same with a encryption algorithm like AES, but there are 
also algorithms who are especially designed for this like yarrow/fortuna

See
http://en.wikipedia.org/wiki/Cryptographically_secure_pseudo-random_number_generator

-Andi

-- 
ak@linux.intel.com

  reply	other threads:[~2008-10-06 23:25 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20081001201116.GD12527@outflux.net>
     [not found] ` <48E3EFD6.2010704@redhat.com>
     [not found]   ` <20081001215657.GH12527@outflux.net>
     [not found]     ` <20081001220948.GC32107@sunsite.ms.mff.cuni.cz>
     [not found]       ` <20081001222706.68E7E1544B4@magilla.localdomain>
2008-10-03  0:16         ` [PATCH] ELF: implement AT_RANDOM for future glibc use Kees Cook
2008-10-03  0:43           ` Jakub Jelinek
2008-10-03  5:25             ` Kees Cook
2008-10-03  5:29             ` Kees Cook
2008-10-03  5:57               ` Arjan van de Ven
2008-10-03  6:25                 ` Ulrich Drepper
2008-10-03 14:50                   ` [PATCH] ELF: implement AT_RANDOM for glibc PRNG seeding Kees Cook
2008-10-03 14:56                     ` Ulrich Drepper
2008-10-03 14:57                     ` Jakub Jelinek
2008-10-03 17:33                       ` Kees Cook
2008-10-03 17:41                         ` Ulrich Drepper
2008-10-03 17:59                           ` [PATCH v5] " Kees Cook
2008-10-18  5:42                             ` Ulrich Drepper
2008-10-21 20:01                             ` Andrew Morton
2008-10-21 20:22                               ` Ulrich Drepper
2008-10-27  5:46                                 ` Andrew Morton
2008-10-03  0:52           ` [PATCH] ELF: implement AT_RANDOM for future glibc use Roland McGrath
2008-10-03  5:15             ` Kees Cook
2008-10-03 20:22               ` Roland McGrath
2008-10-06  6:00           ` Andi Kleen
2008-10-06 17:50             ` Kees Cook
2008-10-06 18:25               ` David Wagner
2008-10-06 20:23                 ` Andi Kleen
2008-10-06 22:16                   ` David Wagner
2008-10-06 19:26               ` Andi Kleen
2008-10-06 22:01                 ` Kees Cook
2008-10-06 23:19                   ` Andi Kleen
2008-10-06 23:29                     ` Kees Cook
2008-10-06 23:44                       ` Andi Kleen
2008-10-06 22:07                 ` Kees Cook
2008-10-06 23:28                   ` Andi Kleen [this message]
2008-10-06 23:58                   ` Roland McGrath
2008-10-07  0:08                     ` Ulrich Drepper
2008-10-07  0:31                     ` Kees Cook
2008-10-07  0:57                       ` Ulrich Drepper
2008-10-07  1:44                         ` Kees Cook
2008-10-07  1:51                           ` Ulrich Drepper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20081006232810.GP3180@one.firstfloor.org \
    --to=andi@firstfloor.org \
    --cc=drepper@redhat.com \
    --cc=jakub@redhat.com \
    --cc=kees.cook@canonical.com \
    --cc=libc-alpha@sourceware.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=roland@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).