From: Andi Kleen <andi@firstfloor.org>
To: Kees Cook <kees.cook@canonical.com>
Cc: Andi Kleen <andi@firstfloor.org>,
Roland McGrath <roland@redhat.com>,
linux-kernel@vger.kernel.org, Jakub Jelinek <jakub@redhat.com>,
Ulrich Drepper <drepper@redhat.com>,
libc-alpha@sourceware.org
Subject: Re: [PATCH] ELF: implement AT_RANDOM for future glibc use
Date: Tue, 7 Oct 2008 01:28:10 +0200 [thread overview]
Message-ID: <20081006232810.GP3180@one.firstfloor.org> (raw)
In-Reply-To: <20081006220759.GM10357@outflux.net>
On Mon, Oct 06, 2008 at 03:07:59PM -0700, Kees Cook wrote:
> On Mon, Oct 06, 2008 at 09:26:41PM +0200, Andi Kleen wrote:
> > > We're already using get_random* for stack, heap, and brk. Also,
> > > get_random* uses the nonblocking pool, so this is the same as if userspace
> > > had tried to pull bytes out of /dev/urandom, which (as I understand it)
> >
> > Yes exactly that's the problem. Think about it: do you really
> > need the same cryptographic strength for your mmap placement
> > as you need for your SSL session keys?
> >
> > And if you need true entropy for your session keys do you
> > still get it when it was all used for low security
> > purposes first?
>
> Off-list I was just shown random32(). If AT_RANDOM used that instead,
> would that be acceptable?
random32() is not a cryptographically strong RNG. I suspect it would
be pretty easy to reverse engineer its seed given some state. It hasn't
been designed to be protected against that.
While I suspect this wouldn't be a serious threat to the security
model for mmap (to break the mmap placement you would still need quite a lot of
addresses before you can predict some and I presume most apps do not leak
addresses) it would seem unnecessarily
weak to me because using a better algorithm is not very costly.
Also it might be a problem for some of the other potential users.
cryptographically strong RNGs are especially designed to make this
reverse engineering of the state hard.
Simple ones can be just a cryptographic hash + counter + secret or
the same with a encryption algorithm like AES, but there are
also algorithms who are especially designed for this like yarrow/fortuna
See
http://en.wikipedia.org/wiki/Cryptographically_secure_pseudo-random_number_generator
-Andi
--
ak@linux.intel.com
next prev parent reply other threads:[~2008-10-06 23:25 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20081001201116.GD12527@outflux.net>
[not found] ` <48E3EFD6.2010704@redhat.com>
[not found] ` <20081001215657.GH12527@outflux.net>
[not found] ` <20081001220948.GC32107@sunsite.ms.mff.cuni.cz>
[not found] ` <20081001222706.68E7E1544B4@magilla.localdomain>
2008-10-03 0:16 ` [PATCH] ELF: implement AT_RANDOM for future glibc use Kees Cook
2008-10-03 0:43 ` Jakub Jelinek
2008-10-03 5:25 ` Kees Cook
2008-10-03 5:29 ` Kees Cook
2008-10-03 5:57 ` Arjan van de Ven
2008-10-03 6:25 ` Ulrich Drepper
2008-10-03 14:50 ` [PATCH] ELF: implement AT_RANDOM for glibc PRNG seeding Kees Cook
2008-10-03 14:56 ` Ulrich Drepper
2008-10-03 14:57 ` Jakub Jelinek
2008-10-03 17:33 ` Kees Cook
2008-10-03 17:41 ` Ulrich Drepper
2008-10-03 17:59 ` [PATCH v5] " Kees Cook
2008-10-18 5:42 ` Ulrich Drepper
2008-10-21 20:01 ` Andrew Morton
2008-10-21 20:22 ` Ulrich Drepper
2008-10-27 5:46 ` Andrew Morton
2008-10-03 0:52 ` [PATCH] ELF: implement AT_RANDOM for future glibc use Roland McGrath
2008-10-03 5:15 ` Kees Cook
2008-10-03 20:22 ` Roland McGrath
2008-10-06 6:00 ` Andi Kleen
2008-10-06 17:50 ` Kees Cook
2008-10-06 18:25 ` David Wagner
2008-10-06 20:23 ` Andi Kleen
2008-10-06 22:16 ` David Wagner
2008-10-06 19:26 ` Andi Kleen
2008-10-06 22:01 ` Kees Cook
2008-10-06 23:19 ` Andi Kleen
2008-10-06 23:29 ` Kees Cook
2008-10-06 23:44 ` Andi Kleen
2008-10-06 22:07 ` Kees Cook
2008-10-06 23:28 ` Andi Kleen [this message]
2008-10-06 23:58 ` Roland McGrath
2008-10-07 0:08 ` Ulrich Drepper
2008-10-07 0:31 ` Kees Cook
2008-10-07 0:57 ` Ulrich Drepper
2008-10-07 1:44 ` Kees Cook
2008-10-07 1:51 ` Ulrich Drepper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081006232810.GP3180@one.firstfloor.org \
--to=andi@firstfloor.org \
--cc=drepper@redhat.com \
--cc=jakub@redhat.com \
--cc=kees.cook@canonical.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roland@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.