From: John Reiser <jreiser@BitWagon.com>
To: Theodore Tso <tytso@mit.edu>
Cc: Matt Mackall <mpm@selenic.com>,
linux-kernel@vger.kernel.org, security@kernel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data
Date: Mon, 17 Dec 2007 08:30:05 -0800 [thread overview]
Message-ID: <4766A40D.4080804@BitWagon.com> (raw)
In-Reply-To: <20071215043208.GF17344@thunk.org>
Theodore Tso wrote:
> On Fri, Dec 14, 2007 at 04:30:08PM -0800, John Reiser wrote:
>
>>There is a path that goes from user data into the pool.
Note particularly that the path includes data from other users.
Under the current implementation, anyone who accesses /dev/urandom
is subject to having some bytes from their address space being captured
and mixed into the pool.
>> This path
>>is subject to manipulation by an attacker, for both reading and
>>writing. Are you going to guarantee that in five years nobody
>>will discover a way to take advantage of it?
> Yep, I'm confident about making such a guarantee. Very confident.
A direct attack (determining the specific values or partial values
of some captured bytes) is not the only way to steal secrets.
An indirect attack, such as traffic analysis, also may be effective.
Here is one idea. Use output from /dev/urandom to generate a random
permutation group. Analyze the group: determine all its subgroups, etc.
If the structure of those groups has different properties depending
on the captured bytes, even after SHA1 and folding and twisting,
then that may be enough to help steal secrets.
Indirect attacks may be subject to "exponent doubling." The state
modulo 2**(2n) may correspond to a system of 2**n congruences
in 2**n variables. So a property modulo 2**n might be hoisted to a
related property modulo 2**(2n). This might make 2**1024 seem to be
not so big.
Also, "getting lucky" is allowed, both via initial conditions and
via other coincidences. Running on a newly-booted, newly-installed
system might be especially advantageous. A completely formal
Goedel-numbering proof often has a formal checker that is logarithmic
in the length of the proof. If such a logarithmic property applies
every once in a while to /dev/urandom, then that might be enough.
The bottom line: At a cost of at most three unpredictable branches
(whether to clear the bytes in the last word with indices congruent
to 1, 2, or 3 modulo 4), then the code can reduce the risk from something
small but positive, to zero. This is very inexpensive insurance.
--
John Reiser, jreiser@BitWagon.com
next prev parent reply other threads:[~2007-12-17 16:30 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-14 19:34 /dev/urandom uses uninit bytes, leaks user data John Reiser
2007-12-14 20:13 ` Matt Mackall
2007-12-14 20:45 ` John Reiser
2007-12-14 23:23 ` Theodore Tso
2007-12-15 0:30 ` John Reiser
2007-12-15 4:32 ` Theodore Tso
2007-12-17 16:30 ` John Reiser [this message]
2007-12-17 17:36 ` Theodore Tso
2007-12-18 0:52 ` Andy Lutomirski
2007-12-18 3:05 ` Theodore Tso
2007-12-18 3:13 ` David Newall
2007-12-18 3:46 ` Theodore Tso
2007-12-18 4:09 ` David Newall
2007-12-18 4:23 ` Theodore Tso
2007-12-19 22:43 ` Bill Davidsen
2007-12-19 22:40 ` Bill Davidsen
2007-12-20 4:18 ` Andrew Lutomirski
2007-12-20 20:17 ` Phillip Susi
2007-12-21 16:10 ` Andrew Lutomirski
2007-12-22 1:14 ` Theodore Tso
2007-12-26 18:30 ` Phillip Susi
2007-12-20 20:36 ` Theodore Tso
2007-12-27 10:44 ` Pavel Machek
2007-12-18 5:12 ` David Schwartz
2007-12-17 20:59 ` David Schwartz
2007-12-15 7:13 ` Herbert Xu
2007-12-15 16:30 ` Matt Mackall
2007-12-17 17:28 ` Signed divides vs shifts (Re: [Security] /dev/urandom uses uninit bytes, leaks user data) Linus Torvalds
2007-12-17 17:48 ` Al Viro
2007-12-17 17:55 ` Eric Dumazet
2007-12-17 18:05 ` Ray Lee
2007-12-17 18:10 ` Eric Dumazet
2007-12-17 18:12 ` Ray Lee
2007-12-17 18:23 ` Al Viro
2007-12-17 18:28 ` [Security] Signed divides vs shifts (Re: " Linus Torvalds
2007-12-17 19:08 ` Al Viro
-- strict thread matches above, loose matches on Subject: below --
2007-12-15 7:20 /dev/urandom uses uninit bytes, leaks user data Matti Linnanvuori
2007-12-15 7:54 ` Valdis.Kletnieks
2007-12-15 22:44 linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4766A40D.4080804@BitWagon.com \
--to=jreiser@bitwagon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mpm@selenic.com \
--cc=security@kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).