From: Kees Cook <keescook@chromium.org>
To: "Theodore Ts'o" <tytso@mit.edu>, PaX Team <pageexec@freemail.hu>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
David Brown <david.brown@linaro.org>,
emese Revfy <re.emese@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Brad Spengler <spender@grsecurity.net>,
Michal Marek <mmarek@suse.com>, Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
Masahiro Yamada <yamada.masahiro@socionext.com>,
linux-kbuild <linux-kbuild@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>, Jens Axboe <axboe@kernel.dk>,
Al Viro <viro@zeniv.linux.org.uk>,
Paul McKenney <paulmck@linux.vnet.ibm.com>,
Ingo Molnar <mingo@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
bart.vanassche@sandisk.com,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [kernel-hardening] Re: [PATCH v2 1/3] Add the latent_entropy gcc plugin
Date: Thu, 9 Jun 2016 13:08:53 -0700 [thread overview]
Message-ID: <CAGXu5jJHE8LHdG2_j8L_LfraqMmCpwMiyeEMav7pxoKBR0_GCQ@mail.gmail.com> (raw)
In-Reply-To: <20160609195533.GE5421@thunk.org>
On Thu, Jun 9, 2016 at 12:55 PM, Theodore Ts'o <tytso@mit.edu> wrote:
> On Thu, Jun 09, 2016 at 07:22:29PM +0200, PaX Team wrote:
>> > Well, the attacker can't control when the interrupts happen, but it
>> > could try to burn power by simply having a thread spin in an infinite
>> > loop ("0: jmp 0"), sure.
>>
>> yes, that's one obvious way to accomplish it but even normal applications can
>> behave in a similar way, think about spinning event loops, media decoding, etc
>> whose sampled insn ptrs may provide less entropy than they get credited for.
>
> Sure, as long as we're assuming less than one bit of entropy per
> interrupt, even for a loop which which is:
>
> 1: cmpl $1, -8(%rsp)
> jz 1b
>
> there would still be *some* uncertainty. And with an event loop there
> would be more instructions to sample. Granted, the number of cycles
> spent in each will be different, so there will be some biasing, but
> that's one of the reason why we've been using 1/64 bit per interrupt.
>
>> yes, no entropy is credited since i don't know how much there is and i tend to err
>> on the side of safety which means crediting 0 entropy for latent entropy. of course
>> the expectation is that it's not actually 0 but to prove any specific value or limit
>> is beyond my skills at least.
>
> Sure, that's fair.
>
>> i think it's not just per 64 interrupts but also after each elapsed second (i.e.,
>> whichever condition occurs first), so on an idle system (which i believe is more
>> likely to occur on exactly those small systems that the referenced paper was concerned
>> about) the credited entropy could be overestimated.
>
> That's a fair concern. It might be that we should enforce some
> minimum (at least 8 interrupts in all cases), but this is where it's
> all about hueristics, especially on those systems that don't have random_get_entropy().
>
>> > In practice, on most modern CPU where we have a cycle counter,
>>
>> a quick check for get_cycles shows that at least these archs seem to return 0:
>> arc, avr32, cris, frv, m32r, m68k, xtensa. now you may not think of them as modern,
>> but they're still used in real life devices. i think that latent entropy is still
>> an option on them.
>
> It's possible for a system not to have a cycle counter, but to have
> something that can be used instead for random_get_entropy. That's
> only being used for the m68k/amiga and mips/R6000[A] cases, but I keep
> hoping that the archiecture maintainers for osme of these other
> oddball platform (is that better than "non-modern"? :-) will come up
> with something, but yes, it is those platforms where I've always been
> the most worried. On the one hand, if the hardware is crap, there's
> very little you can do. Unfortnuately, very often these crap
> architectures have a very low BOM cost, so they are most likely to be
> used in IOT devices. :-(
>
> One could try to claim that these IOT devics won't have upgradeable
> firmware and, so they'll probably be security disasters even without a
> good random number generators, but oddly, that doesn't give me much
> solace...
>
> And in the end, that may be the strongest argment for the
> latent_entropy plugin. Even if it doesn't provide a lot of extra
> entropy, on those platforms we're going to be so starved of real
> entropy that almost anything will be better than what we have today.
Yeah, that's been my thinking around this. And on more sane systems,
using latent_entropy doesn't make things worse. :)
-Kees
--
Kees Cook
Chrome OS & Brillo Security
next prev parent reply other threads:[~2016-06-09 20:09 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-30 23:30 [PATCH v2 0/3] Introduce the latent_entropy gcc plugin Emese Revfy
2016-05-30 23:31 ` [PATCH v2 1/3] Add " Emese Revfy
2016-06-01 19:42 ` Andrew Morton
2016-06-03 17:42 ` Emese Revfy
2016-06-06 13:38 ` [kernel-hardening] " David Brown
2016-06-06 15:50 ` Kees Cook
2016-06-06 19:30 ` PaX Team
2016-06-06 23:13 ` Theodore Ts'o
2016-06-07 12:19 ` PaX Team
2016-06-07 13:58 ` Theodore Ts'o
2016-06-09 17:22 ` PaX Team
2016-06-09 19:55 ` Theodore Ts'o
2016-06-09 20:08 ` Kees Cook [this message]
2016-06-09 21:51 ` Kees Cook
2016-06-13 21:49 ` Emese Revfy
2016-06-14 18:27 ` Kees Cook
2016-06-14 22:31 ` Emese Revfy
2016-05-30 23:32 ` [PATCH v2 2/3] Mark functions with the latent_entropy attribute Emese Revfy
2016-05-30 23:34 ` [PATCH v2 3/3] Add the extra_latent_entropy kernel parameter Emese Revfy
2016-06-09 21:18 ` [PATCH v2 0/3] Introduce the latent_entropy gcc plugin Kees Cook
2016-06-09 23:33 ` Emese Revfy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jJHE8LHdG2_j8L_LfraqMmCpwMiyeEMav7pxoKBR0_GCQ@mail.gmail.com \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=bart.vanassche@sandisk.com \
--cc=davem@davemloft.net \
--cc=david.brown@linaro.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=mmarek@suse.com \
--cc=pageexec@freemail.hu \
--cc=paulmck@linux.vnet.ibm.com \
--cc=re.emese@gmail.com \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=yamada.masahiro@socionext.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).