[PATCH] proc: avoid information leaks to non-privileged processes

[PATCH] proc: avoid information leaks to non-privileged processes

[Jake Edge]

This is essentially v2 of "[PATCH] proc: avoid leaking eip, esp, or
wchan to non-privileged processes", adding some of Eric Biederman's
suggestions as well as the start_stack change (only give out that
address if the process is ptrace()-able).  This has been tested with ps
and top without any ill effects being seen.

proc: avoid information leaks to non-privileged processes

By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
only allow processes that can ptrace() a given process to see information
that might be used to bypass address space layout randomization (ASLR).
These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
as the non-symbolic output from /proc/pid/wchan.

ASLR can be bypassed by sampling eip as shown by the proof-of-concept code
at http://code.google.com/p/fuzzyaslr/  As part of a presentation
(http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were also
noted as possibly usable information leaks as well.  The start_stack address
also leaks potentially useful information.

Cc: Stable Team <stable@kernel.org>
Signed-off-by: Jake Edge <jake@lwn.net>
---
 fs/proc/array.c |   13 +++++++++----
 fs/proc/base.c  |    5 ++++-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/fs/proc/array.c b/fs/proc/array.c
index 7e4877d..725a650 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -80,6 +80,7 @@
 #include <linux/delayacct.h>
 #include <linux/seq_file.h>
 #include <linux/pid_namespace.h>
+#include <linux/ptrace.h>
 #include <linux/tracehook.h>
 
 #include <asm/pgtable.h>
@@ -352,6 +353,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
 	char state;
 	pid_t ppid = 0, pgid = -1, sid = -1;
 	int num_threads = 0;
+	int permitted;
 	struct mm_struct *mm;
 	unsigned long long start_time;
 	unsigned long cmin_flt = 0, cmaj_flt = 0;
@@ -364,11 +366,14 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
 
 	state = *get_task_state(task);
 	vsize = eip = esp = 0;
+	permitted = ptrace_may_access(task, PTRACE_MODE_READ);
 	mm = get_task_mm(task);
 	if (mm) {
 		vsize = task_vsize(mm);
-		eip = KSTK_EIP(task);
-		esp = KSTK_ESP(task);
+		if (permitted) {
+			eip = KSTK_EIP(task);
+			esp = KSTK_ESP(task);
+		}
 	}
 
 	get_task_comm(tcomm, task);
@@ -424,7 +429,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
 		unlock_task_sighand(task, &flags);
 	}
 
-	if (!whole || num_threads < 2)
+	if (permitted && (!whole || num_threads < 2))
 		wchan = get_wchan(task);
 	if (!whole) {
 		min_flt = task->min_flt;
@@ -476,7 +481,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
 		rsslim,
 		mm ? mm->start_code : 0,
 		mm ? mm->end_code : 0,
-		mm ? mm->start_stack : 0,
+		(permitted && mm) ? mm->start_stack : 0,
 		esp,
 		eip,
 		/* The signal information here is obsolete.
diff --git a/fs/proc/base.c b/fs/proc/base.c
index aa763ab..fb45615 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -322,7 +322,10 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer)
 	wchan = get_wchan(task);
 
 	if (lookup_symbol_name(wchan, symname) < 0)
-		return sprintf(buffer, "%lu", wchan);
+		if (!ptrace_may_access(task, PTRACE_MODE_READ))
+			return 0;
+		else
+			return sprintf(buffer, "%lu", wchan);
 	else
 		return sprintf(buffer, "%s", symname);
 }
-- 
1.6.2.2


-- 
Jake Edge - LWN - jake@lwn.net - http://lwn.net

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Linus Torvalds]

On Mon, 4 May 2009, Jake Edge wrote:
>
> This is essentially v2 of "[PATCH] proc: avoid leaking eip, esp, or
> wchan to non-privileged processes", adding some of Eric Biederman's
> suggestions as well as the start_stack change (only give out that
> address if the process is ptrace()-able).  This has been tested with ps
> and top without any ill effects being seen.

Looks sane to me. Anybody objects?

		Linus

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Arjan van de Ven]

On Mon, 4 May 2009 12:00:12 -0700 (PDT)
Linus Torvalds <torvalds@linux-foundation.org> wrote:

> 
> 
> On Mon, 4 May 2009, Jake Edge wrote:
> >
> > This is essentially v2 of "[PATCH] proc: avoid leaking eip, esp, or
> > wchan to non-privileged processes", adding some of Eric Biederman's
> > suggestions as well as the start_stack change (only give out that
> > address if the process is ptrace()-able).  This has been tested
> > with ps and top without any ill effects being seen.
> 
> Looks sane to me. Anybody objects?
> 

Acked-by: Arjan van de Ven <arjan@linux.intel.com>

-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Eric W. Biederman]

Arjan van de Ven <arjan@infradead.org> writes:

> On Mon, 4 May 2009 12:00:12 -0700 (PDT)
> Linus Torvalds <torvalds@linux-foundation.org> wrote:
>
>> 
>> 
>> On Mon, 4 May 2009, Jake Edge wrote:
>> >
>> > This is essentially v2 of "[PATCH] proc: avoid leaking eip, esp, or
>> > wchan to non-privileged processes", adding some of Eric Biederman's
>> > suggestions as well as the start_stack change (only give out that
>> > address if the process is ptrace()-able).  This has been tested
>> > with ps and top without any ill effects being seen.
>> 
>> Looks sane to me. Anybody objects?
>> 
>
> Acked-by: Arjan van de Ven <arjan@linux.intel.com>

Looks sane here.

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

Eric

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Linus Torvalds]

On Mon, 4 May 2009, Eric W. Biederman wrote:

> Arjan van de Ven <arjan@infradead.org> writes:
> 
> > On Mon, 4 May 2009 12:00:12 -0700 (PDT)
> > Linus Torvalds <torvalds@linux-foundation.org> wrote:
> >
> >> 
> >> 
> >> On Mon, 4 May 2009, Jake Edge wrote:
> >> >
> >> > This is essentially v2 of "[PATCH] proc: avoid leaking eip, esp, or
> >> > wchan to non-privileged processes", adding some of Eric Biederman's
> >> > suggestions as well as the start_stack change (only give out that
> >> > address if the process is ptrace()-able).  This has been tested
> >> > with ps and top without any ill effects being seen.
> >> 
> >> Looks sane to me. Anybody objects?
> >> 
> >
> > Acked-by: Arjan van de Ven <arjan@linux.intel.com>
> 
> Looks sane here.
> 
> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

Ok, applied.

Also, does anybody have any commentary or opinion on the patch by Matt 
Mackall to use stronger random numbers than "get_random_int()". I wonder 
what the performance impact of that is - "get_random_int()" is very cheap 
by design, and many users may consider calling "get_random_bytes()" to be 
overkill and a potential performance issue.

Quite frankly, the way "get_random_bytes()" works now (it does a _full_ 
sha thing every time), I think it's insane overkill. But I do have to 
admit that our current "get_random_int()" is insane _underkill_.

I'd like to improve the latter without going to quie the extreme that 
matt's patch did.

		Linus

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Arjan van de Ven]

On Mon, 4 May 2009 15:24:15 -0700 (PDT)
Linus Torvalds <torvalds@linux-foundation.org> wrote:

> 
> 
> On Mon, 4 May 2009, Eric W. Biederman wrote:
> 
> > Arjan van de Ven <arjan@infradead.org> writes:
> > 
> > > On Mon, 4 May 2009 12:00:12 -0700 (PDT)
> > > Linus Torvalds <torvalds@linux-foundation.org> wrote:
> > >
> > >> 
> > >> 
> > >> On Mon, 4 May 2009, Jake Edge wrote:
> > >> >
> > >> > This is essentially v2 of "[PATCH] proc: avoid leaking eip,
> > >> > esp, or wchan to non-privileged processes", adding some of
> > >> > Eric Biederman's suggestions as well as the start_stack change
> > >> > (only give out that address if the process is ptrace()-able).
> > >> > This has been tested with ps and top without any ill effects
> > >> > being seen.
> > >> 
> > >> Looks sane to me. Anybody objects?
> > >> 
> > >
> > > Acked-by: Arjan van de Ven <arjan@linux.intel.com>
> > 
> > Looks sane here.
> > 
> > Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
> 
> Ok, applied.
> 
> Also, does anybody have any commentary or opinion on the patch by
> Matt Mackall to use stronger random numbers than "get_random_int()".
> I wonder what the performance impact of that is - "get_random_int()"
> is very cheap by design, and many users may consider calling
> "get_random_bytes()" to be overkill and a potential performance issue.
> 
> Quite frankly, the way "get_random_bytes()" works now (it does a
> _full_ sha thing every time), I think it's insane overkill. But I do
> have to admit that our current "get_random_int()" is insane
> _underkill_.
> 
> I'd like to improve the latter without going to quie the extreme that 
> matt's patch did.

doing something simple as hashing in the tsc will already help;
while some people are nervous about the predictability of the tsc,
in practice there's likely enough bits of unpredictability there
to be worth the very low price of 50 cycles or less....


-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Linus Torvalds]

On Mon, 4 May 2009, Linus Torvalds wrote:
> 
> Quite frankly, the way "get_random_bytes()" works now (it does a _full_ 
> sha thing every time), I think it's insane overkill. But I do have to 
> admit that our current "get_random_int()" is insane _underkill_.

Actually, I don't think "get_random_int()" is underkill per se (it does 
that half md4 transform to try to hide the source of the data), but the 
data itself is simply not modified at all, and the buffers aren't updated 
in between rounds.

In fact "secure_ip_id()" (which it uses) explicityl does that private 
hash[] array so that the mixing that "half_md4_transform()" does do will 
_not_ be saved for the next round - so the next round will always start 
from the same keyptr "secret" state.

I think.

If that wasn't the case, and we actually kept mixing up the end result 
back into the next iteration, I suspect the current "get_random_int()" 
wouldn't be _nearly_ as bad as it is now. 

Or maybe I'm missing some part of the transform, and we do mix the values 
back as we do that "get_random_int()". I just don't see it. And if I'm 
right, then I think _that_ is the real weakness of our current 
get_random_int().

			Linus

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Eric W. Biederman]

Linus Torvalds <torvalds@linux-foundation.org> writes:

> On Mon, 4 May 2009, Linus Torvalds wrote:
>> 
>> Quite frankly, the way "get_random_bytes()" works now (it does a _full_ 
>> sha thing every time), I think it's insane overkill. But I do have to 
>> admit that our current "get_random_int()" is insane _underkill_.
>
> Actually, I don't think "get_random_int()" is underkill per se (it does 
> that half md4 transform to try to hide the source of the data), but the 
> data itself is simply not modified at all, and the buffers aren't updated 
> in between rounds.
>
> In fact "secure_ip_id()" (which it uses) explicityl does that private 
> hash[] array so that the mixing that "half_md4_transform()" does do will 
> _not_ be saved for the next round - so the next round will always start 
> from the same keyptr "secret" state.
>
> I think.
>
> If that wasn't the case, and we actually kept mixing up the end result 
> back into the next iteration, I suspect the current "get_random_int()" 
> wouldn't be _nearly_ as bad as it is now. 
>
> Or maybe I'm missing some part of the transform, and we do mix the values 
> back as we do that "get_random_int()". I just don't see it. And if I'm 
> right, then I think _that_ is the real weakness of our current 
> get_random_int().

Yes, not mixing the result back (which would give us some kind of
pseudo random number generator) is the problem.

secure_ip_id, looks to be a very different kind of thing.  A seed
that is reused periodically.  Ultimately those values do change.

For the state we are mixing back into I expect we want it to be
per cpu so we don't need locks and avoid  cache line ping pongs
when we mix the state back.

I haven't seen Matts patch and couldn't find it when I did a quick
look so I don't have any idea there.

Eric

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Linus Torvalds]

On Tue, 5 May 2009, Eric W. Biederman wrote:
> 
> Yes, not mixing the result back (which would give us some kind of
> pseudo random number generator) is the problem.

Guys, so how about this?

It's a really simple patch that basically just open-codes the current 
"secure_ip_id()" call, but when open-coding it we now use a _static_ 
hashing area, so that it gets updated every time.

And to make sure somebody can't just start from the same original seed of 
all-zeroes, and then do the "half_md4_transform()" over and over until 
they get the same sequence as the kernel has, each iteration also mixes in 
the same old "current->pid + jiffies" we used - so we should now have a 
regular strong pseudo-number generator, but we also have one that doesn't 
have a single seed.

Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It 
has no real meaning. It could be anything. I just picked the previous 
seed, it's just that now we keep the state in between calls and that will 
feed into the next result, and that should make all the difference.

I made that hash be a per-cpu data just to avoid cache-line ping-pong: 
having multiple CPU's write to the same data would be fine for randomness, 
and add yet another layer of chaos to it, but since get_random_int() is 
supposed to be a fast interface I did it that way instead. I considered 
using "__raw_get_cpu_var()" to avoid any preemption overhead while still 
getting the hash be _mostly_ ping-pong free, but in the end good taste won 
out.

I have _not_ tested this. Somebody obviously should, and I'm not checking 
it in without ack's and somebody testing it.

		Linus
---
 drivers/char/random.c |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index f824ef8..9f8fd5b 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1665,15 +1665,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_number);
  * value is not cryptographically secure but for several uses the cost of
  * depleting entropy is too high
  */
+DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
 unsigned int get_random_int(void)
 {
-	/*
-	 * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
-	 * every second, from the entropy pool (and thus creates a limited
-	 * drain on it), and uses halfMD4Transform within the second. We
-	 * also mix it with jiffies and the PID:
-	 */
-	return secure_ip_id((__force __be32)(current->pid + jiffies));
+	struct keydata *keyptr;
+	__u32 *hash = get_cpu_var(get_random_int_hash);
+	int ret;
+
+	keyptr = get_keyptr();
+	hash[0] += current->pid + jiffies;
+
+	ret = half_md4_transform(hash, keyptr->secret);
+	put_cpu_var(get_random_int_hash);
+
+	return ret;
 }
 
 /*

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Linus Torvalds]

On Tue, 5 May 2009, Linus Torvalds wrote:
> 
> Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It 
> has no real meaning. It could be anything. I just picked the previous 
> seed, it's just that now we keep the state in between calls and that will 
> feed into the next result, and that should make all the difference.

Actually, thinking about it, we could/should probably just remove that 
tiny bit of noise.

After all, we get _real_ noise from the "keyptr->secret" thing. It's not 
updated all the time, but it's certainly updated often enough that nobody 
will ever see anything remotely guessable, I suspect.

Not that the "pid+jiffies" should hurt either, of course. It just doesn't 
really look meaningful, and only exists as a historical oddity that 
relates to the previous implementation of get_random_int().

			Linus

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Tue, May 05, 2009 at 08:35:35AM -0700, Linus Torvalds wrote:
> 
> 
> On Tue, 5 May 2009, Linus Torvalds wrote:
> > 
> > Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It 
> > has no real meaning. It could be anything. I just picked the previous 
> > seed, it's just that now we keep the state in between calls and that will 
> > feed into the next result, and that should make all the difference.
> 
> Actually, thinking about it, we could/should probably just remove that 
> tiny bit of noise.
> 
> After all, we get _real_ noise from the "keyptr->secret" thing. It's not 
> updated all the time, but it's certainly updated often enough that nobody 
> will ever see anything remotely guessable, I suspect.
> 
> Not that the "pid+jiffies" should hurt either, of course. It just doesn't 
> really look meaningful, and only exists as a historical oddity that 
> relates to the previous implementation of get_random_int().

I think it can only do good here. Recursively applied functions are
vulnerable to falling into greatly reduced state spaces (see 'strange
attractors') and adding any old crap can perturb it out of those
spaces. A good hash function should be resistant to this, but MD4 and
half_MD4 are not good hash functions.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Tue, May 05, 2009 at 08:17:43AM -0700, Linus Torvalds wrote:
> 
> 
> On Tue, 5 May 2009, Eric W. Biederman wrote:
> > 
> > Yes, not mixing the result back (which would give us some kind of
> > pseudo random number generator) is the problem.
> 
> Guys, so how about this?
> 
> It's a really simple patch that basically just open-codes the current 
> "secure_ip_id()" call, but when open-coding it we now use a _static_ 
> hashing area, so that it gets updated every time.
> 
> And to make sure somebody can't just start from the same original seed of 
> all-zeroes, and then do the "half_md4_transform()" over and over until 
> they get the same sequence as the kernel has, each iteration also mixes in 
> the same old "current->pid + jiffies" we used - so we should now have a 
> regular strong pseudo-number generator, but we also have one that doesn't 
> have a single seed.
> 
> Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It 
> has no real meaning. It could be anything. I just picked the previous 
> seed, it's just that now we keep the state in between calls and that will 
> feed into the next result, and that should make all the difference.
> 
> I made that hash be a per-cpu data just to avoid cache-line ping-pong: 
> having multiple CPU's write to the same data would be fine for randomness, 
> and add yet another layer of chaos to it, but since get_random_int() is 
> supposed to be a fast interface I did it that way instead. I considered 
> using "__raw_get_cpu_var()" to avoid any preemption overhead while still 
> getting the hash be _mostly_ ping-pong free, but in the end good taste won 
> out.

It's an ok model, but I'd be much happier if we used a decent
hash function. I'm not a cryptanalyst, so I can't rattle off all the
known attacks against this hash function, but it can no longer be
considered any kind of cryptographic primitive. I would not be at all
surprised if it was possible to recover the entire secret state by
observing some small set of RNG outputs and then use that to backtrack
the RNG to reveal the layout of a recently launched process.

(Sending off a couple queries to some folks who are good at breaking
such things to confirm my hunches.)

Also, the current function name must go. It is seriously misleading.
get_random_u32 please.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Mon, May 04, 2009 at 03:24:15PM -0700, Linus Torvalds wrote:
> 
> 
> On Mon, 4 May 2009, Eric W. Biederman wrote:
> 
> > Arjan van de Ven <arjan@infradead.org> writes:
> > 
> > > On Mon, 4 May 2009 12:00:12 -0700 (PDT)
> > > Linus Torvalds <torvalds@linux-foundation.org> wrote:
> > >
> > >> 
> > >> 
> > >> On Mon, 4 May 2009, Jake Edge wrote:
> > >> >
> > >> > This is essentially v2 of "[PATCH] proc: avoid leaking eip, esp, or
> > >> > wchan to non-privileged processes", adding some of Eric Biederman's
> > >> > suggestions as well as the start_stack change (only give out that
> > >> > address if the process is ptrace()-able).  This has been tested
> > >> > with ps and top without any ill effects being seen.
> > >> 
> > >> Looks sane to me. Anybody objects?
> > >> 
> > >
> > > Acked-by: Arjan van de Ven <arjan@linux.intel.com>
> > 
> > Looks sane here.
> > 
> > Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
> 
> Ok, applied.
> 
> Also, does anybody have any commentary or opinion on the patch by Matt 
> Mackall to use stronger random numbers than "get_random_int()". I wonder 
> what the performance impact of that is - "get_random_int()" is very cheap 
> by design, and many users may consider calling "get_random_bytes()" to be 
> overkill and a potential performance issue.
> 
> Quite frankly, the way "get_random_bytes()" works now (it does a _full_ 
> sha thing every time), I think it's insane overkill. But I do have to 
> admit that our current "get_random_int()" is insane _underkill_.
> 
> I'd like to improve the latter without going to quie the extreme that 
> matt's patch did.

ASLR aside, get_random_u32 is the right interface (strong,
well-defined type) for random.c to export and get_random_int (weak,
ambiguous type) is the wrong one.

As to what's the appropriate sort of RNG for ASLR to use, finding a
balance between too strong and too weak is tricky. I'd rather move
things to a known safe point and back it off to acceptable performance
from there if anyone complains. So let's do my patch now.

Looking forward:

A faster-but-weakened RNG for ASLR (and similar purposes) will still
need to be strong in the cryptographic sense. Which probably means
having secret state (per cpu?) that changes at every call via a strong
cipher or hash (though lighter than the full RNG). Alternately, we use
a weak primitive (eg halfmd4) with per-task secrets. Not really keen
on the latter as a user may expose outputs across task boundaries that
allow backtracking attacks against the ASLR. In other words, the
latter requires disciplined users, while the former doesn't.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> As to what's the appropriate sort of RNG for ASLR to use, finding 
> a balance between too strong and too weak is tricky. [...]

In exec-shield i mixed 'easily accessible and fast' semi-random 
state to the get_random_int() result: xor-ed the cycle counter, the 
pid and a kernel address to it. That strengthened the result in a 
pretty practical way (without strengthening the theoretical 
randomless - each of those items are considered guessable) and does 
so without weakening the entropy of the random pool.

As usual, it got objected to and removed during upstream review so 
the upstream code stands on a single foot only - which is an 
obviously bad idea.

The thing is, it's very hard to argue for (and prove) security 
related complexity on an objective basis. ASLR was met with quite 
some upstream hostility, so it did not really get merged upstream, 
it barely managed to limp upstream.

	Ingo

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Eric W. Biederman]

Ingo Molnar <mingo@elte.hu> writes:

> * Matt Mackall <mpm@selenic.com> wrote:
>
>> As to what's the appropriate sort of RNG for ASLR to use, finding 
>> a balance between too strong and too weak is tricky. [...]
>
> In exec-shield i mixed 'easily accessible and fast' semi-random 
> state to the get_random_int() result: xor-ed the cycle counter, the 
> pid and a kernel address to it. That strengthened the result in a 
> pretty practical way (without strengthening the theoretical 
> randomless - each of those items are considered guessable) and does 
> so without weakening the entropy of the random pool.

The trouble is, that thinking completely misses the problem, and I
expect that is why we have a problem.  Throwing a bunch of possibly
truly random values into the pot for luck is nice.  But you didn't
throw in a pseudo random number generator.  An unpredictable sequence
that is guaranteed to change from one invocation to the next.

In a very practical sense a pseudo random generator is completely
sufficient.  Throwing in a few truly random numbers guards against
attacks on the random number generator.

What we have now is a hash over an a value that changes every 5 minutes
and some well known values.

Eric

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Eric W. Biederman <ebiederm@xmission.com> wrote:

> Ingo Molnar <mingo@elte.hu> writes:
> 
> > * Matt Mackall <mpm@selenic.com> wrote:
> >
> >> As to what's the appropriate sort of RNG for ASLR to use, finding 
> >> a balance between too strong and too weak is tricky. [...]
> >
> > In exec-shield i mixed 'easily accessible and fast' semi-random 
> > state to the get_random_int() result: xor-ed the cycle counter, the 
> > pid and a kernel address to it. That strengthened the result in a 
> > pretty practical way (without strengthening the theoretical 
> > randomless - each of those items are considered guessable) and does 
> > so without weakening the entropy of the random pool.
> 
> The trouble is, that thinking completely misses the problem, and I 
> expect that is why we have a problem.  Throwing a bunch of 
> possibly truly random values into the pot for luck is nice.  But 
> you didn't throw in a pseudo random number generator.  An 
> unpredictable sequence that is guaranteed to change from one 
> invocation to the next.

Alas, i did - it got 'reviewed' out of existence ;)

I still have the backups, here's the original exec-shield RNG:

+/*
+ * Get a random word:
+ */
+static inline unsigned int get_random_int(void)
+{
+       unsigned int val = 0;
+
+       if (!exec_shield_randomize)
+               return 0;
+
+#ifdef CONFIG_X86_HAS_TSC
+       rdtscl(val);
+#endif
+       val += current->pid + jiffies + (int)&val;
+
+       /*
+        * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
+        * every second, from the entropy pool (and thus creates a limited
+        * drain on it), and uses halfMD4Transform within the second. We
+        * also spice it with the TSC (if available), jiffies, PID and the
+        * stack address:
+        */
+       return secure_ip_id(val);
+}

I thought that basing it on the networking PRNG is proper design: 
the networking folks have showed it time and again that they care 
about the PRNG not being brute-forceable easily, while still staying 
fast enough.

I added the TSC and a few other pseudo-random details to increase 
complexity of any brute-force attack. (in the hope of rendering it 
less practical, at minimal cost)

> In a very practical sense a pseudo random generator is completely 
> sufficient.  Throwing in a few truly random numbers guards against 
> attacks on the random number generator.
> 
> What we have now is a hash over an a value that changes every 5 
> minutes and some well known values.

Yes.

	Ingo

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Tue, May 05, 2009 at 09:52:46PM +0200, Ingo Molnar wrote:
> 
> * Eric W. Biederman <ebiederm@xmission.com> wrote:
> 
> > Ingo Molnar <mingo@elte.hu> writes:
> > 
> > > * Matt Mackall <mpm@selenic.com> wrote:
> > >
> > >> As to what's the appropriate sort of RNG for ASLR to use, finding 
> > >> a balance between too strong and too weak is tricky. [...]
> > >
> > > In exec-shield i mixed 'easily accessible and fast' semi-random 
> > > state to the get_random_int() result: xor-ed the cycle counter, the 
> > > pid and a kernel address to it. That strengthened the result in a 
> > > pretty practical way (without strengthening the theoretical 
> > > randomless - each of those items are considered guessable) and does 
> > > so without weakening the entropy of the random pool.
> > 
> > The trouble is, that thinking completely misses the problem, and I 
> > expect that is why we have a problem.  Throwing a bunch of 
> > possibly truly random values into the pot for luck is nice.  But 
> > you didn't throw in a pseudo random number generator.  An 
> > unpredictable sequence that is guaranteed to change from one 
> > invocation to the next.
> 
> Alas, i did - it got 'reviewed' out of existence ;)
> 
> I still have the backups, here's the original exec-shield RNG:
> 
> +/*
> + * Get a random word:
> + */
> +static inline unsigned int get_random_int(void)
> +{
> +       unsigned int val = 0;
> +
> +       if (!exec_shield_randomize)
> +               return 0;
> +
> +#ifdef CONFIG_X86_HAS_TSC
> +       rdtscl(val);
> +#endif
> +       val += current->pid + jiffies + (int)&val;
> +
> +       /*
> +        * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
> +        * every second, from the entropy pool (and thus creates a limited
> +        * drain on it), and uses halfMD4Transform within the second. We
> +        * also spice it with the TSC (if available), jiffies, PID and the
> +        * stack address:
> +        */
> +       return secure_ip_id(val);
> +}

Ingo, what are you on about? On every architecture but X86 with TSC
this is identical to the broken code.

TSC only helps matters slightly - the timescales involved in process
creation are very short and we can probably brute-force attack it with
a useful probability of success. ie:

a) record TSC
b) fork target process
c) record TSC
d) guess TSC value 
e) attempt attack
f) repeat

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Eric W. Biederman]

Matt Mackall <mpm@selenic.com> writes:

> On Tue, May 05, 2009 at 09:52:46PM +0200, Ingo Molnar wrote:
>> 
>> * Eric W. Biederman <ebiederm@xmission.com> wrote:
>> 
>> > Ingo Molnar <mingo@elte.hu> writes:
>> > 
>> > > * Matt Mackall <mpm@selenic.com> wrote:
>> > >
>> > >> As to what's the appropriate sort of RNG for ASLR to use, finding 
>> > >> a balance between too strong and too weak is tricky. [...]
>> > >
>> > > In exec-shield i mixed 'easily accessible and fast' semi-random 
>> > > state to the get_random_int() result: xor-ed the cycle counter, the 
>> > > pid and a kernel address to it. That strengthened the result in a 
>> > > pretty practical way (without strengthening the theoretical 
>> > > randomless - each of those items are considered guessable) and does 
>> > > so without weakening the entropy of the random pool.
>> > 
>> > The trouble is, that thinking completely misses the problem, and I 
>> > expect that is why we have a problem.  Throwing a bunch of 
>> > possibly truly random values into the pot for luck is nice.  But 
>> > you didn't throw in a pseudo random number generator.  An 
>> > unpredictable sequence that is guaranteed to change from one 
>> > invocation to the next.
>> 
>> Alas, i did - it got 'reviewed' out of existence ;)
>> 
>> I still have the backups, here's the original exec-shield RNG:
>> 
>> +/*
>> + * Get a random word:
>> + */
>> +static inline unsigned int get_random_int(void)
>> +{
>> +       unsigned int val = 0;
>> +
>> +       if (!exec_shield_randomize)
>> +               return 0;
>> +
>> +#ifdef CONFIG_X86_HAS_TSC
>> +       rdtscl(val);
>> +#endif
>> +       val += current->pid + jiffies + (int)&val;
>> +
>> +       /*
>> +        * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
>> +        * every second, from the entropy pool (and thus creates a limited
>> +        * drain on it), and uses halfMD4Transform within the second. We
>> +        * also spice it with the TSC (if available), jiffies, PID and the
>> +        * stack address:
>> +        */
>> +       return secure_ip_id(val);
>> +}
>
> Ingo, what are you on about? On every architecture but X86 with TSC
> this is identical to the broken code.

Well it has the val = (int)&val bit. 

However you are quite right the original get_random_int does not have
any state that persists from one call to the next.  Ingo you failed to
copy that from the way ip uses secure_ip_id.

Which ultimately means get_random_int has never had a pseudo random
number generator in it.

Eric

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Eric W. Biederman <ebiederm@xmission.com> wrote:

> Matt Mackall <mpm@selenic.com> writes:
> 
> > On Tue, May 05, 2009 at 09:52:46PM +0200, Ingo Molnar wrote:
> >> 
> >> * Eric W. Biederman <ebiederm@xmission.com> wrote:
> >> 
> >> > Ingo Molnar <mingo@elte.hu> writes:
> >> > 
> >> > > * Matt Mackall <mpm@selenic.com> wrote:
> >> > >
> >> > >> As to what's the appropriate sort of RNG for ASLR to use, finding 
> >> > >> a balance between too strong and too weak is tricky. [...]
> >> > >
> >> > > In exec-shield i mixed 'easily accessible and fast' semi-random 
> >> > > state to the get_random_int() result: xor-ed the cycle counter, the 
> >> > > pid and a kernel address to it. That strengthened the result in a 
> >> > > pretty practical way (without strengthening the theoretical 
> >> > > randomless - each of those items are considered guessable) and does 
> >> > > so without weakening the entropy of the random pool.
> >> > 
> >> > The trouble is, that thinking completely misses the problem, and I 
> >> > expect that is why we have a problem.  Throwing a bunch of 
> >> > possibly truly random values into the pot for luck is nice.  But 
> >> > you didn't throw in a pseudo random number generator.  An 
> >> > unpredictable sequence that is guaranteed to change from one 
> >> > invocation to the next.
> >> 
> >> Alas, i did - it got 'reviewed' out of existence ;)
> >> 
> >> I still have the backups, here's the original exec-shield RNG:
> >> 
> >> +/*
> >> + * Get a random word:
> >> + */
> >> +static inline unsigned int get_random_int(void)
> >> +{
> >> +       unsigned int val = 0;
> >> +
> >> +       if (!exec_shield_randomize)
> >> +               return 0;
> >> +
> >> +#ifdef CONFIG_X86_HAS_TSC
> >> +       rdtscl(val);
> >> +#endif
> >> +       val += current->pid + jiffies + (int)&val;
> >> +
> >> +       /*
> >> +        * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
> >> +        * every second, from the entropy pool (and thus creates a limited
> >> +        * drain on it), and uses halfMD4Transform within the second. We
> >> +        * also spice it with the TSC (if available), jiffies, PID and the
> >> +        * stack address:
> >> +        */
> >> +       return secure_ip_id(val);
> >> +}
> >
> > Ingo, what are you on about? On every architecture but X86 with TSC
> > this is identical to the broken code.
> 
> Well it has the val = (int)&val bit. 
> 
> However you are quite right the original get_random_int does not 
> have any state that persists from one call to the next.  Ingo you 
> failed to copy that from the way ip uses secure_ip_id.
> 
> Which ultimately means get_random_int has never had a pseudo 
> random number generator in it.

Indeed, good point. But, practical randomness was still saved by the 
other layers. Which what it is really about: adding different 
sources of semi-random values really increases attack complexity, 
and is cheap.

	Ingo

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> On Tue, May 05, 2009 at 09:52:46PM +0200, Ingo Molnar wrote:
> > 
> > * Eric W. Biederman <ebiederm@xmission.com> wrote:
> > 
> > > Ingo Molnar <mingo@elte.hu> writes:
> > > 
> > > > * Matt Mackall <mpm@selenic.com> wrote:
> > > >
> > > >> As to what's the appropriate sort of RNG for ASLR to use, finding 
> > > >> a balance between too strong and too weak is tricky. [...]
> > > >
> > > > In exec-shield i mixed 'easily accessible and fast' semi-random 
> > > > state to the get_random_int() result: xor-ed the cycle counter, the 
> > > > pid and a kernel address to it. That strengthened the result in a 
> > > > pretty practical way (without strengthening the theoretical 
> > > > randomless - each of those items are considered guessable) and does 
> > > > so without weakening the entropy of the random pool.
> > > 
> > > The trouble is, that thinking completely misses the problem, and I 
> > > expect that is why we have a problem.  Throwing a bunch of 
> > > possibly truly random values into the pot for luck is nice.  But 
> > > you didn't throw in a pseudo random number generator.  An 
> > > unpredictable sequence that is guaranteed to change from one 
> > > invocation to the next.
> > 
> > Alas, i did - it got 'reviewed' out of existence ;)
> > 
> > I still have the backups, here's the original exec-shield RNG:
> > 
> > +/*
> > + * Get a random word:
> > + */
> > +static inline unsigned int get_random_int(void)
> > +{
> > +       unsigned int val = 0;
> > +
> > +       if (!exec_shield_randomize)
> > +               return 0;
> > +
> > +#ifdef CONFIG_X86_HAS_TSC
> > +       rdtscl(val);
> > +#endif
> > +       val += current->pid + jiffies + (int)&val;
> > +
> > +       /*
> > +        * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
> > +        * every second, from the entropy pool (and thus creates a limited
> > +        * drain on it), and uses halfMD4Transform within the second. We
> > +        * also spice it with the TSC (if available), jiffies, PID and the
> > +        * stack address:
> > +        */
> > +       return secure_ip_id(val);
> > +}
> 
> Ingo, what are you on about? On every architecture but X86 with 
> TSC this is identical to the broken code.

Note that this was the exec-shield arch/*86/mm/mmap.c code.

(Also, obviously "only" covering 95% of the Linux systems has its 
use as well. Most other architectures have their own cycle counters 
as well.)

> TSC only helps matters slightly - the timescales involved in 
> process creation are very short and we can probably brute-force 
> attack it with a useful probability of success. ie:
> 
> a) record TSC
> b) fork target process
> c) record TSC
> d) guess TSC value 
> e) attempt attack
> f) repeat

Try that one day and see how much jitter there is in that sequence, 
even on a completely quiescent system.

	Ingo

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
> (Also, obviously "only" covering 95% of the Linux systems has its 
> use as well. Most other architectures have their own cycle counters 
> as well.)

X86 might be 95% of desktop. But it's a small fraction of Linux
systems once you count cell phones, video players, TVs, cameras, GPS
devices, cars, routers, etc. almost none of which are x86-based. In
fact, just Linux cell phones (with about an 8% share of a 1.2billion
devices per year market) dwarf Linux desktops (maybe 5% of a
200m/y market).

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Linus Torvalds]

On Wed, 6 May 2009, Matt Mackall wrote:

> On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
> > (Also, obviously "only" covering 95% of the Linux systems has its 
> > use as well. Most other architectures have their own cycle counters 
> > as well.)
> 
> X86 might be 95% of desktop. But it's a small fraction of Linux
> systems once you count cell phones, video players, TVs, cameras, GPS
> devices, cars, routers, etc. almost none of which are x86-based. In
> fact, just Linux cell phones (with about an 8% share of a 1.2billion
> devices per year market) dwarf Linux desktops (maybe 5% of a
> 200m/y market).

Matt, are you willing to ack my suggested patch which adds history to the 
mix? Did somebody test that? I have this memory of there being an 
"exploit" program to show the non-randomness of the values, but I can't 
recall details, and would really want to get a second opinion from 
somebody who cares about PRNG's.

			Linus

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
> 
> Matt, are you willing to ack my suggested patch which adds history to the 
> mix? Did somebody test that? I have this memory of there being an 
> "exploit" program to show the non-randomness of the values, but I can't 
> recall details, and would really want to get a second opinion from 
> somebody who cares about PRNG's.

I still don't like it. I bounced it off some folks on the adversarial
side of things and they didn't think it looked strong enough either.
Full MD5 collisions can be generated about as fast as they can be
checked, which makes _reduced strength_ MD4 not much better than an
LFSR in terms of attack potential. So I suggest we either:

a) take my original patch 
b) respin your patch using at least SHA1 rather than halfMD4 and
changing the name to get_random_u32

If you'd prefer (b), I'll do the legwork.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Wed, May 06, 2009 at 12:57:17PM -0500, Matt Mackall wrote:
> On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
> > 
> > Matt, are you willing to ack my suggested patch which adds history to the 
> > mix? Did somebody test that? I have this memory of there being an 
> > "exploit" program to show the non-randomness of the values, but I can't 
> > recall details, and would really want to get a second opinion from 
> > somebody who cares about PRNG's.
> 
> I still don't like it. I bounced it off some folks on the adversarial
> side of things and they didn't think it looked strong enough either.
> Full MD5 collisions can be generated about as fast as they can be
> checked, which makes _reduced strength_ MD4 not much better than an
> LFSR in terms of attack potential. So I suggest we either:
> 
> a) take my original patch 
> b) respin your patch using at least SHA1 rather than halfMD4 and
> changing the name to get_random_u32
> 
> If you'd prefer (b), I'll do the legwork.

I've done some basic benchmarks on the primitives here in userspace:

halfMD4 get_random_int: about .326us per call or 12.2MB/s
sha1 get_random_int: about .660us per call or 6.1MB/s
dd /dev/urandom: 3.6MB/s

So I think the SHA1 solution is quite competitive on the performance
front with far fewer concerns about its strength. I'll spin a proper
patch tomorrow.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> On Wed, May 06, 2009 at 12:57:17PM -0500, Matt Mackall wrote:
> > On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
> > > 
> > > Matt, are you willing to ack my suggested patch which adds history to the 
> > > mix? Did somebody test that? I have this memory of there being an 
> > > "exploit" program to show the non-randomness of the values, but I can't 
> > > recall details, and would really want to get a second opinion from 
> > > somebody who cares about PRNG's.
> > 
> > I still don't like it. I bounced it off some folks on the adversarial
> > side of things and they didn't think it looked strong enough either.
> > Full MD5 collisions can be generated about as fast as they can be
> > checked, which makes _reduced strength_ MD4 not much better than an
> > LFSR in terms of attack potential. So I suggest we either:
> > 
> > a) take my original patch 
> > b) respin your patch using at least SHA1 rather than halfMD4 and
> > changing the name to get_random_u32
> > 
> > If you'd prefer (b), I'll do the legwork.
> 
> I've done some basic benchmarks on the primitives here in userspace:
> 
> halfMD4 get_random_int: about .326us per call or 12.2MB/s
> sha1 get_random_int: about .660us per call or 6.1MB/s
> dd /dev/urandom: 3.6MB/s
> 
> So I think the SHA1 solution is quite competitive on the 
> performance front with far fewer concerns about its strength. I'll 
> spin a proper patch tomorrow.

Hm, i'm not happy about that at all - that's like a ~2000 cycles 
cost, probably fully cached! Do you have cache-cold numbers as well?

We have:

 aldebaran:~/l> ./lat_proc fork
 Process fork+exit: 61.7865 microseconds

So what you are talking about is about 1% of our fork performance! 
And fork is a pretty fat operation - it could be much worse for 
something ligther.

As i mentioned it in the previous mail, i'd _really_ like to hear 
your thread model and attack vector description. Does this overhead 
justify the threat? Your change will only result in get_random_int() 
not being considered fast anymore.

So unless a strong reason to do otherwise, i'd really prefer Linus's 
modified patch, the one i tested and sent out yesterday. (attached 
below again)

	Ingo

----- Forwarded message from Ingo Molnar <mingo@elte.hu> -----

Date: Wed, 6 May 2009 22:09:54 +0200
From: Ingo Molnar <mingo@elte.hu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Subject: [patch] random: make get_random_int() more random
Cc: Matt Mackall <mpm@selenic.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Arjan van de Ven <arjan@infradead.org>, Jake Edge <jake@lwn.net>,
	security@kernel.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	James Morris <jmorris@namei.org>,
	linux-security-module@vger.kernel.org,
	Eric Paris <eparis@redhat.com>, Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Roland McGrath <roland@redhat.com>, mingo@redhat.com,
	Andrew Morton <akpm@linux-foundation.org>, Greg KH <greg@kroah.com>,
	Dave Jones <davej@redhat.com>


* Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Wed, 6 May 2009, Matt Mackall wrote:
> 
> > On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
>
> > > (Also, obviously "only" covering 95% of the Linux systems has 
> > > its use as well. Most other architectures have their own cycle 
> > > counters as well.)
> > 
> > X86 might be 95% of desktop. But it's a small fraction of Linux 
> > systems once you count cell phones, video players, TVs, cameras, 
> > GPS devices, cars, routers, etc. almost none of which are 
> > x86-based. In fact, just Linux cell phones (with about an 8% 
> > share of a 1.2billion devices per year market) dwarf Linux 
> > desktops (maybe 5% of a 200m/y market).
> 
> Matt, are you willing to ack my suggested patch which adds history 
> to the mix? Did somebody test that? I have this memory of there 
> being an "exploit" program to show the non-randomness of the 
> values, but I can't recall details, and would really want to get a 
> second opinion from somebody who cares about PRNG's.

I tested it, and besides booting up fine, i also tested the 
get_random_int() randomness. I did this by adding this quick 
trace_printk() line:

   trace_printk("get_random_int(): %08x\n", get_random_int());

to sys_prctl() and triggered sys_prctl() in a loop, which gave a 
list of get_random_int() numbers:

# tracer: nop
#
#           TASK-PID    CPU#    TIMESTAMP  FUNCTION
#              | |	 |          |         |
           <...>-6288  [000]   618.151323: sys_prctl: get_random_int(): 2e927f66
           <...>-6290  [000]   618.152924: sys_prctl: get_random_int(): d210df1f
           <...>-6293  [000]   618.155326: sys_prctl: get_random_int(): 753ad860
           <...>-6295  [000]   618.156939: sys_prctl: get_random_int(): c74d935f
           <...>-6298  [000]   618.159334: sys_prctl: get_random_int(): bb4e7597
           <...>-6300  [000]   618.160936: sys_prctl: get_random_int(): b0119885
           <...>-6303  [000]   618.163331: sys_prctl: get_random_int(): 093f5c70

Full list attached.

I then wrote a quick script to write those numbers out into a 
continous binary file (result also attached).

I then ran the FIPS randomness test over the first 20,000 bits [2.5K 
data], which it passed:

rngtest: bits received from input: 20064
rngtest: bits sent to output: 20000
rngtest: FIPS 140-2 successes: 1
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=3.104; avg=3.104; max=3.104)Gibits/s
rngtest: FIPS tests speed: (min=110.892; avg=110.892; max=110.892)Mibits/s
rngtest: output channel speed: (min=544.957; avg=544.957; max=544.957)Mibits/s
rngtest: Program run time: 294 microseconds

So it looks good enough - that's a sample of 800+ pseudo-random 
integers.

I also modified your patch to include two more random sources, 
get_cycles() [which all 22 architectures define - albeit not all 
have the hw to actually do fine-grained cycle counts - so for some 
it's always-zero or a low-res return value], plus a kernel stack 
address.

The relevant line is:

+	hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;

The argument is that the more layers we have here, the harder it 
becomes to _reliably_ attack a given system. Works-100%-sure is an 
important prize for certain types of attackers - and with the cycle 
counter, jiffies, PID and a kernel address all mixed in that becomes 
quite hard to achieve.

I tested this too - it also results in good random numbers. Find the 
patch below.

	Ingo


--------------->
Subject: random: make get_random_int() more random
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 5 May 2009 08:17:43 -0700 (PDT)

It's a really simple patch that basically just open-codes the current
"secure_ip_id()" call, but when open-coding it we now use a _static_
hashing area, so that it gets updated every time.

And to make sure somebody can't just start from the same original seed of
all-zeroes, and then do the "half_md4_transform()" over and over until
they get the same sequence as the kernel has, each iteration also mixes in
the same old "current->pid + jiffies" we used - so we should now have a
regular strong pseudo-number generator, but we also have one that doesn't
have a single seed.

Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It
has no real meaning. It could be anything. I just picked the previous
seed, it's just that now we keep the state in between calls and that will
feed into the next result, and that should make all the difference.

I made that hash be a per-cpu data just to avoid cache-line ping-pong:
having multiple CPU's write to the same data would be fine for randomness,
and add yet another layer of chaos to it, but since get_random_int() is
supposed to be a fast interface I did it that way instead. I considered
using "__raw_get_cpu_var()" to avoid any preemption overhead while still
getting the hash be _mostly_ ping-pong free, but in the end good taste won
out.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
 drivers/char/random.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

Index: linux/drivers/char/random.c
===================================================================
--- linux.orig/drivers/char/random.c
+++ linux/drivers/char/random.c
@@ -1665,15 +1665,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_numbe
  * value is not cryptographically secure but for several uses the cost of
  * depleting entropy is too high
  */
+DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
 unsigned int get_random_int(void)
 {
-	/*
-	 * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
-	 * every second, from the entropy pool (and thus creates a limited
-	 * drain on it), and uses halfMD4Transform within the second. We
-	 * also mix it with jiffies and the PID:
-	 */
-	return secure_ip_id((__force __be32)(current->pid + jiffies));
+	struct keydata *keyptr;
+	__u32 *hash = get_cpu_var(get_random_int_hash);
+	int ret;
+
+	keyptr = get_keyptr();
+	hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;
+
+	ret = half_md4_transform(hash, keyptr->secret);
+	put_cpu_var(get_random_int_hash);
+
+	return ret;
 }
 
 /*

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Thu, May 07, 2009 at 05:02:31PM +0200, Ingo Molnar wrote:
> 
> * Matt Mackall <mpm@selenic.com> wrote:
> 
> > On Wed, May 06, 2009 at 12:57:17PM -0500, Matt Mackall wrote:
> > > On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
> > > > 
> > > > Matt, are you willing to ack my suggested patch which adds history to the 
> > > > mix? Did somebody test that? I have this memory of there being an 
> > > > "exploit" program to show the non-randomness of the values, but I can't 
> > > > recall details, and would really want to get a second opinion from 
> > > > somebody who cares about PRNG's.
> > > 
> > > I still don't like it. I bounced it off some folks on the adversarial
> > > side of things and they didn't think it looked strong enough either.
> > > Full MD5 collisions can be generated about as fast as they can be
> > > checked, which makes _reduced strength_ MD4 not much better than an
> > > LFSR in terms of attack potential. So I suggest we either:
> > > 
> > > a) take my original patch 
> > > b) respin your patch using at least SHA1 rather than halfMD4 and
> > > changing the name to get_random_u32
> > > 
> > > If you'd prefer (b), I'll do the legwork.
> > 
> > I've done some basic benchmarks on the primitives here in userspace:
> > 
> > halfMD4 get_random_int: about .326us per call or 12.2MB/s
> > sha1 get_random_int: about .660us per call or 6.1MB/s
> > dd /dev/urandom: 3.6MB/s
> > 
> > So I think the SHA1 solution is quite competitive on the 
> > performance front with far fewer concerns about its strength. I'll 
> > spin a proper patch tomorrow.
> 
> Hm, i'm not happy about that at all - that's like a ~2000 cycles 
> cost, probably fully cached! Do you have cache-cold numbers as well?

No, but you're free to benchmark my forthcoming patch. Given that I
haven't heard of anyone complaining about performance regressions in
exec() from the introduction of ASLR (nor can I find any on Google),
I've assumed doubling the RNG overhead would continue to remain in the
noise.

>  aldebaran:~/l> ./lat_proc fork
>  Process fork+exit: 61.7865 microseconds

Uh, what? There's no exec() involved in fork+exit, so hopefully ASLR
doesn't decide to make an appearance.

> As i mentioned it in the previous mail, i'd _really_ like to hear 
> your thread model and attack vector description. Does this overhead 
> justify the threat? Your change will only result in get_random_int() 
> not being considered fast anymore.

My threat model is that someone more clever and with a lot more
expertise attacking systems than either you or me will be able to
leverage the extreme weakness of this hash (O(1) attacks against the
*full* version!) into an attack that incrementally exposes the hidden
RNG state. I've asked a couple such people whether they think that's
likely, and they've said yes.

In fact, it's been known for over a decade that reduced-round MD4 such
as ours is *not one way* and that preimages (aka our hidden state) can
be found in less than an hour on a *mid-90s era PC*:

http://citeseer.ist.psu.edu/old/182935.html

Combine that with greatly improved techniques for attacking hashes in
the MD4 family in the last five years and you're probably looking at
less than a second of CPU time. Combine that with the fact that we're
using the hash in a feedback mode, and things only get easier.

On the question of 'what if we add in the TSC?', I'd first say (a) we
can't and shouldn't assume a TSC is available, though we certainly
should use it if it is. Second I'd say that there are numerous timing
attacks that have been done that suggest that guessing the TSC can be
done with useful probability. For instance, see the branch prediction
attacks against AES and RSA.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> >  aldebaran:~/l> ./lat_proc fork
> >  Process fork+exit: 61.7865 microseconds
> 
> Uh, what? There's no exec() involved in fork+exit, so hopefully 
> ASLR doesn't decide to make an appearance.

We use it to seed the per task stackprotector secret. Look for 
get_random_int() in kernel/fork.c.

(
  Now, if get_random_int() slows down we could certainly water that 
  down and have a system-wide secret and some easy and fast 
  long-cycle permutation code to make it not so easy to figure out 
  the core secret from a kernel crash signature.

  [ Alas, that might be worth doing in any case - to not have 
    get_random_int() in the clone() / pthread_create() fastpath. ]

  We really need a design decision there - if get_random_int() is 
  supposed to be a mathematically safe hash, ignoring the physics of 
  the world, then we need a separate get_random_int_fast() API or 
  so. All current users of get_random_int() will evaporate as well. 
)

	Ingo

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> > As i mentioned it in the previous mail, i'd _really_ like to 
> > hear your thread model and attack vector description. Does this 
> > overhead justify the threat? Your change will only result in 
> > get_random_int() not being considered fast anymore.
> 
> My threat model is that someone more clever and with a lot more 
> expertise attacking systems than either you or me will be able to 
> leverage the extreme weakness of this hash (O(1) attacks against 
> the *full* version!) into an attack that incrementally exposes the 
> hidden RNG state. I've asked a couple such people whether they 
> think that's likely, and they've said yes.

My question was whether the variant laced with the cycle counter 
could be exposable.

I'd say that's almost impossible physically, in all but the most 
trivial cases. Yes, you can do it with a static PRNG and a static 
pool, but neither pool is static in reality (irqs are coming in all 
the time) nor is the cycle counter static. The cycle counter will 
mix in things like cache miss delays.

You need a really, really fast probe and a really quiet system to 
pull off a statistical attack like that. In all other realistic 
cases you have to play catch-up with the current state of the pool, 
trying to guess it. And even if you have a reasonably good idea 
about it, there's no _guarantee_ that your guess about the pool's 
state is when a critical context you'd like to attack seeds its ASLR 
or whatever other secret state.

> In fact, it's been known for over a decade that reduced-round MD4 
> such as ours is *not one way* and that preimages (aka our hidden 
> state) can be found in less than an hour on a *mid-90s era PC*:
> 
> http://citeseer.ist.psu.edu/old/182935.html

But that is completely inapposite to the PRNG i posted. Getting to 
preimage in a static MD4 hash where you have a reasonable number of 
probes right after the unknown result is possible.

Eliminating cycle counter noise out of a _static_ secret permutated 
via a PRNG is probably also possible, if the probe can be done 
faster than the natural noise level of the cycle counter is.

_Combining_ the two and attacking _that_ (combined with the addition 
of jiffies and a kernel stack address) - seems close to impossible 
to me. You'd have to guess the precise cycle counter value at the 
point of the hashing, and your samples wont help with that. They 
might give an estimation, but that's really what ASLR is about: the 
moment an attack isnt 100% sure, other measures (such as crash 
monitoring) can save the day.

The really serious attackers avoid uncertainty like the plague. 

It's the same reason why three letter agencies rather drop slam-dunk 
court cases than expose their sources and methods. A failed attack 
against a system exposes the attack and since the attack failed, 
there's no way to erase traces of the attack.

Furthermore, ASLR is mostly about changing the dynamics of worm 
attacks via the network. If an attack has only a 10% chance to 
succeed, that might break the propagation dynamics of a worm. So 
just a handful of bits are enough there.

> Combine that with greatly improved techniques for attacking hashes 
> in the MD4 family in the last five years and you're probably 
> looking at less than a second of CPU time. Combine that with the 
> fact that we're using the hash in a feedback mode, and things only 
> get easier.
> 
> On the question of 'what if we add in the TSC?', I'd first say (a) 
> we can't and shouldn't assume a TSC is available, though we 
> certainly should use it if it is. Second I'd say that there are 
> numerous timing attacks that have been done that suggest that 
> guessing the TSC can be done with useful probability. For 
> instance, see the branch prediction attacks against AES and RSA.

That is something completely different again, and i'm not sure 
whether you are trolling here or not...

Branch prediction attacks against AES and RSA are _completely 
different_ and the TSC connection is only there in name. They are 
about using timing as a _sample_ of the secret state and its effects 
on runtime.

Here the TSC is taken once, and mixed. _This_ TSC is not taken ever 
again, nor saved. There's no statistical method to recover it! You 
might know it up to a certain precision if you are lucky and can run 
right after the call, but a couple of bits of true randomness will 
be there for sure. In most cases more than a coupleof bits - an exec 
takes 200-300 usecs and you have to run on that same CPU - so to get 
a sample you have to go back almost 1 million TSC cycles ... That's 
20 bits of TSC space.

	Ingo

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Thu, May 07, 2009 at 08:41:36PM +0200, Ingo Molnar wrote:
> 
> * Matt Mackall <mpm@selenic.com> wrote:
> 
> > > As i mentioned it in the previous mail, i'd _really_ like to 
> > > hear your thread model and attack vector description. Does this 
> > > overhead justify the threat? Your change will only result in 
> > > get_random_int() not being considered fast anymore.
> > 
> > My threat model is that someone more clever and with a lot more 
> > expertise attacking systems than either you or me will be able to 
> > leverage the extreme weakness of this hash (O(1) attacks against 
> > the *full* version!) into an attack that incrementally exposes the 
> > hidden RNG state. I've asked a couple such people whether they 
> > think that's likely, and they've said yes.
> 
> My question was whether the variant laced with the cycle counter 
> could be exposable.

In my world, some machines don't have TSCs, so I think this is the
wrong question to be asking.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Florian Weimer]

* Matt Mackall:

> On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
>> 
>> Matt, are you willing to ack my suggested patch which adds history to the 
>> mix? Did somebody test that? I have this memory of there being an 
>> "exploit" program to show the non-randomness of the values, but I can't 
>> recall details, and would really want to get a second opinion from 
>> somebody who cares about PRNG's.
>
> I still don't like it. I bounced it off some folks on the adversarial
> side of things and they didn't think it looked strong enough either.
> Full MD5 collisions can be generated about as fast as they can be
> checked, which makes _reduced strength_ MD4 not much better than an
> LFSR in terms of attack potential.

Well, with periodic reseeding, even that shouldn't be a problem.  You
don't need collision resistance at all, so those MD5 attacks don't
tell you anything about the difficulty of state recovery/prediction
attacks on your variant.  (The trouble with hash functions is that
they haven't got any secrets to work from.  With seeded PRNGs, this is
obviously different.)

On the other hand, most people who need a quick, unpredictable source
of randomness seem to use RC4 with a random key initialized from a
more costly source.  (If you're paranoid, you should discard the first
few hundred bytes.)  The nice thing is that you can use a well-tested
primitive, unchanged, so it's easier to avoid nasty suprises.

Oh, and you should really, really ditch that Tausworthe generator (in
lib/random32.c).

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Thu, May 07, 2009 at 05:16:27PM +0200, Florian Weimer wrote:
> * Matt Mackall:
> 
> > On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
> >> 
> >> Matt, are you willing to ack my suggested patch which adds history to the 
> >> mix? Did somebody test that? I have this memory of there being an 
> >> "exploit" program to show the non-randomness of the values, but I can't 
> >> recall details, and would really want to get a second opinion from 
> >> somebody who cares about PRNG's.
> >
> > I still don't like it. I bounced it off some folks on the adversarial
> > side of things and they didn't think it looked strong enough either.
> > Full MD5 collisions can be generated about as fast as they can be
> > checked, which makes _reduced strength_ MD4 not much better than an
> > LFSR in terms of attack potential.
> 
> Well, with periodic reseeding, even that shouldn't be a problem.  You
> don't need collision resistance at all, so those MD5 attacks don't
> tell you anything about the difficulty of state recovery/prediction
> attacks on your variant.

It's *not* MD5. It's a reduced-round MD4. And MD4 is already many
orders of magnitude weaker than MD5. It's so weak in fact that
collisions can be generated in O(1)[1]. Hard to get much weaker than
that, except by, say, using something like our reduced-round variant.

It's not much of a stretch of the imagination to think that such an
amazingly weak hash might reveal our hidden state quite rapidly,
especially when used in a feedback mode.

[1] http://eprint.iacr.org/2005/151.pdf

We have a better hash function handy, and it's only takes twice as long.

> On the other hand, most people who need a quick, unpredictable source
> of randomness seem to use RC4 with a random key initialized from a
> more costly source.

Using a stream cipher is a fine idea. Ted and I have recently
discussed adding this as a layer to the stock RNG. We haven't used it
historically because of a) export restrictions and b) unsuitability of
the cryptoapi interface.

> Oh, and you should really, really ditch that Tausworthe generator (in
> lib/random32.c).

I'm not responsible for that particular bad idea.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Linus Torvalds]

On Thu, 7 May 2009, Matt Mackall wrote:
> 
> We have a better hash function handy, and it's only takes twice as long.

Matt, I really don't like your notion of "only twice as long".

I mean, really. In the kernel, we tend to never even talk about how many 
_times_ slower something is. We talk about cycles or small percentages.

The fact is, the current "get_random_int()" is a joke, and will return the 
same value over and over again for long stretches of time. I mean, really. 
Even people who don't care a lot would expect more than _that_ out of a 
PRNG.

And quite frankly, a lot of the users of get_random_int() probably use it 
not as some crypto function, but as a replacement for not having to write 
their own copy of some standard PRNG linear congruential generator.

I mean, really. The virtual address randomization was never meant to be 
"cryptographically secure" in that sense. Dammit, look at the code: it 
only takes something like 8 bits of the results _anyway_.

In other words, YOUR WHOLE ARGUMENT IS TOTALLY INSANE. You talk about 
"cryptographically secure hashes" for some 8-bit value. Listen to 
yourself. At that point, any cryptographer will just ridicule you. There's 
no point in trying to break the randomness, because you'll be much better 
off just trying a lot of different values.

So Matt, get with the program already. Don't ignore the performance 
argument by saying "it's only twice as slow". Admit it - that's just 
idiotic.

If somebody _really_ wants true randomness, teach them to use 
"get_random_bytes()" by all means. 

			Linus

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Thu, May 07, 2009 at 10:53:49AM -0700, Linus Torvalds wrote:
> So Matt, get with the program already. Don't ignore the performance 
> argument by saying "it's only twice as slow". Admit it - that's just 
> idiotic.

If you want to take it out of random.c and put it in pinhead-rng.c, be
my guest. I'm not going to put my Acked-by on it.

-- 
Mathematics is the supreme nostalgia of our time.

[patch] random: make get_random_int() more random

[Ingo Molnar]

[-- Attachment #1: Type: text/plain, Size: 6405 bytes --]


* Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Wed, 6 May 2009, Matt Mackall wrote:
> 
> > On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
>
> > > (Also, obviously "only" covering 95% of the Linux systems has 
> > > its use as well. Most other architectures have their own cycle 
> > > counters as well.)
> > 
> > X86 might be 95% of desktop. But it's a small fraction of Linux 
> > systems once you count cell phones, video players, TVs, cameras, 
> > GPS devices, cars, routers, etc. almost none of which are 
> > x86-based. In fact, just Linux cell phones (with about an 8% 
> > share of a 1.2billion devices per year market) dwarf Linux 
> > desktops (maybe 5% of a 200m/y market).
> 
> Matt, are you willing to ack my suggested patch which adds history 
> to the mix? Did somebody test that? I have this memory of there 
> being an "exploit" program to show the non-randomness of the 
> values, but I can't recall details, and would really want to get a 
> second opinion from somebody who cares about PRNG's.

I tested it, and besides booting up fine, i also tested the 
get_random_int() randomness. I did this by adding this quick 
trace_printk() line:

   trace_printk("get_random_int(): %08x\n", get_random_int());

to sys_prctl() and triggered sys_prctl() in a loop, which gave a 
list of get_random_int() numbers:

# tracer: nop
#
#           TASK-PID    CPU#    TIMESTAMP  FUNCTION
#              | |	 |          |         |
           <...>-6288  [000]   618.151323: sys_prctl: get_random_int(): 2e927f66
           <...>-6290  [000]   618.152924: sys_prctl: get_random_int(): d210df1f
           <...>-6293  [000]   618.155326: sys_prctl: get_random_int(): 753ad860
           <...>-6295  [000]   618.156939: sys_prctl: get_random_int(): c74d935f
           <...>-6298  [000]   618.159334: sys_prctl: get_random_int(): bb4e7597
           <...>-6300  [000]   618.160936: sys_prctl: get_random_int(): b0119885
           <...>-6303  [000]   618.163331: sys_prctl: get_random_int(): 093f5c70

Full list attached.

I then wrote a quick script to write those numbers out into a 
continous binary file (result also attached).

I then ran the FIPS randomness test over the first 20,000 bits [2.5K 
data], which it passed:

rngtest: bits received from input: 20064
rngtest: bits sent to output: 20000
rngtest: FIPS 140-2 successes: 1
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=3.104; avg=3.104; max=3.104)Gibits/s
rngtest: FIPS tests speed: (min=110.892; avg=110.892; max=110.892)Mibits/s
rngtest: output channel speed: (min=544.957; avg=544.957; max=544.957)Mibits/s
rngtest: Program run time: 294 microseconds

So it looks good enough - that's a sample of 800+ pseudo-random 
integers.

I also modified your patch to include two more random sources, 
get_cycles() [which all 22 architectures define - albeit not all 
have the hw to actually do fine-grained cycle counts - so for some 
it's always-zero or a low-res return value], plus a kernel stack 
address.

The relevant line is:

+	hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;

The argument is that the more layers we have here, the harder it 
becomes to _reliably_ attack a given system. Works-100%-sure is an 
important prize for certain types of attackers - and with the cycle 
counter, jiffies, PID and a kernel address all mixed in that becomes 
quite hard to achieve.

I tested this too - it also results in good random numbers. Find the 
patch below.

	Ingo


--------------->
Subject: random: make get_random_int() more random
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 5 May 2009 08:17:43 -0700 (PDT)

It's a really simple patch that basically just open-codes the current
"secure_ip_id()" call, but when open-coding it we now use a _static_
hashing area, so that it gets updated every time.

And to make sure somebody can't just start from the same original seed of
all-zeroes, and then do the "half_md4_transform()" over and over until
they get the same sequence as the kernel has, each iteration also mixes in
the same old "current->pid + jiffies" we used - so we should now have a
regular strong pseudo-number generator, but we also have one that doesn't
have a single seed.

Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It
has no real meaning. It could be anything. I just picked the previous
seed, it's just that now we keep the state in between calls and that will
feed into the next result, and that should make all the difference.

I made that hash be a per-cpu data just to avoid cache-line ping-pong:
having multiple CPU's write to the same data would be fine for randomness,
and add yet another layer of chaos to it, but since get_random_int() is
supposed to be a fast interface I did it that way instead. I considered
using "__raw_get_cpu_var()" to avoid any preemption overhead while still
getting the hash be _mostly_ ping-pong free, but in the end good taste won
out.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
 drivers/char/random.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

Index: linux/drivers/char/random.c
===================================================================
--- linux.orig/drivers/char/random.c
+++ linux/drivers/char/random.c
@@ -1665,15 +1665,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_numbe
  * value is not cryptographically secure but for several uses the cost of
  * depleting entropy is too high
  */
+DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
 unsigned int get_random_int(void)
 {
-	/*
-	 * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
-	 * every second, from the entropy pool (and thus creates a limited
-	 * drain on it), and uses halfMD4Transform within the second. We
-	 * also mix it with jiffies and the PID:
-	 */
-	return secure_ip_id((__force __be32)(current->pid + jiffies));
+	struct keydata *keyptr;
+	__u32 *hash = get_cpu_var(get_random_int_hash);
+	int ret;
+
+	keyptr = get_keyptr();
+	hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;
+
+	ret = half_md4_transform(hash, keyptr->secret);
+	put_cpu_var(get_random_int_hash);
+
+	return ret;
 }
 
 /*

[-- Attachment #2: trace.txt --]
[-- Type: text/plain, Size: 69456 bytes --]

# tracer: nop
#
#           TASK-PID    CPU#    TIMESTAMP  FUNCTION
#              | |       |          |         |
           <...>-6288  [000]   618.151323: sys_prctl: get_random_int(): 2e927f66
           <...>-6290  [000]   618.152924: sys_prctl: get_random_int(): d210df1f
           <...>-6293  [000]   618.155326: sys_prctl: get_random_int(): 753ad860
           <...>-6295  [000]   618.156939: sys_prctl: get_random_int(): c74d935f
           <...>-6298  [000]   618.159334: sys_prctl: get_random_int(): bb4e7597
           <...>-6300  [000]   618.160936: sys_prctl: get_random_int(): b0119885
           <...>-6303  [000]   618.163331: sys_prctl: get_random_int(): 093f5c70
           <...>-6305  [000]   618.164932: sys_prctl: get_random_int(): 041237bf
           <...>-6308  [000]   618.167334: sys_prctl: get_random_int(): 8728717c
           <...>-6310  [000]   618.168933: sys_prctl: get_random_int(): b4f8ee5b
           <...>-6313  [000]   618.171332: sys_prctl: get_random_int(): c878732e
           <...>-6315  [000]   618.172896: sys_prctl: get_random_int(): 3c4f8609
           <...>-6318  [000]   618.175359: sys_prctl: get_random_int(): 95e66917
           <...>-6320  [000]   618.176919: sys_prctl: get_random_int(): 5c15d7f7
           <...>-6323  [000]   618.179312: sys_prctl: get_random_int(): a30704fa
           <...>-6325  [000]   618.180912: sys_prctl: get_random_int(): 833942d7
           <...>-6328  [000]   618.183313: sys_prctl: get_random_int(): a98634cc
           <...>-6330  [000]   618.184916: sys_prctl: get_random_int(): 66ac3dc9
           <...>-6333  [000]   618.187313: sys_prctl: get_random_int(): 5465b8d1
           <...>-6335  [000]   618.188913: sys_prctl: get_random_int(): d1904f92
           <...>-6338  [000]   618.191316: sys_prctl: get_random_int(): 8092c0b0
           <...>-6340  [000]   618.192916: sys_prctl: get_random_int(): faa7ea03
           <...>-6343  [000]   618.195317: sys_prctl: get_random_int(): 63f1d4b7
           <...>-6345  [000]   618.196922: sys_prctl: get_random_int(): 7a253bca
           <...>-6348  [000]   618.199322: sys_prctl: get_random_int(): 6cee3879
           <...>-6350  [000]   618.200923: sys_prctl: get_random_int(): 620ed75d
           <...>-6353  [000]   618.203325: sys_prctl: get_random_int(): 787c8fab
           <...>-6355  [000]   618.204927: sys_prctl: get_random_int(): 8038f759
           <...>-6358  [000]   618.207329: sys_prctl: get_random_int(): 219875ef
           <...>-6360  [000]   618.208891: sys_prctl: get_random_int(): e6dcad80
           <...>-6363  [000]   618.211339: sys_prctl: get_random_int(): dedfa120
           <...>-6365  [000]   618.212897: sys_prctl: get_random_int(): 899bb25f
           <...>-6368  [000]   618.215346: sys_prctl: get_random_int(): 5a2b5077
           <...>-6370  [000]   618.216908: sys_prctl: get_random_int(): 17f0fd44
           <...>-6373  [000]   618.219304: sys_prctl: get_random_int(): 7166a01b
           <...>-6375  [000]   618.220903: sys_prctl: get_random_int(): 2ea8f988
           <...>-6378  [000]   618.223302: sys_prctl: get_random_int(): f05b68a3
           <...>-6380  [000]   618.224904: sys_prctl: get_random_int(): e98e5fda
           <...>-6383  [000]   618.227306: sys_prctl: get_random_int(): d8e1b0b3
           <...>-6385  [000]   618.228907: sys_prctl: get_random_int(): 13fe3c99
           <...>-6388  [000]   618.231306: sys_prctl: get_random_int(): 8f0ffc91
           <...>-6390  [000]   618.232905: sys_prctl: get_random_int(): ea19eb37
           <...>-6393  [000]   618.235301: sys_prctl: get_random_int(): ccaea83d
           <...>-6395  [000]   618.236909: sys_prctl: get_random_int(): f69c6429
           <...>-6398  [000]   618.239311: sys_prctl: get_random_int(): 2135f269
           <...>-6400  [000]   618.240908: sys_prctl: get_random_int(): 60b8f110
           <...>-6403  [000]   618.243307: sys_prctl: get_random_int(): 17bb9c58
           <...>-6405  [000]   618.244905: sys_prctl: get_random_int(): 8b70e834
           <...>-6408  [000]   618.247302: sys_prctl: get_random_int(): 0396b347
           <...>-6410  [000]   618.248902: sys_prctl: get_random_int(): 86fd4976
           <...>-6413  [000]   618.251296: sys_prctl: get_random_int(): c23c28fd
           <...>-6415  [000]   618.252898: sys_prctl: get_random_int(): c32ffbd7
           <...>-6418  [000]   618.255296: sys_prctl: get_random_int(): 9684d604
           <...>-6420  [000]   618.256907: sys_prctl: get_random_int(): 0e4ccfd3
           <...>-6423  [000]   618.259307: sys_prctl: get_random_int(): ccd69363
           <...>-6425  [000]   618.260910: sys_prctl: get_random_int(): 07993743
           <...>-6428  [000]   618.263309: sys_prctl: get_random_int(): 9f06ba45
           <...>-6430  [000]   618.264873: sys_prctl: get_random_int(): 0dff796c
           <...>-6433  [000]   618.267322: sys_prctl: get_random_int(): 0de2019c
           <...>-6435  [000]   618.268877: sys_prctl: get_random_int(): b8e20895
##### CPU 1 buffer started ####
           <...>-6436  [001]   618.269711: sys_prctl: get_random_int(): 12c85f9d
           <...>-6437  [001]   618.270533: sys_prctl: get_random_int(): 42b96af6
           <...>-6438  [000]   618.271331: sys_prctl: get_random_int(): b60ed1b9
           <...>-6439  [001]   618.272099: sys_prctl: get_random_int(): 3aca8780
           <...>-6440  [000]   618.272884: sys_prctl: get_random_int(): 7b624df1
           <...>-6441  [001]   618.273714: sys_prctl: get_random_int(): 1d82f78b
           <...>-6442  [001]   618.274541: sys_prctl: get_random_int(): 99c1f14b
           <...>-6443  [000]   618.275332: sys_prctl: get_random_int(): 87e1ab89
           <...>-6444  [001]   618.276104: sys_prctl: get_random_int(): a13a6dd2
           <...>-6445  [000]   618.276895: sys_prctl: get_random_int(): a544ec7f
           <...>-6446  [001]   618.277716: sys_prctl: get_random_int(): fa9bbb74
           <...>-6447  [001]   618.278528: sys_prctl: get_random_int(): 30a47646
           <...>-6448  [000]   618.279288: sys_prctl: get_random_int(): 045208d2
           <...>-6449  [001]   618.280062: sys_prctl: get_random_int(): 0961aeb0
           <...>-6450  [000]   618.280894: sys_prctl: get_random_int(): 00d85257
           <...>-6451  [001]   618.281720: sys_prctl: get_random_int(): 7c702f29
           <...>-6452  [001]   618.282532: sys_prctl: get_random_int(): 688eaef9
           <...>-6453  [000]   618.283292: sys_prctl: get_random_int(): 493d53bb
           <...>-6454  [001]   618.284068: sys_prctl: get_random_int(): ba3251b8
           <...>-6455  [000]   618.284891: sys_prctl: get_random_int(): 34b9a5c7
           <...>-6456  [001]   618.285718: sys_prctl: get_random_int(): 188017a9
           <...>-6457  [001]   618.286527: sys_prctl: get_random_int(): 1c3a0cb0
           <...>-6458  [000]   618.287289: sys_prctl: get_random_int(): 66a10117
           <...>-6459  [001]   618.288065: sys_prctl: get_random_int(): 407df3e2
           <...>-6460  [000]   618.288894: sys_prctl: get_random_int(): dfddbea1
           <...>-6461  [001]   618.289717: sys_prctl: get_random_int(): 02a0398a
           <...>-6462  [001]   618.290530: sys_prctl: get_random_int(): ec8b8202
           <...>-6463  [000]   618.291288: sys_prctl: get_random_int(): 1b365cb7
           <...>-6464  [001]   618.292065: sys_prctl: get_random_int(): 7f0cceab
           <...>-6465  [000]   618.292893: sys_prctl: get_random_int(): 396d09da
           <...>-6466  [001]   618.293724: sys_prctl: get_random_int(): 1f004b43
           <...>-6467  [001]   618.294531: sys_prctl: get_random_int(): e56dd2f4
           <...>-6468  [000]   618.295293: sys_prctl: get_random_int(): 6465e491
           <...>-6469  [001]   618.296066: sys_prctl: get_random_int(): 9b972df1
           <...>-6470  [000]   618.296903: sys_prctl: get_random_int(): 8cc79c95
           <...>-6471  [001]   618.297726: sys_prctl: get_random_int(): fc60fce0
           <...>-6472  [001]   618.298539: sys_prctl: get_random_int(): 1c8479bf
           <...>-6473  [000]   618.299301: sys_prctl: get_random_int(): 9e943447
           <...>-6474  [001]   618.300077: sys_prctl: get_random_int(): c4839a07
           <...>-6475  [000]   618.300864: sys_prctl: get_random_int(): 25de1a81
           <...>-6476  [001]   618.301701: sys_prctl: get_random_int(): b533b223
           <...>-6477  [001]   618.302520: sys_prctl: get_random_int(): ecc3e97c
           <...>-6478  [000]   618.303315: sys_prctl: get_random_int(): 661be53c
           <...>-6479  [001]   618.304081: sys_prctl: get_random_int(): 81cdfc85
           <...>-6480  [000]   618.304870: sys_prctl: get_random_int(): 5438b5b1
           <...>-6481  [001]   618.305699: sys_prctl: get_random_int(): 826892ca
           <...>-6482  [001]   618.306526: sys_prctl: get_random_int(): eebb7b17
           <...>-6483  [000]   618.307318: sys_prctl: get_random_int(): 14078113
           <...>-6484  [001]   618.308088: sys_prctl: get_random_int(): abec8b64
           <...>-6485  [000]   618.308870: sys_prctl: get_random_int(): 6c8cb64a
           <...>-6486  [001]   618.309700: sys_prctl: get_random_int(): 1dcf996b
           <...>-6487  [001]   618.310523: sys_prctl: get_random_int(): f8dba2c0
           <...>-6488  [000]   618.311318: sys_prctl: get_random_int(): 2c1b9de7
           <...>-6489  [001]   618.312087: sys_prctl: get_random_int(): 529d827e
           <...>-6490  [000]   618.312874: sys_prctl: get_random_int(): ecd9b61d
           <...>-6491  [001]   618.313701: sys_prctl: get_random_int(): 668b9131
           <...>-6492  [001]   618.314521: sys_prctl: get_random_int(): e58c1182
           <...>-6493  [000]   618.315313: sys_prctl: get_random_int(): 00665371
           <...>-6495  [001]   618.316084: sys_prctl: get_random_int(): e1276ba5
           <...>-6496  [000]   618.316878: sys_prctl: get_random_int(): 948ce25a
           <...>-6497  [000]   618.317687: sys_prctl: get_random_int(): 631b0721
           <...>-6498  [001]   618.318479: sys_prctl: get_random_int(): bdff921d
           <...>-6499  [000]   618.319267: sys_prctl: get_random_int(): 0e461156
           <...>-6500  [001]   618.320035: sys_prctl: get_random_int(): 9fded75e
           <...>-6501  [000]   618.320865: sys_prctl: get_random_int(): 86c92499
           <...>-6502  [001]   618.321702: sys_prctl: get_random_int(): 27cd1b43
           <...>-6503  [001]   618.322520: sys_prctl: get_random_int(): e936bfeb
           <...>-6504  [000]   618.323318: sys_prctl: get_random_int(): d4f80d3c
           <...>-6505  [001]   618.324093: sys_prctl: get_random_int(): 9078a28d
           <...>-6506  [000]   618.324874: sys_prctl: get_random_int(): 25da7a03
           <...>-6507  [000]   618.325682: sys_prctl: get_random_int(): abfa7aa7
           <...>-6508  [001]   618.326475: sys_prctl: get_random_int(): 71b9ee23
           <...>-6509  [000]   618.327262: sys_prctl: get_random_int(): ccb7748d
           <...>-6510  [001]   618.328028: sys_prctl: get_random_int(): de59bd2d
           <...>-6511  [000]   618.328854: sys_prctl: get_random_int(): 4dfae3d0
           <...>-6512  [001]   618.329689: sys_prctl: get_random_int(): 1bcb042f
           <...>-6513  [001]   618.330512: sys_prctl: get_random_int(): 7daa6fdc
           <...>-6514  [000]   618.331306: sys_prctl: get_random_int(): 4a679714
           <...>-6515  [001]   618.332080: sys_prctl: get_random_int(): fe7eb37a
           <...>-6516  [000]   618.332865: sys_prctl: get_random_int(): 7267041c
           <...>-6517  [001]   618.333695: sys_prctl: get_random_int(): b2534334
           <...>-6518  [001]   618.334517: sys_prctl: get_random_int(): c6fc1f18
           <...>-6519  [000]   618.335316: sys_prctl: get_random_int(): 1b2c28c3
           <...>-6520  [001]   618.336084: sys_prctl: get_random_int(): 564f4cff
           <...>-6521  [000]   618.336879: sys_prctl: get_random_int(): e04bf4d1
           <...>-6522  [001]   618.337697: sys_prctl: get_random_int(): 48fc821b
           <...>-6523  [001]   618.338508: sys_prctl: get_random_int(): 36a9b920
           <...>-6524  [000]   618.339269: sys_prctl: get_random_int(): 713d7f6c
           <...>-6525  [001]   618.340043: sys_prctl: get_random_int(): 0ca1b588
           <...>-6526  [000]   618.340871: sys_prctl: get_random_int(): dc392ac5
           <...>-6527  [001]   618.341698: sys_prctl: get_random_int(): 96f4e601
           <...>-6528  [001]   618.342505: sys_prctl: get_random_int(): 7a88ba59
           <...>-6529  [000]   618.343268: sys_prctl: get_random_int(): a7bb7767
           <...>-6530  [001]   618.344042: sys_prctl: get_random_int(): 40b2246c
           <...>-6531  [000]   618.344871: sys_prctl: get_random_int(): 4cf2c778
           <...>-6532  [001]   618.345697: sys_prctl: get_random_int(): 27ce9238
           <...>-6533  [001]   618.346506: sys_prctl: get_random_int(): 82ab97f0
           <...>-6534  [000]   618.347265: sys_prctl: get_random_int(): 0a0af689
           <...>-6535  [001]   618.348042: sys_prctl: get_random_int(): 33ebb048
           <...>-6536  [000]   618.348868: sys_prctl: get_random_int(): 673ca6ef
           <...>-6537  [001]   618.349697: sys_prctl: get_random_int(): 43d8cfc5
           <...>-6538  [001]   618.350504: sys_prctl: get_random_int(): 660c45eb
           <...>-6539  [000]   618.351270: sys_prctl: get_random_int(): 7bdd2fc3
           <...>-6540  [001]   618.352043: sys_prctl: get_random_int(): 42f01405
           <...>-6541  [000]   618.352871: sys_prctl: get_random_int(): 87804684
           <...>-6542  [001]   618.353697: sys_prctl: get_random_int(): 4420e5c6
           <...>-6543  [001]   618.354509: sys_prctl: get_random_int(): ccd3fdba
           <...>-6544  [000]   618.355272: sys_prctl: get_random_int(): 878818a1
           <...>-6545  [001]   618.356045: sys_prctl: get_random_int(): daa3e3d0
           <...>-6546  [000]   618.356877: sys_prctl: get_random_int(): fbba68c2
           <...>-6547  [001]   618.357709: sys_prctl: get_random_int(): 81cbc31a
           <...>-6548  [001]   618.358518: sys_prctl: get_random_int(): e9a915e8
           <...>-6549  [000]   618.359285: sys_prctl: get_random_int(): efc5e143
           <...>-6550  [001]   618.360058: sys_prctl: get_random_int(): 1a08e4d7
           <...>-6551  [000]   618.360847: sys_prctl: get_random_int(): dc1e5771
           <...>-6552  [001]   618.361683: sys_prctl: get_random_int(): 22f974c9
           <...>-6553  [001]   618.362508: sys_prctl: get_random_int(): 6ca9ef3e
           <...>-6554  [000]   618.363302: sys_prctl: get_random_int(): 68eadff1
           <...>-6555  [001]   618.364075: sys_prctl: get_random_int(): 8b316b62
           <...>-6556  [000]   618.364858: sys_prctl: get_random_int(): 4dd386af
           <...>-6557  [001]   618.365690: sys_prctl: get_random_int(): 3ff6a8d7
           <...>-6558  [001]   618.366511: sys_prctl: get_random_int(): 152dd46e
           <...>-6559  [000]   618.367307: sys_prctl: get_random_int(): d28a6969
           <...>-6560  [001]   618.368075: sys_prctl: get_random_int(): 6966cb70
           <...>-6561  [000]   618.368863: sys_prctl: get_random_int(): 43421f85
           <...>-6562  [001]   618.369691: sys_prctl: get_random_int(): 3eb089a8
           <...>-6563  [001]   618.370514: sys_prctl: get_random_int(): 47079d75
           <...>-6564  [000]   618.371306: sys_prctl: get_random_int(): d5c2d282
           <...>-6565  [001]   618.372081: sys_prctl: get_random_int(): 4717efcb
           <...>-6566  [000]   618.372861: sys_prctl: get_random_int(): 25bc29de
           <...>-6567  [000]   618.373670: sys_prctl: get_random_int(): 978343b9
           <...>-6568  [001]   618.374462: sys_prctl: get_random_int(): 62b050be
           <...>-6569  [000]   618.375248: sys_prctl: get_random_int(): fc244f6d
           <...>-6570  [001]   618.376013: sys_prctl: get_random_int(): 1d03388f
           <...>-6571  [000]   618.376844: sys_prctl: get_random_int(): 990deb4b
           <...>-6572  [001]   618.377681: sys_prctl: get_random_int(): 8792427b
           <...>-6573  [001]   618.378507: sys_prctl: get_random_int(): 2344aad3
           <...>-6574  [000]   618.379300: sys_prctl: get_random_int(): 09d99c1c
           <...>-6575  [001]   618.380076: sys_prctl: get_random_int(): b867abae
           <...>-6576  [000]   618.380858: sys_prctl: get_random_int(): 441247c7
           <...>-6577  [000]   618.381668: sys_prctl: get_random_int(): 7022da76
           <...>-6578  [001]   618.382458: sys_prctl: get_random_int(): 6fe33d66
           <...>-6579  [000]   618.383244: sys_prctl: get_random_int(): f813204d
           <...>-6580  [001]   618.384015: sys_prctl: get_random_int(): 846cbe62
           <...>-6581  [000]   618.384842: sys_prctl: get_random_int(): 8839869d
           <...>-6582  [001]   618.385678: sys_prctl: get_random_int(): 1d70b5a5
           <...>-6583  [001]   618.386502: sys_prctl: get_random_int(): 99acdef4
           <...>-6584  [000]   618.387295: sys_prctl: get_random_int(): 60906ac6
           <...>-6585  [001]   618.388067: sys_prctl: get_random_int(): 229c161b
           <...>-6586  [000]   618.388848: sys_prctl: get_random_int(): 3258673e
           <...>-6587  [001]   618.389680: sys_prctl: get_random_int(): e08fadeb
           <...>-6588  [001]   618.390503: sys_prctl: get_random_int(): ac81deea
           <...>-6589  [000]   618.391297: sys_prctl: get_random_int(): 045b32e0
           <...>-6590  [001]   618.392062: sys_prctl: get_random_int(): 97ab145c
           <...>-6591  [000]   618.392849: sys_prctl: get_random_int(): feffb0da
           <...>-6592  [001]   618.393677: sys_prctl: get_random_int(): eb410916
           <...>-6593  [001]   618.394505: sys_prctl: get_random_int(): d84fd38a
           <...>-6594  [000]   618.395297: sys_prctl: get_random_int(): 87ac65df
           <...>-6595  [001]   618.396068: sys_prctl: get_random_int(): d05ab32c
           <...>-6596  [000]   618.396859: sys_prctl: get_random_int(): 591cc16a
           <...>-6597  [001]   618.397683: sys_prctl: get_random_int(): a693034a
           <...>-6598  [001]   618.398495: sys_prctl: get_random_int(): 6d777bce
           <...>-6599  [000]   618.399259: sys_prctl: get_random_int(): 5e0a52ed
           <...>-6600  [001]   618.400034: sys_prctl: get_random_int(): 9f031eed
           <...>-6601  [000]   618.400864: sys_prctl: get_random_int(): bae50780
           <...>-6602  [001]   618.401691: sys_prctl: get_random_int(): 399e3738
           <...>-6603  [001]   618.402505: sys_prctl: get_random_int(): 33d5f421
           <...>-6604  [000]   618.403271: sys_prctl: get_random_int(): 1ea06197
           <...>-6605  [001]   618.404049: sys_prctl: get_random_int(): da59ceee
           <...>-6606  [000]   618.404835: sys_prctl: get_random_int(): 17da30f3
           <...>-6607  [001]   618.405674: sys_prctl: get_random_int(): 900ce3c0
           <...>-6608  [001]   618.406494: sys_prctl: get_random_int(): 4fe22655
           <...>-6609  [000]   618.407291: sys_prctl: get_random_int(): ce917e9c
           <...>-6610  [001]   618.408059: sys_prctl: get_random_int(): 68dd1e3f
           <...>-6611  [000]   618.408847: sys_prctl: get_random_int(): 9825a14e
           <...>-6612  [001]   618.409680: sys_prctl: get_random_int(): 2b008372
           <...>-6613  [001]   618.410499: sys_prctl: get_random_int(): 0d46472b
           <...>-6614  [000]   618.411290: sys_prctl: get_random_int(): 9f589c21
           <...>-6615  [001]   618.412061: sys_prctl: get_random_int(): bd6db092
           <...>-6616  [000]   618.412846: sys_prctl: get_random_int(): 13904117
           <...>-6617  [001]   618.413676: sys_prctl: get_random_int(): 152f6a51
           <...>-6618  [001]   618.414504: sys_prctl: get_random_int(): 62beb5a2
           <...>-6619  [000]   618.415300: sys_prctl: get_random_int(): 8e0b0dbc
           <...>-6620  [001]   618.416068: sys_prctl: get_random_int(): f90e4568
           <...>-6621  [000]   618.416864: sys_prctl: get_random_int(): 3abb9894
           <...>-6622  [001]   618.417685: sys_prctl: get_random_int(): 93e79a16
           <...>-6623  [001]   618.418498: sys_prctl: get_random_int(): 382ee7bc
           <...>-6624  [000]   618.419259: sys_prctl: get_random_int(): 1a9e45ba
           <...>-6625  [001]   618.420033: sys_prctl: get_random_int(): 7c3019f8
           <...>-6626  [000]   618.420857: sys_prctl: get_random_int(): 24e5521d
           <...>-6627  [001]   618.421687: sys_prctl: get_random_int(): 0455d756
           <...>-6628  [001]   618.422496: sys_prctl: get_random_int(): d26e2b36
           <...>-6629  [000]   618.423258: sys_prctl: get_random_int(): 076d46b4
           <...>-6630  [001]   618.424030: sys_prctl: get_random_int(): bbf641d9
           <...>-6631  [000]   618.424858: sys_prctl: get_random_int(): cf438890
           <...>-6632  [001]   618.425681: sys_prctl: get_random_int(): a9420abf
           <...>-6633  [001]   618.426490: sys_prctl: get_random_int(): c4f97cc3
           <...>-6634  [000]   618.427252: sys_prctl: get_random_int(): a15afcff
           <...>-6635  [001]   618.428029: sys_prctl: get_random_int(): 6c0fe9df
           <...>-6636  [000]   618.428854: sys_prctl: get_random_int(): 57dd1080
           <...>-6637  [001]   618.429684: sys_prctl: get_random_int(): af1a3406
           <...>-6638  [001]   618.430491: sys_prctl: get_random_int(): a1267ab6
           <...>-6639  [000]   618.431254: sys_prctl: get_random_int(): ee2bac2f
           <...>-6640  [001]   618.432025: sys_prctl: get_random_int(): 83016889
           <...>-6641  [000]   618.432855: sys_prctl: get_random_int(): 2a328efe
           <...>-6642  [001]   618.433680: sys_prctl: get_random_int(): f6d78972
           <...>-6643  [001]   618.434489: sys_prctl: get_random_int(): 8040699c
           <...>-6644  [000]   618.435998: sys_prctl: get_random_int(): 29dc137a
           <...>-6647  [001]   618.437765: sys_prctl: get_random_int(): 64460b77
# tracer: nop
#
#           TASK-PID    CPU#    TIMESTAMP  FUNCTION
#              | |       |          |         |
           <...>-18309 [000]   627.751792: sys_prctl: get_random_int(): 52310f6f
           <...>-18311 [000]   627.753395: sys_prctl: get_random_int(): 5c5960a1
           <...>-18314 [000]   627.755783: sys_prctl: get_random_int(): d03a9c4f
           <...>-18316 [000]   627.757381: sys_prctl: get_random_int(): 75cb90fb
           <...>-18319 [000]   627.759842: sys_prctl: get_random_int(): 9e3f7384
           <...>-18321 [000]   627.761397: sys_prctl: get_random_int(): 521f9b7f
           <...>-18324 [000]   627.763838: sys_prctl: get_random_int(): 145024e2
           <...>-18326 [000]   627.765396: sys_prctl: get_random_int(): 59f8fc60
           <...>-18327 [000]   627.766205: sys_prctl: get_random_int(): 03a496b0
           <...>-18329 [000]   627.767786: sys_prctl: get_random_int(): dd355d04
           <...>-18331 [000]   627.769386: sys_prctl: get_random_int(): f49c8191
           <...>-18334 [000]   627.771833: sys_prctl: get_random_int(): 83342d58
           <...>-18336 [000]   627.773389: sys_prctl: get_random_int(): b32f9abd
           <...>-18339 [000]   627.775782: sys_prctl: get_random_int(): bdb28608
           <...>-18341 [000]   627.777379: sys_prctl: get_random_int(): 97b35104
           <...>-18344 [000]   627.779830: sys_prctl: get_random_int(): 03e5c046
           <...>-18346 [000]   627.781387: sys_prctl: get_random_int(): 76069298
           <...>-18349 [000]   627.783833: sys_prctl: get_random_int(): 871a9fc2
           <...>-18351 [000]   627.785389: sys_prctl: get_random_int(): f6a7f29d
           <...>-18354 [000]   627.787835: sys_prctl: get_random_int(): 1d5ba7d4
           <...>-18356 [000]   627.789395: sys_prctl: get_random_int(): 955b60b5
           <...>-18359 [000]   627.791795: sys_prctl: get_random_int(): 7a8163a3
           <...>-18361 [000]   627.793401: sys_prctl: get_random_int(): b3e565d0
           <...>-18364 [000]   627.795808: sys_prctl: get_random_int(): 7c27c9f4
           <...>-18366 [000]   627.797410: sys_prctl: get_random_int(): b9ae9f67
           <...>-18369 [000]   627.799816: sys_prctl: get_random_int(): 84104ba4
           <...>-18371 [000]   627.801380: sys_prctl: get_random_int(): c475d325
           <...>-18374 [000]   627.803850: sys_prctl: get_random_int(): 69740e42
           <...>-18376 [000]   627.805407: sys_prctl: get_random_int(): e0d95210
           <...>-18379 [000]   627.807801: sys_prctl: get_random_int(): f4c7cb57
           <...>-18381 [000]   627.809401: sys_prctl: get_random_int(): 8bddd856
           <...>-18384 [000]   627.811793: sys_prctl: get_random_int(): db2eb8b4
           <...>-18386 [000]   627.813396: sys_prctl: get_random_int(): 3b8d152f
##### CPU 1 buffer started ####
           <...>-18387 [001]   627.814231: sys_prctl: get_random_int(): e97aca26
           <...>-18388 [001]   627.815040: sys_prctl: get_random_int(): a8cdf2b8
           <...>-18389 [000]   627.815804: sys_prctl: get_random_int(): 85e89c6f
           <...>-18390 [001]   627.816578: sys_prctl: get_random_int(): 114b1f3d
           <...>-18391 [000]   627.817368: sys_prctl: get_random_int(): 638c4a68
           <...>-18392 [001]   627.818204: sys_prctl: get_random_int(): f6ba825a
           <...>-18393 [001]   627.819026: sys_prctl: get_random_int(): e5174c9d
           <...>-18394 [000]   627.819822: sys_prctl: get_random_int(): a257b6ad
           <...>-18395 [001]   627.820595: sys_prctl: get_random_int(): 70aad3e0
           <...>-18396 [000]   627.821380: sys_prctl: get_random_int(): c94d47c9
           <...>-18397 [000]   627.822190: sys_prctl: get_random_int(): a0c620eb
           <...>-18398 [001]   627.822980: sys_prctl: get_random_int(): 6fdd32fb
           <...>-18399 [000]   627.823768: sys_prctl: get_random_int(): 42f82e7b
           <...>-18400 [001]   627.824537: sys_prctl: get_random_int(): 1c3e424c
           <...>-18401 [000]   627.825364: sys_prctl: get_random_int(): 61cf775e
           <...>-18402 [001]   627.826201: sys_prctl: get_random_int(): bd183fd1
           <...>-18403 [001]   627.827024: sys_prctl: get_random_int(): f5f71d3a
           <...>-18404 [000]   627.827816: sys_prctl: get_random_int(): f46a14cf
           <...>-18405 [001]   627.828587: sys_prctl: get_random_int(): 0b36e2ff
           <...>-18406 [000]   627.829373: sys_prctl: get_random_int(): 28d59de4
           <...>-18407 [001]   627.830201: sys_prctl: get_random_int(): d28737e7
           <...>-18408 [001]   627.831025: sys_prctl: get_random_int(): 0653b0d2
           <...>-18409 [000]   627.831825: sys_prctl: get_random_int(): 54c11a51
           <...>-18410 [001]   627.832595: sys_prctl: get_random_int(): 872a8834
           <...>-18411 [000]   627.833381: sys_prctl: get_random_int(): c21a6299
           <...>-18412 [000]   627.834200: sys_prctl: get_random_int(): 29e928e4
           <...>-18413 [001]   627.834964: sys_prctl: get_random_int(): cc0abad5
           <...>-18414 [000]   627.835755: sys_prctl: get_random_int(): c048aed4
           <...>-18415 [001]   627.836528: sys_prctl: get_random_int(): 858e93ec
           <...>-18416 [000]   627.837350: sys_prctl: get_random_int(): a73c6d44
           <...>-18417 [001]   627.838187: sys_prctl: get_random_int(): 35d5aa36
           <...>-18418 [001]   627.839007: sys_prctl: get_random_int(): 0f0f0463
           <...>-18419 [000]   627.839805: sys_prctl: get_random_int(): affd4d3b
           <...>-18420 [001]   627.840576: sys_prctl: get_random_int(): 16e51420
           <...>-18421 [000]   627.841364: sys_prctl: get_random_int(): 5a3343ab
           <...>-18422 [001]   627.842198: sys_prctl: get_random_int(): 9e664ba2
           <...>-18423 [001]   627.843019: sys_prctl: get_random_int(): 5ee2700c
           <...>-18424 [000]   627.843814: sys_prctl: get_random_int(): fa2f580e
           <...>-18425 [001]   627.844586: sys_prctl: get_random_int(): 326f61cc
           <...>-18426 [000]   627.845371: sys_prctl: get_random_int(): cea84dbd
           <...>-18427 [001]   627.846199: sys_prctl: get_random_int(): 1ca5c991
           <...>-18428 [001]   627.847021: sys_prctl: get_random_int(): 69f6619a
           <...>-18429 [000]   627.847814: sys_prctl: get_random_int(): 57bd10d0
           <...>-18430 [001]   627.848583: sys_prctl: get_random_int(): 3bb05c34
           <...>-18431 [000]   627.849370: sys_prctl: get_random_int(): 7760fc5d
           <...>-18432 [001]   627.850203: sys_prctl: get_random_int(): 65a6bb3e
           <...>-18433 [001]   627.851025: sys_prctl: get_random_int(): 73385e77
           <...>-18434 [000]   627.851820: sys_prctl: get_random_int(): 8c85bb21
           <...>-18435 [001]   627.852593: sys_prctl: get_random_int(): 422f2fcc
           <...>-18436 [000]   627.853377: sys_prctl: get_random_int(): a8e8d794
           <...>-18437 [000]   627.854198: sys_prctl: get_random_int(): 24c1da57
           <...>-18438 [001]   627.854984: sys_prctl: get_random_int(): 6a924143
           <...>-18439 [000]   627.855772: sys_prctl: get_random_int(): 7d0fa9a5
           <...>-18440 [001]   627.856543: sys_prctl: get_random_int(): 50ca3344
           <...>-18441 [000]   627.857367: sys_prctl: get_random_int(): abeaee51
           <...>-18442 [001]   627.858199: sys_prctl: get_random_int(): b5236f5a
           <...>-18443 [001]   627.859021: sys_prctl: get_random_int(): 1a87a04d
           <...>-18444 [000]   627.859814: sys_prctl: get_random_int(): 7f5c71de
           <...>-18445 [001]   627.860585: sys_prctl: get_random_int(): 5bf10a7f
           <...>-18446 [000]   627.861372: sys_prctl: get_random_int(): 1ecd5288
           <...>-18447 [000]   627.862183: sys_prctl: get_random_int(): a9266a23
           <...>-18448 [001]   627.862968: sys_prctl: get_random_int(): 304c0101
           <...>-18449 [000]   627.863754: sys_prctl: get_random_int(): 7cc1b135
           <...>-18450 [001]   627.864522: sys_prctl: get_random_int(): 4f838d1f
           <...>-18451 [000]   627.865344: sys_prctl: get_random_int(): c91b8920
           <...>-18452 [001]   627.866178: sys_prctl: get_random_int(): f0cb88e2
           <...>-18453 [001]   627.867006: sys_prctl: get_random_int(): 9a747948
           <...>-18454 [000]   627.867797: sys_prctl: get_random_int(): c142e039
           <...>-18455 [001]   627.868567: sys_prctl: get_random_int(): 4238d17e
           <...>-18456 [000]   627.869350: sys_prctl: get_random_int(): bff4fde7
           <...>-18457 [001]   627.870187: sys_prctl: get_random_int(): 83343bff
           <...>-18458 [001]   627.871009: sys_prctl: get_random_int(): c098220b
           <...>-18459 [000]   627.871807: sys_prctl: get_random_int(): bb320215
           <...>-18460 [001]   627.872576: sys_prctl: get_random_int(): c74cf7d7
           <...>-18461 [000]   627.873365: sys_prctl: get_random_int(): 090be4c0
           <...>-18462 [001]   627.874201: sys_prctl: get_random_int(): 9e5898d7
           <...>-18463 [001]   627.874964: sys_prctl: get_random_int(): 86ec672c
           <...>-18464 [000]   627.875755: sys_prctl: get_random_int(): edc62d03
           <...>-18465 [001]   627.876527: sys_prctl: get_random_int(): 1a3dd822
           <...>-18466 [000]   627.877352: sys_prctl: get_random_int(): f67f6a20
           <...>-18467 [001]   627.878192: sys_prctl: get_random_int(): b1a95cf3
           <...>-18468 [001]   627.879008: sys_prctl: get_random_int(): 364517e1
           <...>-18469 [000]   627.879805: sys_prctl: get_random_int(): c64e3193
           <...>-18470 [001]   627.880573: sys_prctl: get_random_int(): bfa7483f
           <...>-18471 [000]   627.881358: sys_prctl: get_random_int(): 2032e9f8
           <...>-18472 [001]   627.882187: sys_prctl: get_random_int(): 2a669bac
           <...>-18473 [001]   627.883012: sys_prctl: get_random_int(): 306b1e26
           <...>-18474 [000]   627.883803: sys_prctl: get_random_int(): 2a4eeccc
           <...>-18475 [001]   627.884572: sys_prctl: get_random_int(): 50dcd09e
           <...>-18476 [000]   627.885357: sys_prctl: get_random_int(): 714e88a0
           <...>-18477 [001]   627.886190: sys_prctl: get_random_int(): 52f8906e
           <...>-18478 [001]   627.887013: sys_prctl: get_random_int(): ec01de8c
           <...>-18479 [000]   627.887812: sys_prctl: get_random_int(): c60c4df2
           <...>-18480 [001]   627.888583: sys_prctl: get_random_int(): 759ffb8c
           <...>-18481 [000]   627.889367: sys_prctl: get_random_int(): f65a79e1
           <...>-18482 [001]   627.890191: sys_prctl: get_random_int(): d4733c69
           <...>-18483 [001]   627.890951: sys_prctl: get_random_int(): 1e85a905
           <...>-18484 [000]   627.891741: sys_prctl: get_random_int(): d486b9bf
           <...>-18485 [001]   627.892511: sys_prctl: get_random_int(): b04c0596
           <...>-18486 [000]   627.893335: sys_prctl: get_random_int(): ae431490
           <...>-18487 [001]   627.894187: sys_prctl: get_random_int(): 954b83e4
           <...>-18488 [001]   627.895007: sys_prctl: get_random_int(): 84cdd8f9
           <...>-18489 [000]   627.895803: sys_prctl: get_random_int(): f655c354
           <...>-18490 [001]   627.896576: sys_prctl: get_random_int(): 60f2f7fe
           <...>-18491 [000]   627.897363: sys_prctl: get_random_int(): f15e864f
           <...>-18492 [001]   627.898189: sys_prctl: get_random_int(): 4de26b7a
           <...>-18493 [001]   627.899019: sys_prctl: get_random_int(): 3632d98d
           <...>-18494 [000]   627.899811: sys_prctl: get_random_int(): 6398f233
           <...>-18495 [001]   627.900588: sys_prctl: get_random_int(): 4f19b083
           <...>-18496 [000]   627.901371: sys_prctl: get_random_int(): e696aed7
           <...>-18497 [001]   627.902196: sys_prctl: get_random_int(): 2d6f06fa
           <...>-18498 [001]   627.903006: sys_prctl: get_random_int(): bbd4a5a7
           <...>-18499 [000]   627.903771: sys_prctl: get_random_int(): af4e7caa
           <...>-18500 [001]   627.904541: sys_prctl: get_random_int(): 1e1efc83
           <...>-18501 [000]   627.905372: sys_prctl: get_random_int(): 28dd50e1
           <...>-18502 [001]   627.906197: sys_prctl: get_random_int(): 0faa0489
           <...>-18503 [001]   627.907006: sys_prctl: get_random_int(): 45932529
           <...>-18504 [000]   627.907766: sys_prctl: get_random_int(): 3101de22
           <...>-18505 [001]   627.908542: sys_prctl: get_random_int(): a6616538
           <...>-18506 [000]   627.909365: sys_prctl: get_random_int(): 745b41c5
           <...>-18507 [001]   627.910194: sys_prctl: get_random_int(): 961f937a
           <...>-18508 [001]   627.911001: sys_prctl: get_random_int(): 27bf8b8b
           <...>-18509 [000]   627.911764: sys_prctl: get_random_int(): 6b976e6a
           <...>-18510 [001]   627.912538: sys_prctl: get_random_int(): 04501e6f
           <...>-18511 [000]   627.913369: sys_prctl: get_random_int(): fb3e4bed
           <...>-18512 [001]   627.914204: sys_prctl: get_random_int(): d5ea788d
           <...>-18513 [001]   627.915016: sys_prctl: get_random_int(): ba990947
           <...>-18514 [000]   627.915778: sys_prctl: get_random_int(): 3de8e678
           <...>-18515 [001]   627.916552: sys_prctl: get_random_int(): 191b2192
           <...>-18516 [000]   627.917377: sys_prctl: get_random_int(): dabbcec6
           <...>-18517 [001]   627.918205: sys_prctl: get_random_int(): 02c784aa
           <...>-18518 [001]   627.919012: sys_prctl: get_random_int(): d70791f2
           <...>-18519 [000]   627.919778: sys_prctl: get_random_int(): 43421c09
           <...>-18520 [001]   627.920549: sys_prctl: get_random_int(): e054e4cd
           <...>-18521 [000]   627.921342: sys_prctl: get_random_int(): 581cd65e
           <...>-18522 [001]   627.922180: sys_prctl: get_random_int(): c5306f50
           <...>-18523 [001]   627.922999: sys_prctl: get_random_int(): ccf46cf0
           <...>-18524 [000]   627.923789: sys_prctl: get_random_int(): f1a6e38d
           <...>-18525 [001]   627.924564: sys_prctl: get_random_int(): bcbaf1e5
           <...>-18526 [000]   627.925347: sys_prctl: get_random_int(): ffdcb654
           <...>-18527 [001]   627.926178: sys_prctl: get_random_int(): e3814837
           <...>-18528 [001]   627.927000: sys_prctl: get_random_int(): e2d86125
           <...>-18529 [000]   627.927796: sys_prctl: get_random_int(): 4b575890
           <...>-18530 [001]   627.928565: sys_prctl: get_random_int(): 4bbbaa1e
           <...>-18531 [000]   627.929353: sys_prctl: get_random_int(): dfb1056d
           <...>-18532 [001]   627.930179: sys_prctl: get_random_int(): d4dae55d
           <...>-18533 [001]   627.931002: sys_prctl: get_random_int(): c71c0bb1
           <...>-18534 [000]   627.931793: sys_prctl: get_random_int(): b85cc1bf
           <...>-18535 [001]   627.932567: sys_prctl: get_random_int(): 362cc1a2
           <...>-18536 [000]   627.933350: sys_prctl: get_random_int(): 71b243ce
           <...>-18537 [001]   627.934185: sys_prctl: get_random_int(): 5190e11b
           <...>-18538 [001]   627.934945: sys_prctl: get_random_int(): 5a64d246
           <...>-18539 [000]   627.935740: sys_prctl: get_random_int(): da00778b
           <...>-18540 [001]   627.936509: sys_prctl: get_random_int(): 587621e4
           <...>-18541 [000]   627.937334: sys_prctl: get_random_int(): f3a9e3c8
           <...>-18542 [001]   627.938171: sys_prctl: get_random_int(): df2032bc
           <...>-18543 [001]   627.938994: sys_prctl: get_random_int(): 4117c14e
           <...>-18544 [000]   627.939786: sys_prctl: get_random_int(): a6c328c6
           <...>-18545 [001]   627.940560: sys_prctl: get_random_int(): 6d65f77c
           <...>-18546 [000]   627.941344: sys_prctl: get_random_int(): 32ccd9cf
           <...>-18547 [001]   627.942175: sys_prctl: get_random_int(): 84c21c2e
           <...>-18548 [001]   627.943003: sys_prctl: get_random_int(): 43adc633
           <...>-18549 [000]   627.943797: sys_prctl: get_random_int(): daad681e
           <...>-18550 [001]   627.944566: sys_prctl: get_random_int(): 691fc2ea
           <...>-18551 [000]   627.945355: sys_prctl: get_random_int(): 48d18004
           <...>-18552 [001]   627.946176: sys_prctl: get_random_int(): fd9ffbd2
           <...>-18553 [001]   627.946932: sys_prctl: get_random_int(): 6bf8f482
           <...>-18554 [000]   627.947724: sys_prctl: get_random_int(): f2e85e39
           <...>-18555 [001]   627.948497: sys_prctl: get_random_int(): 4cc7edf2
           <...>-18556 [000]   627.949320: sys_prctl: get_random_int(): a6dcb927
           <...>-18557 [001]   627.950158: sys_prctl: get_random_int(): 9b2e0164
           <...>-18558 [001]   627.950983: sys_prctl: get_random_int(): 3a6a42bd
           <...>-18559 [000]   627.951776: sys_prctl: get_random_int(): 1c47d070
           <...>-18560 [001]   627.952545: sys_prctl: get_random_int(): 16075ee5
           <...>-18561 [000]   627.953333: sys_prctl: get_random_int(): 0382027b
           <...>-18562 [001]   627.954175: sys_prctl: get_random_int(): c5693b95
           <...>-18563 [001]   627.955001: sys_prctl: get_random_int(): 46b315c1
           <...>-18564 [000]   627.955798: sys_prctl: get_random_int(): 1726dfc0
           <...>-18565 [001]   627.956570: sys_prctl: get_random_int(): f2ce9d1e
           <...>-18566 [000]   627.957349: sys_prctl: get_random_int(): 280b1db2
           <...>-18567 [000]   627.958158: sys_prctl: get_random_int(): 34ee77a5
           <...>-18568 [001]   627.958950: sys_prctl: get_random_int(): 3fdea472
           <...>-18569 [000]   627.959739: sys_prctl: get_random_int(): 97367791
           <...>-18570 [001]   627.960508: sys_prctl: get_random_int(): 321129ba
           <...>-18571 [000]   627.961336: sys_prctl: get_random_int(): 2697257c
           <...>-18572 [001]   627.962172: sys_prctl: get_random_int(): 9041082c
           <...>-18573 [001]   627.962993: sys_prctl: get_random_int(): 745f54f6
           <...>-18574 [000]   627.963783: sys_prctl: get_random_int(): f8e8f387
           <...>-18575 [001]   627.964552: sys_prctl: get_random_int(): 56b494c7
           <...>-18577 [000]   627.965334: sys_prctl: get_random_int(): c07b5f17
           <...>-18578 [001]   627.966164: sys_prctl: get_random_int(): 0bfc02a8
           <...>-18579 [001]   627.966987: sys_prctl: get_random_int(): e82d9b2d
           <...>-18580 [000]   627.967780: sys_prctl: get_random_int(): 8296b72b
           <...>-18581 [001]   627.968550: sys_prctl: get_random_int(): 6fabdb15
           <...>-18582 [000]   627.969335: sys_prctl: get_random_int(): 35a70752
           <...>-18583 [001]   627.970163: sys_prctl: get_random_int(): 0ee8fcd3
           <...>-18584 [001]   627.970984: sys_prctl: get_random_int(): c2293934
           <...>-18585 [000]   627.971777: sys_prctl: get_random_int(): 445f7a05
           <...>-18586 [001]   627.972547: sys_prctl: get_random_int(): 2a663058
           <...>-18587 [000]   627.973332: sys_prctl: get_random_int(): 5477fcd5
           <...>-18588 [001]   627.974174: sys_prctl: get_random_int(): 8cc30a16
           <...>-18589 [001]   627.974994: sys_prctl: get_random_int(): b737f4af
           <...>-18590 [000]   627.975792: sys_prctl: get_random_int(): 538c5074
           <...>-18591 [001]   627.976561: sys_prctl: get_random_int(): 3266cbc6
           <...>-18592 [000]   627.977347: sys_prctl: get_random_int(): 7853c392
           <...>-18593 [000]   627.978156: sys_prctl: get_random_int(): 4d326cc5
           <...>-18594 [001]   627.978948: sys_prctl: get_random_int(): aa89393a
           <...>-18595 [000]   627.979733: sys_prctl: get_random_int(): 6c0246da
           <...>-18596 [001]   627.980503: sys_prctl: get_random_int(): 95b86f81
           <...>-18597 [000]   627.981329: sys_prctl: get_random_int(): 536fea63
           <...>-18598 [001]   627.982167: sys_prctl: get_random_int(): f376b88f
           <...>-18599 [001]   627.982988: sys_prctl: get_random_int(): 61300d20
           <...>-18600 [000]   627.983786: sys_prctl: get_random_int(): 4fb7675b
           <...>-18601 [001]   627.984555: sys_prctl: get_random_int(): 05b7519a
           <...>-18602 [000]   627.985342: sys_prctl: get_random_int(): 1dc996df
           <...>-18603 [001]   627.986164: sys_prctl: get_random_int(): b61126a1
           <...>-18604 [001]   627.986915: sys_prctl: get_random_int(): 2ac26f3c
           <...>-18605 [000]   627.987710: sys_prctl: get_random_int(): 19a541ab
           <...>-18606 [001]   627.988482: sys_prctl: get_random_int(): b59bf4af
           <...>-18607 [000]   627.989306: sys_prctl: get_random_int(): 154838a5
           <...>-18608 [001]   627.990146: sys_prctl: get_random_int(): c5f91d79
           <...>-18609 [001]   627.990969: sys_prctl: get_random_int(): 61775e7a
           <...>-18610 [000]   627.991764: sys_prctl: get_random_int(): a310e20c
           <...>-18611 [001]   627.992532: sys_prctl: get_random_int(): 7e3850d9
           <...>-18612 [000]   627.993318: sys_prctl: get_random_int(): 84caa2e8
           <...>-18613 [001]   627.994163: sys_prctl: get_random_int(): b24878e2
           <...>-18614 [001]   627.994991: sys_prctl: get_random_int(): f2653380
           <...>-18615 [000]   627.995786: sys_prctl: get_random_int(): d85cee27
           <...>-18616 [001]   627.996561: sys_prctl: get_random_int(): 9b8505e6
           <...>-18617 [000]   627.997344: sys_prctl: get_random_int(): 257c4522
           <...>-18618 [001]   627.998171: sys_prctl: get_random_int(): e4339624
           <...>-18619 [001]   627.998980: sys_prctl: get_random_int(): 7228a721
           <...>-18620 [000]   627.999745: sys_prctl: get_random_int(): e121b81c
           <...>-18621 [001]   628.000520: sys_prctl: get_random_int(): 8431d816
           <...>-18622 [000]   628.001351: sys_prctl: get_random_int(): 501faecf
           <...>-18623 [001]   628.002178: sys_prctl: get_random_int(): 46b05afc
           <...>-18624 [001]   628.002996: sys_prctl: get_random_int(): eda462d0
           <...>-18625 [000]   628.003755: sys_prctl: get_random_int(): b1697ab1
           <...>-18626 [001]   628.004536: sys_prctl: get_random_int(): 0ec26266
           <...>-18627 [000]   628.005320: sys_prctl: get_random_int(): 3cc19600
           <...>-18628 [001]   628.006160: sys_prctl: get_random_int(): 5a8e9b61
           <...>-18629 [001]   628.006977: sys_prctl: get_random_int(): d4d4a5ee
           <...>-18630 [000]   628.007773: sys_prctl: get_random_int(): 2af9a36f
           <...>-18631 [001]   628.008540: sys_prctl: get_random_int(): 23aaa78d
           <...>-18632 [000]   628.009327: sys_prctl: get_random_int(): 337e8c2a
           <...>-18633 [001]   628.010156: sys_prctl: get_random_int(): 2e04775c
           <...>-18634 [001]   628.010978: sys_prctl: get_random_int(): c16d86a0
           <...>-18635 [000]   628.011771: sys_prctl: get_random_int(): 7918801e
           <...>-18636 [001]   628.012544: sys_prctl: get_random_int(): 9f456e1f
           <...>-18637 [000]   628.013325: sys_prctl: get_random_int(): f3b7cba9
           <...>-18638 [001]   628.014164: sys_prctl: get_random_int(): 3cd20579
           <...>-18639 [001]   628.014923: sys_prctl: get_random_int(): c69f87ca
           <...>-18640 [000]   628.015720: sys_prctl: get_random_int(): 15aa25da
           <...>-18641 [001]   628.016490: sys_prctl: get_random_int(): e2bfeacc
           <...>-18642 [000]   628.017316: sys_prctl: get_random_int(): 93e79b19
           <...>-18643 [001]   628.018150: sys_prctl: get_random_int(): f2d7f276
           <...>-18644 [001]   628.018971: sys_prctl: get_random_int(): 72a4f012
           <...>-18645 [000]   628.019768: sys_prctl: get_random_int(): ac4a3c77
           <...>-18646 [001]   628.020542: sys_prctl: get_random_int(): a3bb226a
           <...>-18647 [000]   628.021325: sys_prctl: get_random_int(): 4a684dfb
           <...>-18648 [001]   628.022158: sys_prctl: get_random_int(): c24b4d0d
           <...>-18649 [001]   628.022978: sys_prctl: get_random_int(): e1e865db
           <...>-18650 [000]   628.023774: sys_prctl: get_random_int(): 52ce4c15
           <...>-18651 [001]   628.024544: sys_prctl: get_random_int(): 8958e813
           <...>-18652 [000]   628.025333: sys_prctl: get_random_int(): d684716f
           <...>-18653 [001]   628.026155: sys_prctl: get_random_int(): da0202bd
           <...>-18654 [001]   628.026909: sys_prctl: get_random_int(): c59d5ed6
           <...>-18655 [000]   628.027700: sys_prctl: get_random_int(): dd10bd34
           <...>-18656 [001]   628.028474: sys_prctl: get_random_int(): 7f7644a6
           <...>-18657 [001]   628.029311: sys_prctl: get_random_int(): 01a431f1
# tracer: nop
#
#           TASK-PID    CPU#    TIMESTAMP  FUNCTION
#              | |       |          |         |
           <...>-23256 [000]   734.874773: sys_prctl: get_random_int(): a64ca595
           <...>-23258 [000]   734.876326: sys_prctl: get_random_int(): e88f5453
           <...>-23261 [000]   734.878769: sys_prctl: get_random_int(): 22ff1a17
           <...>-23263 [000]   734.880324: sys_prctl: get_random_int(): 99fe148a
           <...>-23264 [000]   734.881141: sys_prctl: get_random_int(): 40f6778f
           <...>-23266 [000]   734.882723: sys_prctl: get_random_int(): d769bd9e
           <...>-23268 [000]   734.884325: sys_prctl: get_random_int(): 3dc6a713
           <...>-23271 [000]   734.886707: sys_prctl: get_random_int(): 85f3a9d3
           <...>-23273 [000]   734.888300: sys_prctl: get_random_int(): 8c5015b7
           <...>-23276 [000]   734.890759: sys_prctl: get_random_int(): 50a94bca
           <...>-23278 [000]   734.892313: sys_prctl: get_random_int(): e96a1eb1
##### CPU 1 buffer started ####
           <...>-23280 [001]   734.893969: sys_prctl: get_random_int(): 02c61ff6
           <...>-23281 [000]   734.894760: sys_prctl: get_random_int(): 78595394
           <...>-23282 [001]   734.895533: sys_prctl: get_random_int(): 4edbadf8
           <...>-23283 [000]   734.896315: sys_prctl: get_random_int(): 2a7bfe4a
           <...>-23284 [001]   734.897146: sys_prctl: get_random_int(): 37ceb873
           <...>-23285 [001]   734.897965: sys_prctl: get_random_int(): 3a4ec289
           <...>-23286 [000]   734.898763: sys_prctl: get_random_int(): cf5e9125
           <...>-23287 [001]   734.899529: sys_prctl: get_random_int(): 0456fdf7
           <...>-23288 [000]   734.900316: sys_prctl: get_random_int(): 0c059a10
           <...>-23289 [001]   734.901147: sys_prctl: get_random_int(): 7b469e29
           <...>-23290 [001]   734.901974: sys_prctl: get_random_int(): 5068434d
           <...>-23291 [000]   734.902766: sys_prctl: get_random_int(): e92fba13
           <...>-23292 [001]   734.903539: sys_prctl: get_random_int(): adf80330
           <...>-23293 [000]   734.904321: sys_prctl: get_random_int(): 627a6686
           <...>-23294 [000]   734.905133: sys_prctl: get_random_int(): 9a95dfc0
           <...>-23295 [001]   734.905934: sys_prctl: get_random_int(): e9b7ff83
           <...>-23296 [000]   734.906720: sys_prctl: get_random_int(): caf6f557
           <...>-23297 [001]   734.907488: sys_prctl: get_random_int(): 967bd995
           <...>-23298 [000]   734.908317: sys_prctl: get_random_int(): 09ff7740
           <...>-23299 [001]   734.909145: sys_prctl: get_random_int(): fd15e37b
           <...>-23300 [001]   734.909894: sys_prctl: get_random_int(): 241e1bb5
           <...>-23301 [000]   734.910685: sys_prctl: get_random_int(): 6a3fb579
           <...>-23302 [001]   734.911458: sys_prctl: get_random_int(): 62d7f835
           <...>-23303 [000]   734.912281: sys_prctl: get_random_int(): dc1388de
           <...>-23304 [001]   734.913120: sys_prctl: get_random_int(): da9bfff5
           <...>-23305 [001]   734.913938: sys_prctl: get_random_int(): beaef652
           <...>-23306 [000]   734.914731: sys_prctl: get_random_int(): 4ccf35fd
           <...>-23307 [001]   734.915501: sys_prctl: get_random_int(): 7f80a00f
           <...>-23308 [000]   734.916327: sys_prctl: get_random_int(): a73249ca
           <...>-23309 [001]   734.917150: sys_prctl: get_random_int(): b20a214d
           <...>-23310 [001]   734.917964: sys_prctl: get_random_int(): 067e9686
           <...>-23311 [000]   734.918724: sys_prctl: get_random_int(): f13d462f
           <...>-23312 [001]   734.919501: sys_prctl: get_random_int(): 765cb10e
           <...>-23313 [000]   734.920325: sys_prctl: get_random_int(): 01f9270a
           <...>-23314 [001]   734.921153: sys_prctl: get_random_int(): d047f8b8
           <...>-23315 [001]   734.921961: sys_prctl: get_random_int(): a03535ee
           <...>-23316 [000]   734.922722: sys_prctl: get_random_int(): 5fbadc9d
           <...>-23317 [001]   734.923494: sys_prctl: get_random_int(): 455cfc51
           <...>-23318 [000]   734.924324: sys_prctl: get_random_int(): 39db49a4
           <...>-23319 [001]   734.925152: sys_prctl: get_random_int(): f8a2ade6
           <...>-23320 [001]   734.925972: sys_prctl: get_random_int(): 42ef8040
           <...>-23321 [000]   734.926732: sys_prctl: get_random_int(): e0fc8cc3
           <...>-23322 [001]   734.927507: sys_prctl: get_random_int(): 272199d9
           <...>-23323 [000]   734.928335: sys_prctl: get_random_int(): e0ddda72
           <...>-23324 [001]   734.929167: sys_prctl: get_random_int(): ea380a40
           <...>-23325 [001]   734.929976: sys_prctl: get_random_int(): cd9d10b4
           <...>-23326 [000]   734.930738: sys_prctl: get_random_int(): de85cd17
           <...>-23327 [001]   734.931509: sys_prctl: get_random_int(): 90ac37b3
           <...>-23328 [000]   734.932300: sys_prctl: get_random_int(): 2303f763
           <...>-23329 [001]   734.933134: sys_prctl: get_random_int(): b67d8ffc
           <...>-23330 [001]   734.933963: sys_prctl: get_random_int(): f475a889
           <...>-23331 [000]   734.934755: sys_prctl: get_random_int(): 969d0d50
           <...>-23332 [001]   734.935527: sys_prctl: get_random_int(): d2a064c2
           <...>-23333 [000]   734.936307: sys_prctl: get_random_int(): 9336bec4
           <...>-23334 [001]   734.937137: sys_prctl: get_random_int(): 26e1c1f5
           <...>-23335 [001]   734.937960: sys_prctl: get_random_int(): 21a483c5
           <...>-23336 [000]   734.938755: sys_prctl: get_random_int(): 08a3e6e6
           <...>-23337 [001]   734.939522: sys_prctl: get_random_int(): ece48064
           <...>-23338 [000]   734.940311: sys_prctl: get_random_int(): 41ad055d
           <...>-23339 [001]   734.941137: sys_prctl: get_random_int(): 1344d886
           <...>-23340 [001]   734.941893: sys_prctl: get_random_int(): 0ad603db
           <...>-23341 [000]   734.942682: sys_prctl: get_random_int(): ce48c370
           <...>-23342 [001]   734.943455: sys_prctl: get_random_int(): d81e1039
           <...>-23343 [000]   734.944278: sys_prctl: get_random_int(): 7d819570
           <...>-23344 [001]   734.945116: sys_prctl: get_random_int(): d2b48464
           <...>-23345 [001]   734.945946: sys_prctl: get_random_int(): 85548a2f
           <...>-23346 [000]   734.946738: sys_prctl: get_random_int(): 5251e8db
           <...>-23347 [001]   734.947504: sys_prctl: get_random_int(): f5be1507
           <...>-23348 [000]   734.948291: sys_prctl: get_random_int(): be9a7219
           <...>-23349 [001]   734.949125: sys_prctl: get_random_int(): 79867990
           <...>-23350 [001]   734.949946: sys_prctl: get_random_int(): e9350b88
           <...>-23351 [000]   734.950739: sys_prctl: get_random_int(): f925fd54
           <...>-23352 [001]   734.951507: sys_prctl: get_random_int(): 00a61729
           <...>-23353 [000]   734.952293: sys_prctl: get_random_int(): 459ab040
           <...>-23354 [001]   734.953127: sys_prctl: get_random_int(): 91196a0f
           <...>-23355 [001]   734.953945: sys_prctl: get_random_int(): 7dd5289e
           <...>-23356 [000]   734.954741: sys_prctl: get_random_int(): 3d6f1ac8
           <...>-23357 [001]   734.955508: sys_prctl: get_random_int(): 20b03a0d
           <...>-23358 [000]   734.956295: sys_prctl: get_random_int(): b3e1a674
           <...>-23359 [001]   734.957123: sys_prctl: get_random_int(): ba47d73a
           <...>-23360 [001]   734.957951: sys_prctl: get_random_int(): 95507a47
           <...>-23361 [000]   734.958745: sys_prctl: get_random_int(): 756457f2
           <...>-23362 [001]   734.959517: sys_prctl: get_random_int(): 3753f20f
           <...>-23363 [000]   734.960300: sys_prctl: get_random_int(): cedda01d
           <...>-23364 [001]   734.961132: sys_prctl: get_random_int(): 0ae1c51f
           <...>-23365 [001]   734.961952: sys_prctl: get_random_int(): 2e7ddfa1
           <...>-23366 [000]   734.962747: sys_prctl: get_random_int(): 38288759
           <...>-23367 [001]   734.963516: sys_prctl: get_random_int(): c6eaf768
           <...>-23368 [000]   734.964303: sys_prctl: get_random_int(): 96fda3bd
           <...>-23369 [001]   734.965128: sys_prctl: get_random_int(): 3b7cefc7
           <...>-23370 [001]   734.965962: sys_prctl: get_random_int(): 1cd8b8f9
           <...>-23371 [000]   734.966752: sys_prctl: get_random_int(): 6ee92289
           <...>-23372 [001]   734.967522: sys_prctl: get_random_int(): ab0f8668
           <...>-23373 [000]   734.968303: sys_prctl: get_random_int(): 07c4ea86
           <...>-23374 [000]   734.969112: sys_prctl: get_random_int(): c9cab6ce
           <...>-23375 [001]   734.969906: sys_prctl: get_random_int(): a46cc75e
           <...>-23376 [000]   734.970694: sys_prctl: get_random_int(): 05a72274
           <...>-23377 [001]   734.971462: sys_prctl: get_random_int(): ba11a97c
           <...>-23378 [000]   734.972292: sys_prctl: get_random_int(): 230a8575
           <...>-23379 [001]   734.973126: sys_prctl: get_random_int(): 56405a19
           <...>-23380 [001]   734.973952: sys_prctl: get_random_int(): 6a7a746e
           <...>-23381 [000]   734.974747: sys_prctl: get_random_int(): 1216a03d
           <...>-23382 [001]   734.975518: sys_prctl: get_random_int(): a8b71c79
           <...>-23383 [000]   734.976300: sys_prctl: get_random_int(): f2b27bd0
           <...>-23384 [000]   734.977111: sys_prctl: get_random_int(): 58281a76
           <...>-23385 [001]   734.977902: sys_prctl: get_random_int(): 9fbb8459
           <...>-23386 [000]   734.978691: sys_prctl: get_random_int(): b5944da6
           <...>-23387 [001]   734.979460: sys_prctl: get_random_int(): c463a91d
           <...>-23388 [000]   734.980287: sys_prctl: get_random_int(): 19df0940
           <...>-23389 [001]   734.981121: sys_prctl: get_random_int(): e3b268ce
           <...>-23390 [001]   734.981938: sys_prctl: get_random_int(): 394a2be3
           <...>-23391 [000]   734.982730: sys_prctl: get_random_int(): 5a24e611
           <...>-23392 [001]   734.983506: sys_prctl: get_random_int(): f48b0c91
           <...>-23393 [000]   734.984291: sys_prctl: get_random_int(): bf3ff863
           <...>-23394 [001]   734.985123: sys_prctl: get_random_int(): 19ad52f8
           <...>-23395 [001]   734.985959: sys_prctl: get_random_int(): 57c2d7ae
           <...>-23396 [000]   734.986752: sys_prctl: get_random_int(): 2da8a420
           <...>-23397 [001]   734.987519: sys_prctl: get_random_int(): 6cd5173f
           <...>-23398 [000]   734.988304: sys_prctl: get_random_int(): dc1b5780
           <...>-23399 [001]   734.989123: sys_prctl: get_random_int(): 82ab2f5a
           <...>-23400 [001]   734.989935: sys_prctl: get_random_int(): 9ee47cf8
           <...>-23401 [000]   734.990699: sys_prctl: get_random_int(): a7fb8b54
           <...>-23402 [001]   734.991475: sys_prctl: get_random_int(): 5a8e48c3
           <...>-23403 [000]   734.992303: sys_prctl: get_random_int(): 8e8f76c1
           <...>-23404 [001]   734.993133: sys_prctl: get_random_int(): 04468eb0
           <...>-23405 [001]   734.993944: sys_prctl: get_random_int(): 22d5ec87
           <...>-23406 [000]   734.994705: sys_prctl: get_random_int(): a38348df
           <...>-23407 [001]   734.995476: sys_prctl: get_random_int(): a483d817
           <...>-23408 [000]   734.996304: sys_prctl: get_random_int(): db942580
           <...>-23409 [001]   734.997129: sys_prctl: get_random_int(): 72f6d65c
           <...>-23410 [001]   734.997940: sys_prctl: get_random_int(): 09aecf0f
           <...>-23411 [000]   734.998700: sys_prctl: get_random_int(): 3a7d8f9a
           <...>-23412 [001]   734.999476: sys_prctl: get_random_int(): 03d533de
           <...>-23413 [000]   735.000302: sys_prctl: get_random_int(): 8168696a
           <...>-23414 [001]   735.001130: sys_prctl: get_random_int(): bfc540fd
           <...>-23415 [001]   735.001937: sys_prctl: get_random_int(): 9f50863b
           <...>-23416 [000]   735.002701: sys_prctl: get_random_int(): e0c08242
           <...>-23417 [001]   735.003473: sys_prctl: get_random_int(): 01dc8ea5
           <...>-23418 [000]   735.004301: sys_prctl: get_random_int(): 64654c19
           <...>-23419 [001]   735.005126: sys_prctl: get_random_int(): ecddcffd
           <...>-23420 [001]   735.005943: sys_prctl: get_random_int(): fdeed1a1
           <...>-23421 [000]   735.006702: sys_prctl: get_random_int(): 5fddbb31
           <...>-23422 [001]   735.007476: sys_prctl: get_random_int(): 77efd6b6
           <...>-23423 [000]   735.008305: sys_prctl: get_random_int(): 08b5c928
           <...>-23424 [001]   735.009133: sys_prctl: get_random_int(): 71c6e260
           <...>-23425 [001]   735.009939: sys_prctl: get_random_int(): 79a1ce1c
           <...>-23426 [000]   735.010703: sys_prctl: get_random_int(): 454f5826
           <...>-23427 [001]   735.011477: sys_prctl: get_random_int(): d7824c98
           <...>-23428 [000]   735.012306: sys_prctl: get_random_int(): 58442212
           <...>-23429 [001]   735.013135: sys_prctl: get_random_int(): 787ebf1f
           <...>-23430 [001]   735.013947: sys_prctl: get_random_int(): 8f0f56aa
           <...>-23431 [000]   735.014709: sys_prctl: get_random_int(): 06947a9e
           <...>-23432 [001]   735.015485: sys_prctl: get_random_int(): 3cfb0efc
           <...>-23433 [000]   735.016310: sys_prctl: get_random_int(): 1c75ff4c
           <...>-23434 [001]   735.017139: sys_prctl: get_random_int(): eaae711c
           <...>-23435 [001]   735.017949: sys_prctl: get_random_int(): 3d0ff789
           <...>-23436 [000]   735.018711: sys_prctl: get_random_int(): 8accaae0
           <...>-23437 [001]   735.019483: sys_prctl: get_random_int(): 95bf4c82
           <...>-23438 [000]   735.020275: sys_prctl: get_random_int(): 4e42e1c9
           <...>-23439 [001]   735.021110: sys_prctl: get_random_int(): d604eef8
           <...>-23440 [001]   735.021934: sys_prctl: get_random_int(): 54484dcf
           <...>-23441 [000]   735.022729: sys_prctl: get_random_int(): 872fc3bc
           <...>-23442 [001]   735.023500: sys_prctl: get_random_int(): 98824c0a
           <...>-23443 [000]   735.024282: sys_prctl: get_random_int(): b7ed846a
           <...>-23444 [001]   735.025115: sys_prctl: get_random_int(): 16258dc9
           <...>-23445 [001]   735.025947: sys_prctl: get_random_int(): c94a4f29
           <...>-23446 [000]   735.026744: sys_prctl: get_random_int(): ee7392d8
           <...>-23447 [001]   735.027512: sys_prctl: get_random_int(): 5ec65878
           <...>-23448 [000]   735.028301: sys_prctl: get_random_int(): 493b4988
           <...>-23449 [001]   735.029121: sys_prctl: get_random_int(): f1266b57
           <...>-23450 [001]   735.029933: sys_prctl: get_random_int(): a59debaf
           <...>-23451 [000]   735.030693: sys_prctl: get_random_int(): 7c132ed5
           <...>-23452 [001]   735.031467: sys_prctl: get_random_int(): 11547e2d
           <...>-23453 [000]   735.032291: sys_prctl: get_random_int(): 4f858ff5
           <...>-23454 [001]   735.033120: sys_prctl: get_random_int(): c7110a7f
           <...>-23455 [001]   735.033927: sys_prctl: get_random_int(): 6e3b0e36
           <...>-23456 [000]   735.034691: sys_prctl: get_random_int(): 12f6bac0
           <...>-23457 [001]   735.035465: sys_prctl: get_random_int(): 4ed53f86
           <...>-23458 [000]   735.036293: sys_prctl: get_random_int(): ee29a241
           <...>-23459 [001]   735.037117: sys_prctl: get_random_int(): 953a79c5
           <...>-23460 [001]   735.037927: sys_prctl: get_random_int(): 9f729347
           <...>-23461 [000]   735.038686: sys_prctl: get_random_int(): f847a7b3
           <...>-23462 [001]   735.039460: sys_prctl: get_random_int(): f947ea8c
           <...>-23463 [000]   735.040282: sys_prctl: get_random_int(): 8336bf10
           <...>-23464 [000]   735.041096: sys_prctl: get_random_int(): 96799192
           <...>-23465 [001]   735.041882: sys_prctl: get_random_int(): 10c6d381
           <...>-23466 [000]   735.042670: sys_prctl: get_random_int(): b87b9ae5
           <...>-23467 [001]   735.043441: sys_prctl: get_random_int(): 80527aaa
           <...>-23468 [000]   735.044266: sys_prctl: get_random_int(): 2a7e63e9
           <...>-23469 [001]   735.045100: sys_prctl: get_random_int(): 72667100
           <...>-23470 [001]   735.045933: sys_prctl: get_random_int(): a887ca0c
           <...>-23471 [000]   735.046725: sys_prctl: get_random_int(): 50e5ac7d
           <...>-23472 [001]   735.047495: sys_prctl: get_random_int(): e5593464
           <...>-23473 [000]   735.048278: sys_prctl: get_random_int(): 5a4baff4
           <...>-23474 [001]   735.049106: sys_prctl: get_random_int(): 7806817c
           <...>-23475 [001]   735.049928: sys_prctl: get_random_int(): d14b3fd3
           <...>-23476 [000]   735.050721: sys_prctl: get_random_int(): ef44083e
           <...>-23477 [001]   735.051490: sys_prctl: get_random_int(): 13092404
           <...>-23478 [000]   735.052277: sys_prctl: get_random_int(): c90d50a5
           <...>-23479 [001]   735.053107: sys_prctl: get_random_int(): 95045a0e
           <...>-23480 [001]   735.053933: sys_prctl: get_random_int(): 972d7cdb
           <...>-23481 [000]   735.054726: sys_prctl: get_random_int(): 55caf453
           <...>-23482 [001]   735.055497: sys_prctl: get_random_int(): 4fda0c11
           <...>-23483 [000]   735.056283: sys_prctl: get_random_int(): f8e3ea70
           <...>-23484 [001]   735.057104: sys_prctl: get_random_int(): 16c2f90d
           <...>-23485 [001]   735.057914: sys_prctl: get_random_int(): 82e8de96
           <...>-23486 [000]   735.058678: sys_prctl: get_random_int(): e18cb667
           <...>-23487 [001]   735.059450: sys_prctl: get_random_int(): c421be39
           <...>-23488 [000]   735.060279: sys_prctl: get_random_int(): e76e99b6
           <...>-23489 [001]   735.061108: sys_prctl: get_random_int(): 5734c0d1
           <...>-23490 [001]   735.061866: sys_prctl: get_random_int(): 63130b88
           <...>-23491 [000]   735.062658: sys_prctl: get_random_int(): be4e7087
           <...>-23492 [001]   735.063433: sys_prctl: get_random_int(): d5a854ed
           <...>-23493 [000]   735.064256: sys_prctl: get_random_int(): c960ce66
           <...>-23494 [001]   735.065093: sys_prctl: get_random_int(): 02c31f24
           <...>-23495 [001]   735.065924: sys_prctl: get_random_int(): 6aca4b56
           <...>-23496 [000]   735.066719: sys_prctl: get_random_int(): bdb985ce
           <...>-23497 [001]   735.067490: sys_prctl: get_random_int(): d248e7fd
           <...>-23498 [000]   735.068277: sys_prctl: get_random_int(): 970f09e6
           <...>-23499 [001]   735.069101: sys_prctl: get_random_int(): 0888635b
           <...>-23500 [001]   735.069932: sys_prctl: get_random_int(): c15080b6
           <...>-23501 [000]   735.070724: sys_prctl: get_random_int(): 0b858d9e
           <...>-23502 [001]   735.071494: sys_prctl: get_random_int(): 342945ed
           <...>-23503 [000]   735.072274: sys_prctl: get_random_int(): 03adf881
           <...>-23504 [000]   735.073086: sys_prctl: get_random_int(): 65034d8d
           <...>-23505 [001]   735.073877: sys_prctl: get_random_int(): d9c16cb9
           <...>-23506 [000]   735.074664: sys_prctl: get_random_int(): 07e3c719
           <...>-23507 [001]   735.075431: sys_prctl: get_random_int(): 5cd3f586
           <...>-23508 [000]   735.076256: sys_prctl: get_random_int(): 6d2464e0
           <...>-23509 [001]   735.077090: sys_prctl: get_random_int(): f75751e9
           <...>-23510 [001]   735.077912: sys_prctl: get_random_int(): 35fb1e53
           <...>-23511 [000]   735.078712: sys_prctl: get_random_int(): dd582024
           <...>-23512 [001]   735.079486: sys_prctl: get_random_int(): 7ce66d42
           <...>-23513 [000]   735.080269: sys_prctl: get_random_int(): af53ec5d
           <...>-23514 [001]   735.081102: sys_prctl: get_random_int(): 42a0bb55
           <...>-23515 [001]   735.081920: sys_prctl: get_random_int(): f0ad05a9
           <...>-23516 [000]   735.082713: sys_prctl: get_random_int(): b6cd805b
           <...>-23517 [001]   735.083484: sys_prctl: get_random_int(): 6e4412d7
           <...>-23518 [000]   735.084271: sys_prctl: get_random_int(): b09f6954
           <...>-23519 [001]   735.085098: sys_prctl: get_random_int(): 225cd84b
           <...>-23520 [001]   735.085940: sys_prctl: get_random_int(): bb918e6f
           <...>-23521 [000]   735.086732: sys_prctl: get_random_int(): 8d6fea43
           <...>-23522 [001]   735.087505: sys_prctl: get_random_int(): f121f79f
           <...>-23523 [000]   735.088286: sys_prctl: get_random_int(): b9929ce5
           <...>-23524 [001]   735.089108: sys_prctl: get_random_int(): ac4c3c56
           <...>-23525 [001]   735.089919: sys_prctl: get_random_int(): 7649befe
           <...>-23526 [000]   735.090682: sys_prctl: get_random_int(): 0190d9a6
           <...>-23527 [001]   735.091455: sys_prctl: get_random_int(): b720e83c
           <...>-23528 [000]   735.092282: sys_prctl: get_random_int(): a437e32e
           <...>-23529 [001]   735.093105: sys_prctl: get_random_int(): 4793f742
           <...>-23530 [001]   735.093918: sys_prctl: get_random_int(): b205ede4
           <...>-23531 [000]   735.094681: sys_prctl: get_random_int(): 4507eb0d
           <...>-23532 [001]   735.095456: sys_prctl: get_random_int(): 8b7ca865
           <...>-23533 [000]   735.096278: sys_prctl: get_random_int(): 2eddd1e1
           <...>-23534 [001]   735.097106: sys_prctl: get_random_int(): 507754b5
           <...>-23535 [001]   735.097917: sys_prctl: get_random_int(): 57e24a43
           <...>-23536 [000]   735.098678: sys_prctl: get_random_int(): 4dd31c7f
           <...>-23537 [001]   735.099455: sys_prctl: get_random_int(): 25a0047f
           <...>-23538 [000]   735.100284: sys_prctl: get_random_int(): 87ce3636
           <...>-23539 [001]   735.101107: sys_prctl: get_random_int(): 172e6c5f
           <...>-23540 [001]   735.101918: sys_prctl: get_random_int(): a5f8c320
           <...>-23541 [000]   735.102680: sys_prctl: get_random_int(): 0e3d4632
           <...>-23542 [001]   735.103457: sys_prctl: get_random_int(): afa6b643
           <...>-23543 [000]   735.104281: sys_prctl: get_random_int(): 83043fcd
           <...>-23544 [001]   735.105107: sys_prctl: get_random_int(): 6a0f0232
           <...>-23545 [001]   735.105937: sys_prctl: get_random_int(): 19142bff
           <...>-23547 [001]   735.106777: sys_prctl: get_random_int(): 7a1e99a1
           <...>-23548 [001]   735.107587: sys_prctl: get_random_int(): 358dd65e
           <...>-23550 [001]   735.109218: sys_prctl: get_random_int(): 3e023054

[-- Attachment #3: trace.bin --]
[-- Type: application/octet-stream, Size: 3408 bytes --]

Re: [patch] random: make get_random_int() more random

[Matt Mackall]

On Wed, May 06, 2009 at 10:09:54PM +0200, Ingo Molnar wrote:
> I then ran the FIPS randomness test over the first 20,000 bits [2.5K 
> data], which it passed:

That's proves nothing except that you have no idea what you're talking
about. People regularly break things that FIPS gives flying colors.
FIPS is nothing but a statistical sanity-check.

Do you need this to be publicly broken again by someone who actually knows
something about cryptanalysis before you'll accept that it's a bad
idea? If so, then please move the code out of random.c, so that I
don't have to share in your embarassment a second time.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [patch] random: make get_random_int() more random

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> On Wed, May 06, 2009 at 10:09:54PM +0200, Ingo Molnar wrote:
> > I then ran the FIPS randomness test over the first 20,000 bits [2.5K 
> > data], which it passed:
> 
> That's proves nothing except that you have no idea what you're 
> talking about. People regularly break things that FIPS gives 
> flying colors. FIPS is nothing but a statistical sanity-check.

The current code didnt even pass the FIPS test, due to:

           <...>-1739  [000]   112.487579: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487583: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487584: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487585: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487586: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487588: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487589: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487590: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487592: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487593: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487594: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487595: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487597: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487598: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487599: sys_prctl: get_random_int(): d1f8a190
           <...>-1739  [000]   112.487601: sys_prctl: get_random_int(): d1f8a190

Linus's patch is a marked improvement, and it is really what we need 
here mostly.

We cannot afford true physical randomness (it's too expensive to get 
and not all hw has it), and even a 'good' PRNG is pretty expensive. 
Performance is the main reason why the networking stack has its own 
fast hack.

> Do you need this to be publicly broken again by someone who 
> actually knows something about cryptanalysis before you'll accept 
> that it's a bad idea? If so, then please move the code out of 
> random.c, so that I don't have to share in your embarassment a 
> second time.

I see your flame, but what's your technical point?

	Ingo

Re: [patch] random: make get_random_int() more random

[Matt Mackall]

On Wed, May 06, 2009 at 10:51:45PM +0200, Ingo Molnar wrote:
> Linus's patch is a marked improvement, and it is really what we need 
> here mostly.

No one's arguing that it isn't an improvement. But -15 years of
research- points to MD4 (let alone **half**MD4) being insufficient. To
counter that, two non-cryptanalysts have presented nothing beyond "it
seems strong enough to me" and "it passes a meaningless test". Pardon
me if I'm not satisfied by that.

> We cannot afford true physical randomness (it's too expensive to get 
> and not all hw has it), and even a 'good' PRNG is pretty expensive. 

And what of my suggestion (multiple times now) to replace halfMD4 with
SHA1? Or AES. Or any cryptographic primitive that's not known to be
completely worthless?

-- 
Mathematics is the supreme nostalgia of our time.

Re: [patch] random: make get_random_int() more random

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> On Wed, May 06, 2009 at 10:51:45PM +0200, Ingo Molnar wrote:
> > Linus's patch is a marked improvement, and it is really what we need 
> > here mostly.
> 
> No one's arguing that it isn't an improvement. But -15 years of 
> research- points to MD4 (let alone **half**MD4) being 
> insufficient. To counter that, two non-cryptanalysts have 
> presented nothing beyond "it seems strong enough to me" and "it 
> passes a meaningless test". Pardon me if I'm not satisfied by 
> that.

So is it your point that mixing the cycle counter with a bad hash 
function is not sufficient? Not sufficient in precisely what threat 
model and against what attack vector? I'd like to hear specifics. 
The URLs pasted in this thread were inapposite - they were using 
information leaks from privileged contexts. If you have relevant 
URLs then please share them.

Are you worried about an attacker being able to run analysis code 
locally, trigger get_random_int() and observe its results, and then 
start a privileged context and know its address space layout?

I can tell you with near certainty that if we mix in the cycle 
counter (and those other task local and call local details) that 
then this attack vector is not practical on x86, at all.

( This particular attack would probably not be feasible even if we 
  used rot13 as the hash plus the cycle counter and the other values 
  - although i certainly feel more confident about this argument 
  with half-md4 in place as the hash. )

> > We cannot afford true physical randomness (it's too expensive to 
> > get and not all hw has it), and even a 'good' PRNG is pretty 
> > expensive.
> 
> And what of my suggestion (multiple times now) to replace halfMD4 
> with SHA1? Or AES. Or any cryptographic primitive that's not known 
> to be completely worthless?

They are all rather expensive, while the existing usage pattern for 
get_random_int() is really: "i want some randomness but also want it 
to be fast".

	Ingo

Re: [patch] random: make get_random_int() more random

[Jake Edge]

On Wed, 6 May 2009 22:09:54 +0200 Ingo Molnar wrote:

> Subject: random: make get_random_int() more random
> From: Linus Torvalds <torvalds@linux-foundation.org>
> Date: Tue, 5 May 2009 08:17:43 -0700 (PDT)
> 
> It's a really simple patch that basically just open-codes the current
> "secure_ip_id()" call, but when open-coding it we now use a _static_
> hashing area, so that it gets updated every time.

It seems like this should be queued up for stable, yes?  I just saw the
2.6.29.4 review patches go out, but this wasn't part of it ...

jake

-- 
Jake Edge - LWN - jake@lwn.net - http://lwn.net

Re: [Security] [patch] random: make get_random_int() more random

[Linus Torvalds]

On Thu, 14 May 2009, Jake Edge wrote:
>
> It seems like this should be queued up for stable, yes?  I just saw the
> 2.6.29.4 review patches go out, but this wasn't part of it ...

Well, I was hoping to maybe have actual timing numbers from some better 
hash, in case Matt can make one that is efficient enough. So I committed 
the randomness improvement as a clear _improvement_ over what we had, but 
it may not be the final version.

That said, I guess the same argument can be used for pushing it towards 
stable too. Even if we end up doing something fancier, the patch is 
clearly not any worse than what we have currently.

		Linus

Re: [Security] [patch] random: make get_random_int() more random

[Ingo Molnar]

* Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Thu, 14 May 2009, Jake Edge wrote:
> >
> > It seems like this should be queued up for stable, yes?  I just 
> > saw the 2.6.29.4 review patches go out, but this wasn't part of 
> > it ...
> 
> Well, I was hoping to maybe have actual timing numbers from some 
> better hash, in case Matt can make one that is efficient enough. 
> So I committed the randomness improvement as a clear _improvement_ 
> over what we had, but it may not be the final version.

yep, it was just a quick hack really. If someone can do a stronger 
hash that also happens to be faster i guess we all will be happy 
campers. The performance figures showed room for improvement - how 
well are those hashes optimized? Many thousands of cycles ... is 
that really justified?

> That said, I guess the same argument can be used for pushing it 
> towards stable too. Even if we end up doing something fancier, the 
> patch is clearly not any worse than what we have currently.

Agreed. Havent seen any issues due to it. Jake, mind bouncing the 
commit notification to stable@kernel.org?

	Ingo

Re: [Security] [patch] random: make get_random_int() more random

[Jake Edge]

On Fri, 15 May 2009 15:47:17 +0200 Ingo Molnar wrote:

> Jake, mind bouncing the 
> commit notification to stable@kernel.org?

Not at all, done!

jake

-- 
Jake Edge - LWN - jake@lwn.net - http://lwn.net

Re: [Security] [patch] random: make get_random_int() more random

[Willy Tarreau]

On Fri, May 15, 2009 at 03:47:17PM +0200, Ingo Molnar wrote:
> 
> * Linus Torvalds <torvalds@linux-foundation.org> wrote:
> 
> > On Thu, 14 May 2009, Jake Edge wrote:
> > >
> > > It seems like this should be queued up for stable, yes?  I just 
> > > saw the 2.6.29.4 review patches go out, but this wasn't part of 
> > > it ...
> > 
> > Well, I was hoping to maybe have actual timing numbers from some 
> > better hash, in case Matt can make one that is efficient enough. 
> > So I committed the randomness improvement as a clear _improvement_ 
> > over what we had, but it may not be the final version.
> 
> yep, it was just a quick hack really. If someone can do a stronger 
> hash that also happens to be faster i guess we all will be happy 
> campers. The performance figures showed room for improvement - how 
> well are those hashes optimized? Many thousands of cycles ... is 
> that really justified?

In fact we must keep in mind that those hashes produce far more data
than we need and we're throwing that data to the bin on every call.
If we use SHA1, we get 160 bits. We should save them and return them
by 5 packets of 32 bits, then only call SHA1 once every 5 calls. That
way, we get one slower exec every 5 calls but faster calls on average.

And if we can't get a good hash to be fast enough, let's make this
configurable. Most of us won't ever care about the strength of the
hash. People concerned about security won't care about the slower
hash. If we set the slower hash by default and have a tunable for
it, everyone will have the solution that fits them.

Willy

Re: [Security] [patch] random: make get_random_int() more random

[Ingo Molnar]

* Willy Tarreau <w@1wt.eu> wrote:

> On Fri, May 15, 2009 at 03:47:17PM +0200, Ingo Molnar wrote:
> > 
> > * Linus Torvalds <torvalds@linux-foundation.org> wrote:
> > 
> > > On Thu, 14 May 2009, Jake Edge wrote:
> > > >
> > > > It seems like this should be queued up for stable, yes?  I 
> > > > just saw the 2.6.29.4 review patches go out, but this wasn't 
> > > > part of it ...
> > > 
> > > Well, I was hoping to maybe have actual timing numbers from 
> > > some better hash, in case Matt can make one that is efficient 
> > > enough. So I committed the randomness improvement as a clear 
> > > _improvement_ over what we had, but it may not be the final 
> > > version.
> > 
> > yep, it was just a quick hack really. If someone can do a 
> > stronger hash that also happens to be faster i guess we all will 
> > be happy campers. The performance figures showed room for 
> > improvement - how well are those hashes optimized? Many 
> > thousands of cycles ... is that really justified?
> 
> In fact we must keep in mind that those hashes produce far more 
> data than we need and we're throwing that data to the bin on every 
> call. If we use SHA1, we get 160 bits. We should save them and 
> return them by 5 packets of 32 bits, then only call SHA1 once 
> every 5 calls. That way, we get one slower exec every 5 calls but 
> faster calls on average.

Good idea ...

> And if we can't get a good hash to be fast enough, let's make this 
> configurable. Most of us won't ever care about the strength of the 
> hash. People concerned about security won't care about the slower 
> hash. If we set the slower hash by default and have a tunable for 
> it, everyone will have the solution that fits them.

Bad idea IMHO ...

It is a bad idea because such sort of tunables do not really help 
the user as those who tweak are a distinct minority.

Also, having a two-way hack _hinders_ your good idea from being 
adopted for example. Why bother with a faster hash and with using 
the resulting bits sparingly if we can get an 'easy' tunable in and 
can have two sub-par solutions instead of one (harder to implement) 
good solution?

So tunables are really counter-productive - and this is a pet peeve 
of mine.

Every time we have such a tunable for something fundamental we've 
not improved the kernel, we've documented a _failure_ in kernel 
design and implementation.

Sure, we do use tunables for physical constants, limits and other 
natural parameters - and _sometimes_ we just grudingly admit defeat 
and admit that something is really impossible to implement. IMHO 
here we are not at that point yet, at all.

	Ingo

Re: [Security] [patch] random: make get_random_int() more random

[Eric W. Biederman]

Ingo Molnar <mingo@elte.hu> writes:

> * Willy Tarreau <w@1wt.eu> wrote:
>
>
> Bad idea IMHO ...
>
> It is a bad idea because such sort of tunables do not really help 
> the user as those who tweak are a distinct minority.
>
> Also, having a two-way hack _hinders_ your good idea from being 
> adopted for example. Why bother with a faster hash and with using 
> the resulting bits sparingly if we can get an 'easy' tunable in and 
> can have two sub-par solutions instead of one (harder to implement) 
> good solution?
>
> So tunables are really counter-productive - and this is a pet peeve 
> of mine.
>
> Every time we have such a tunable for something fundamental we've 
> not improved the kernel, we've documented a _failure_ in kernel 
> design and implementation.
>
> Sure, we do use tunables for physical constants, limits and other 
> natural parameters - and _sometimes_ we just grudingly admit defeat 
> and admit that something is really impossible to implement. IMHO 
> here we are not at that point yet, at all.

In the lwn comment section there was a suggestion to use a high
quality stream cipher (AES?) instead of sha1 or the half md4 thing.
Apparently those should be both stronger and faster.

I don't know enough about it except to say that sounds right in
principle.

Apparently some of the BSDs do something similar with arc4random.
arc4 is old and in some case broken so it is unlikely to make a good
choice at this point, but the overall design of a stream cipher
that is rekeyed ever 5 minutes seems sound.

Eric

Re: [Security] [patch] random: make get_random_int() more random

[Michael S. Zick]

On Sat May 16 2009, Eric W. Biederman wrote:
> Ingo Molnar <mingo@elte.hu> writes:
> 
> > * Willy Tarreau <w@1wt.eu> wrote:
> >
> >
> > Bad idea IMHO ...
> >
> > It is a bad idea because such sort of tunables do not really help 
> > the user as those who tweak are a distinct minority.
> >
> > Also, having a two-way hack _hinders_ your good idea from being 
> > adopted for example. Why bother with a faster hash and with using 
> > the resulting bits sparingly if we can get an 'easy' tunable in and 
> > can have two sub-par solutions instead of one (harder to implement) 
> > good solution?
> >
> > So tunables are really counter-productive - and this is a pet peeve 
> > of mine.
> >
> > Every time we have such a tunable for something fundamental we've 
> > not improved the kernel, we've documented a _failure_ in kernel 
> > design and implementation.
> >
> > Sure, we do use tunables for physical constants, limits and other 
> > natural parameters - and _sometimes_ we just grudingly admit defeat 
> > and admit that something is really impossible to implement. IMHO 
> > here we are not at that point yet, at all.
> 
> In the lwn comment section there was a suggestion to use a high
> quality stream cipher (AES?) instead of sha1 or the half md4 thing.
> Apparently those should be both stronger and faster.
> 
> I don't know enough about it except to say that sounds right in
> principle.
> 
> Apparently some of the BSDs do something similar with arc4random.
> arc4 is old and in some case broken so it is unlikely to make a good
> choice at this point, but the overall design of a stream cipher
> that is rekeyed ever 5 minutes seems sound.
> 
> Eric
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 
> 

And when building for the VIA processors that have the
hardware rng in the padlock firmware - -
Let the kernel use that for a high quality RNG.

Note: This may require a Kbuild tweak to force the via-rng
driver to be built-in if this solution is selected.

PS: I have two (different) VIA C7-M machines available for testing.

Mike

Re: [Security] [patch] random: make get_random_int() more random

[Michael S. Zick]

On Sat May 16 2009, Michael S. Zick wrote:
> On Sat May 16 2009, Eric W. Biederman wrote:
> > Ingo Molnar <mingo@elte.hu> writes:
> > 
> > > * Willy Tarreau <w@1wt.eu> wrote:
> > >
> > >
> > > Bad idea IMHO ...
> > >
> > > It is a bad idea because such sort of tunables do not really help 
> > > the user as those who tweak are a distinct minority.
> > >
> > > Also, having a two-way hack _hinders_ your good idea from being 
> > > adopted for example. Why bother with a faster hash and with using 
> > > the resulting bits sparingly if we can get an 'easy' tunable in and 
> > > can have two sub-par solutions instead of one (harder to implement) 
> > > good solution?
> > >
> > > So tunables are really counter-productive - and this is a pet peeve 
> > > of mine.
> > >
> > > Every time we have such a tunable for something fundamental we've 
> > > not improved the kernel, we've documented a _failure_ in kernel 
> > > design and implementation.
> > >
> > > Sure, we do use tunables for physical constants, limits and other 
> > > natural parameters - and _sometimes_ we just grudingly admit defeat 
> > > and admit that something is really impossible to implement. IMHO 
> > > here we are not at that point yet, at all.
> > 
> > In the lwn comment section there was a suggestion to use a high
> > quality stream cipher (AES?) instead of sha1 or the half md4 thing.
> > Apparently those should be both stronger and faster.
> > 
> > I don't know enough about it except to say that sounds right in
> > principle.
> > 
> > Apparently some of the BSDs do something similar with arc4random.
> > arc4 is old and in some case broken so it is unlikely to make a good
> > choice at this point, but the overall design of a stream cipher
> > that is rekeyed ever 5 minutes seems sound.
> > 
> > Eric
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at  http://www.tux.org/lkml/
> > 
> > 
> 
> And when building for the VIA processors that have the
> hardware rng in the padlock firmware - -
> Let the kernel use that for a high quality RNG.
> 
> Note: This may require a Kbuild tweak to force the via-rng
> driver to be built-in if this solution is selected.
> 
> PS: I have two (different) VIA C7-M machines available for testing.
>

Still getting kernel messages that there isn't a test for the rng - -
One (of many) ways to test the quality is to submit a bit string sample
to the Berlekamp-Massey algorithm; perhaps from repeated calls to the
generation function (it depends on your desired confidence level).

http://en.wikipedia.org/wiki/Berlekamp-Massey_algorithm 

If the solution is greater than a xyz bits long LFSR, the randomness 
is considered "good enough".

Note: The padlock firmware also has a Montgomery multiplier not yet 
exposed by a driver.

Mike
> Mike
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 
> 

Re: [Security] [patch] random: make get_random_int() more random

[Arjan van de Ven]

On Sat, 16 May 2009 09:28:16 -0500
"Michael S. Zick" <lkml@morethan.org> wrote:
> 
> Still getting kernel messages that there isn't a test for the rng - -
> One (of many) ways to test the quality is to submit a bit string
> sample to the Berlekamp-Massey algorithm; perhaps from repeated calls
> to the generation function (it depends on your desired confidence
> level).
> 

or we bite the bullet and implement the Fortuna PRNG algorithm
and feed it as much as we can, rather than caring if any if the sources
is not 100.000% perfect.

-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

Re: [Security] [patch] random: make get_random_int() more random

[Michael S. Zick]

On Sat May 16 2009, Arjan van de Ven wrote:
> On Sat, 16 May 2009 09:28:16 -0500
> "Michael S. Zick" <lkml@morethan.org> wrote:
> > 
> > Still getting kernel messages that there isn't a test for the rng - -
> > One (of many) ways to test the quality is to submit a bit string
> > sample to the Berlekamp-Massey algorithm; perhaps from repeated calls
> > to the generation function (it depends on your desired confidence
> > level).
> > 
> 
> or we bite the bullet and implement the Fortuna PRNG algorithm
> and feed it as much as we can, rather than caring if any if the sources
> is not 100.000% perfect.
> 

A reasonable cross-platform solution.
I just had to ping for supporting the VIA specific hardware solution.

Mike

Re: [Security] [patch] random: make get_random_int() more random

[Matt Mackall]

On Sat, May 16, 2009 at 05:02:42AM -0700, Eric W. Biederman wrote:
> Ingo Molnar <mingo@elte.hu> writes:
> 
> > * Willy Tarreau <w@1wt.eu> wrote:
> >
> >
> > Bad idea IMHO ...
> >
> > It is a bad idea because such sort of tunables do not really help 
> > the user as those who tweak are a distinct minority.
> >
> > Also, having a two-way hack _hinders_ your good idea from being 
> > adopted for example. Why bother with a faster hash and with using 
> > the resulting bits sparingly if we can get an 'easy' tunable in and 
> > can have two sub-par solutions instead of one (harder to implement) 
> > good solution?
> >
> > So tunables are really counter-productive - and this is a pet peeve 
> > of mine.
> >
> > Every time we have such a tunable for something fundamental we've 
> > not improved the kernel, we've documented a _failure_ in kernel 
> > design and implementation.
> >
> > Sure, we do use tunables for physical constants, limits and other 
> > natural parameters - and _sometimes_ we just grudingly admit defeat 
> > and admit that something is really impossible to implement. IMHO 
> > here we are not at that point yet, at all.
> 
> In the lwn comment section there was a suggestion to use a high
> quality stream cipher (AES?) instead of sha1 or the half md4 thing.
> Apparently those should be both stronger and faster.

Yes, this is something we've discussed. Unlike AES, the two hashes
we've been discussing are readily available in the kernel without
requiring cryptoapi.

It's also unclear that encrypting small blocks with software AES is
actually a performance win relative to SHA1, once you look at the key
scheduling overhead and the cache footprint of its s-boxes.

-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [patch] random: make get_random_int() more random

[Willy Tarreau]

On Sat, May 16, 2009 at 12:39:09PM +0200, Ingo Molnar wrote:
> > And if we can't get a good hash to be fast enough, let's make this 
> > configurable. Most of us won't ever care about the strength of the 
> > hash. People concerned about security won't care about the slower 
> > hash. If we set the slower hash by default and have a tunable for 
> > it, everyone will have the solution that fits them.
> 
> Bad idea IMHO ...
> 
> It is a bad idea because such sort of tunables do not really help 
> the user as those who tweak are a distinct minority.
> 
> Also, having a two-way hack _hinders_ your good idea from being 
> adopted for example. Why bother with a faster hash and with using 
> the resulting bits sparingly if we can get an 'easy' tunable in and 
> can have two sub-par solutions instead of one (harder to implement) 
> good solution?
> 
> So tunables are really counter-productive - and this is a pet peeve 
> of mine.
> 
> Every time we have such a tunable for something fundamental we've 
> not improved the kernel, we've documented a _failure_ in kernel 
> design and implementation.

I don't agree with your point. It is good when the user must choose
between performance and security. For instance, if we had to choose
between a very slow but secure TCP stack and a very fast but less
secure one, instead of making it half way for everyone, I'd prefer
to be able to select my usage. You see this in Solaris with their
tcp_strong_iss tunable (which provides more values than needed, as
people only use either 0 (fast) or 2 (secure)).

As long as we're not forced to choose between the two possibilities,
we don't need a tunable, but if we are forced to slow down exec by
20%, surely there are people who would prefer to ignore the security
aspect and keep their original performance.

Willy

Re: [Security] [patch] random: make get_random_int() more random

[Linus Torvalds]

On Sat, 16 May 2009, Willy Tarreau wrote:
> 
> I don't agree with your point. It is good when the user must choose
> between performance and security.

Well, quite frankly, historically "get_random_int()" has been exactly 
that.

It's based very much on top of the random number generator for networking, 
where performance was a primary goal. It's why the code has that 
re-seeding with "real" randomness that happens once a minute (or 
whatever): exactly because "real" randomness was too expensive (and would 
deplete the entropy pool).

So "get_random_int()" has _always_ been about a choice between performance 
and security. Ok, it's not been a "user" choice, but the thing is, most 
users really aren't capable of that choice - they may not think they care, 
until they get hacked (and not even necessarily then - the _bulk_ of 
hacked computers probably end up being used for DDoS kind of things, so 
the user itself is not even the primary target).

So I don't think that there are "insecure" and "secure" users - yes, 
there are people who care more, and people who care less, but we need to 
protect the people who care less even just to protect the people who care 
more ;)

But there very much _are_ performance vs "strength of hash" issues. And 
historically, "get_random_int()" has leaned towards the performance thing. 
It's just that it had a really outrageously stupid weakness that wasn't 
even really helping performance.

I think we've fixed the "outrageously stupid" part. It would certainly be 
good to make it even better.

And yes, giving out more of our pool (by remembering which part we've 
already given out) would make it possible to use a more expensive hash.

But at the same time, I personally suspect that it would be _much_ easier 
to attack the hash if we actually gave out the whole 16 bytes (over 
several iteration), when compared to what we do now (only give out a small 
part and then re-hash). I can't back that up with any proofs, though, but 
I suspect it's much harder to re-generate the hash if you never see more 
than a very small part of the output.

(That's especially true since whatever we do, the _one_ thing we can never 
do is to actually hide what hash we use. We can hide the data, but we 
can't hide the code. Others depend on also making it harder to guess 
even what the algorithm for the hash itself is).

			Linus

Re: [Security] [patch] random: make get_random_int() more random

[Willy Tarreau]

On Sat, May 16, 2009 at 08:23:11AM -0700, Linus Torvalds wrote:
> But at the same time, I personally suspect that it would be _much_ easier 
> to attack the hash if we actually gave out the whole 16 bytes (over 
> several iteration), when compared to what we do now (only give out a small 
> part and then re-hash). I can't back that up with any proofs, though, but 
> I suspect it's much harder to re-generate the hash if you never see more 
> than a very small part of the output.

if we use incremental values (such as modulus after a multiply), yes. But
SHA1 is not know yet to be easily reversible. I mean, it's not because you
can read the 160 bits of a hash which corresponds to a stupid counter that
you can guess the next 160 bits you will get. Of course the "stupid counter"
I'm speaking about must include some randomness itself so that it does not
end up with a small set of finite elements. But I'm not worried at all about
giving out all of the 160 bits of an SHA1 result.

Willy

Re: [Security] [patch] random: make get_random_int() more random

[Oliver Neukum]

Am Samstag, 16. Mai 2009 17:23:11 schrieb Linus Torvalds:
> (That's especially true since whatever we do, the _one_ thing we can never
> do is to actually hide what hash we use. We can hide the data, but we
> can't hide the code. Others depend on also making it harder to guess
> even what the algorithm for the hash itself is).

Why can't we implement more than one hash and choose at boot time?
Or even change the hash on the fly? That's not as good as a secret
algorithm, but the attacker would have to guess which is used.

	Regards
		Oliver

Re: [Security] [patch] random: make get_random_int() more random

[Linus Torvalds]

On Sat, 16 May 2009, Oliver Neukum wrote:
> 
> Why can't we implement more than one hash and choose at boot time?
> Or even change the hash on the fly? That's not as good as a secret
> algorithm, but the attacker would have to guess which is used.

There's never really any point in just expanding the search space by some 
small factor. You want to expand the search space _exponentially_, not by 
just making it "three times harder".

Small factors are meaningless, because it's just going to cut down your 
success rate (well, in this case "failure rate" depending on which side 
you're on) by a small constant factor.

So "one of X known functions" does not help - it's a small constant 
factor, and you're likely _much_ better off instead just adding a couple 
of bits of hash space or entropy instead, which also makes things harder. 

Hashing in the TSC, for example, when possible, is a _lot_ more effective: 
even if the attacker can easily get a close estimation of roughly where 
the TSC is, in practice it's going to add a couple of bits of effectively 
random data on each iteration, and as such is much more powerful than 
adding a couple of bits of effectively random data just once at bootup.

What people often do is to use multiple hashes, but not select among them, 
but run them sequentially over the same data - so that if one hash is 
broken, the combination is not. And even if all hashes are broken, it's 
quite likely that the combination is much harder to break (and not by a 
small constant factor, but potentially a multiplicative cost of each 
individual hash breakage - so as long as breaking each hash isn't some 
_trivial_ O(1) thing, doing sequential hashing can add real security).

Of course, doing the sequential hashes isn't exactly good for performance ;)

			Linus

Re: [Security] [patch] random: make get_random_int() more random

[Linus Torvalds]

On Sat, 16 May 2009, Linus Torvalds wrote:
>
> So "one of X known functions" does not help

Side note - here the keyword is "X known functions". If the function 
simply isn't known at all, you've now made it harder by a _much_ higher 
factor. If the function is any good (ie doesn't leave any patterns to 
guess what function it is), you really basically have to first solve that 
independent problem.

And the space of possible functions is pretty damn large, even if you 
start with some assumption ("some combination of known good cryptographic 
hashes + some unknown seeding algorithm and data").

So practically speaking, nobody ever cracks those things without somehow 
decoding the function itself (through doing something like disassembling 
obfuscated code).

				Linus

Re: [patch] random: make get_random_int() more random

[Américo Wang]

On Thu, May 7, 2009 at 4:09 AM, Ingo Molnar <mingo@elte.hu> wrote:
>
> * Linus Torvalds <torvalds@linux-foundation.org> wrote:
>
>> On Wed, 6 May 2009, Matt Mackall wrote:
>>
>> > On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
>>
>> > > (Also, obviously "only" covering 95% of the Linux systems has
>> > > its use as well. Most other architectures have their own cycle
>> > > counters as well.)
>> >
>> > X86 might be 95% of desktop. But it's a small fraction of Linux
>> > systems once you count cell phones, video players, TVs, cameras,
>> > GPS devices, cars, routers, etc. almost none of which are
>> > x86-based. In fact, just Linux cell phones (with about an 8%
>> > share of a 1.2billion devices per year market) dwarf Linux
>> > desktops (maybe 5% of a 200m/y market).
>>
>> Matt, are you willing to ack my suggested patch which adds history
>> to the mix? Did somebody test that? I have this memory of there
>> being an "exploit" program to show the non-randomness of the
>> values, but I can't recall details, and would really want to get a
>> second opinion from somebody who cares about PRNG's.
>
> I tested it, and besides booting up fine, i also tested the
> get_random_int() randomness. I did this by adding this quick
> trace_printk() line:
>
>   trace_printk("get_random_int(): %08x\n", get_random_int());
>
> to sys_prctl() and triggered sys_prctl() in a loop, which gave a
> list of get_random_int() numbers:
>
> # tracer: nop
> #
> #           TASK-PID    CPU#    TIMESTAMP  FUNCTION
> #              | |       |          |         |
>           <...>-6288  [000]   618.151323: sys_prctl: get_random_int(): 2e927f66
>           <...>-6290  [000]   618.152924: sys_prctl: get_random_int(): d210df1f
>           <...>-6293  [000]   618.155326: sys_prctl: get_random_int(): 753ad860
>           <...>-6295  [000]   618.156939: sys_prctl: get_random_int(): c74d935f
>           <...>-6298  [000]   618.159334: sys_prctl: get_random_int(): bb4e7597
>           <...>-6300  [000]   618.160936: sys_prctl: get_random_int(): b0119885
>           <...>-6303  [000]   618.163331: sys_prctl: get_random_int(): 093f5c70
>

I used systemtap to test this patch too, the result is too obvious. :-)
Samples of output are the following:

==before this patch==
get_random_int returns: f3f71569
get_random_int returns: f3f71569
get_random_int returns: f3f71569
get_random_int returns: f3f71569
get_random_int returns: f3f71569
get_random_int returns: f3f71569
get_random_int returns: c3e650c8
get_random_int returns: c3e650c8
get_random_int returns: c3e650c8
get_random_int returns: c3e650c8
get_random_int returns: c3e650c8
get_random_int returns: c3e650c8

==after this patch==
get_random_int returns: b7566a5b
get_random_int returns: f4b86171
get_random_int returns: 25dd8fd8
get_random_int returns: 58ab81ce
get_random_int returns: f39dbcb2
get_random_int returns: cbf308f9
get_random_int returns: 32d9c09e
get_random_int returns: 4eedfcad
get_random_int returns: fe87cb99
get_random_int returns: 1bd42857
get_random_int returns: 837cf921
get_random_int returns: d9a39d80


Hope this helps.

Thanks!

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Ingo Molnar]

* Matt Mackall <mpm@selenic.com> wrote:

> On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
> > (Also, obviously "only" covering 95% of the Linux systems has its 
> > use as well. Most other architectures have their own cycle counters 
> > as well.)
> 
> X86 might be 95% of desktop. But it's a small fraction of Linux 
> systems once you count cell phones, video players, TVs, cameras, 
> GPS devices, cars, routers, etc. almost none of which are 
> x86-based. In fact, just Linux cell phones (with about an 8% share 
> of a 1.2billion devices per year market) dwarf Linux desktops 
> (maybe 5% of a 200m/y market).

Firstly, the cycle counter is just one out of several layers there. 
So it's a hyperbole to suggest that i'm somehow not caring about 
architectures that dont have a cycle counter. I'm simply making use 
of a cheaply accessed and fast-changing variable on hw that has it.

Also, are those systems really going to be attacked locally, 
brute-forcing a PRNG? Servers and desktops are the more likely 
targets. They both have the necessary computing power to run 
statistical analysis locally fast enough and have an actual value to 
be attacked.

And, even if we ignored those factors, ad argumendo, you would still 
be wrong IMHO: what matters really in this context isnt even any 
artificial 'share' metric - but the people willing to improve and 
fix the upstream kernel, and the reasons why they do that, and the 
platforms they use.

And amongst our contributors and testers, willing to run and improve 
the latest upstream kernel, x86 has a larger than 95% share. Look at 
kerneloops.org stats. Or bugzilla. Or lkml.

If embedded matters that much, make it show up as a real factor on 
those upstream forums. Lets call this Ingo's Law: if something 
doesnt improve the upstream kernel, directly or indirectly, it does 
not exist ;-)

	Ingo

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Matt Mackall]

On Wed, May 06, 2009 at 10:25:17PM +0200, Ingo Molnar wrote:
> 
> * Matt Mackall <mpm@selenic.com> wrote:
> 
> > On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
> > > (Also, obviously "only" covering 95% of the Linux systems has its 
> > > use as well. Most other architectures have their own cycle counters 
> > > as well.)
> > 
> > X86 might be 95% of desktop. But it's a small fraction of Linux 
> > systems once you count cell phones, video players, TVs, cameras, 
> > GPS devices, cars, routers, etc. almost none of which are 
> > x86-based. In fact, just Linux cell phones (with about an 8% share 
> > of a 1.2billion devices per year market) dwarf Linux desktops 
> > (maybe 5% of a 200m/y market).
> 
> Firstly, the cycle counter is just one out of several layers there. 
> So it's a hyperbole to suggest that i'm somehow not caring about 
> architectures that dont have a cycle counter. I'm simply making use 
> of a cheaply accessed and fast-changing variable on hw that has it.

Whatever, I've never argued against TSC being beneficial. But it sure
as hell is not sufficient. Your original claim that this attack was
not possible in your original code: still bogus.
 
> Also, are those systems really going to be attacked locally, 
> brute-forcing a PRNG? 

Yes[1], even though my point was mostly to shoot down your bogus
statistic for reasons unrelated to this discussion. If you want to
make a new claim that '95% of Linux systems interesting to Ingo are
x86', I won't argue with that.

[1] 95% of security holes are caused by developer failures of imagination.
-- 
Mathematics is the supreme nostalgia of our time.

Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[Andi Kleen]

Matt Mackall <mpm@selenic.com> writes:
>
> Looking forward:
>
> A faster-but-weakened RNG for ASLR (and similar purposes) 

We really need it for the user space interface too, right now
recent glibc drains your entropy pool on every exec, and worse
recent kernels drain it now even with old glibc too. So any
system which doesn't have a active high frequency random number
source (which is most systems) doesn't have much real entropy
left for the applications that really need it.

-Andi (who always thought it was a bad idea to let ASLR weaken
your SSL/SSH session keys)

-- 
ak@linux.intel.com -- Speaking for myself only.