From: Willy Tarreau <w@1wt.eu>
To: George Spelvin <lkml@sdf.org>
Cc: netdev@vger.kernel.org, aksecurity@gmail.com,
torvalds@linux-foundation.org, edumazet@google.com,
Jason@zx2c4.com, luto@kernel.org, keescook@chromium.org,
tglx@linutronix.de, peterz@infradead.org, tytso@mit.edu,
lkml.mplumb@gmail.com, stephen@networkplumber.org, fw@strlen.de
Subject: Re: [DRAFT PATCH] random32: make prandom_u32() output unpredictable
Date: Sun, 9 Aug 2020 21:16:34 +0200 [thread overview]
Message-ID: <20200809191634.GC8063@1wt.eu> (raw)
In-Reply-To: <20200809183017.GC25124@SDF.ORG>
On Sun, Aug 09, 2020 at 06:30:17PM +0000, George Spelvin wrote:
> I'm trying to understand your attack scenario. I'm assuming that an
> attacker can call prandom_u32() locally.
Well, first, I'm mostly focusing on remote attacks, because if the
attacker has a permanent local access, he can as well just bind()
a source port instead of having to guess the next one that will be
used. Second, I'm not aware of direct access from userland, so the
calls to prandom_u32() are expected to be done only via specific
code parts. The worst case (in my opinion) is when the attacker
runs on the same physical CPU and exploits some memory leakage to
find the internal state and uses the same TSC, but can only trigger
prandom_u32() via the network, hence with much less precision.
(...)
> Even something simple like buffering 8 TSC samples, and adding them
> at 32-bit offsets across the state every 8th call, would make a huge
> difference.
>
> Even if 7 of the timestamps are from attacker calls (4 bits
> uncertainty), the time of the target call is 8x less known
> (so it goes from 15 to 18 bits), and the total becomes
> 46 bits. *So* much better.
Maybe. I'm just suggesting to add *some* noise to keep things not
exploitable if the state is stolen once in a while (which would
already be a big problem, admittedly).
> > I can run some tests on this as
> > well. I'd really need to try on a cleaner setup, I have remote machines
> > at the office but I don't feel safe enough to remotely reboot them and
> > risk to lose them :-/
>
> Yeah, test kernels are nervous-making that way.
In fact I never booted a 5.8 kernel on the machine I'm thinking about
yet and can't remote-control its power supply, so I'm worried about
a dirty hang at boot by missing a config entry. The risk is low but
that's annoying when it happens.
> > I'll also test on arm/arm64 to make sure we don't introduce a significant
> > cost there.
>
> I don't expect a problem, but SipHash is optimized for 4-issue processors,
> and on narrower machines fewer instructions are "free".
OK.
Willy
next prev parent reply other threads:[~2020-08-09 19:17 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-08 15:26 Flaw in "random32: update the net random state on interrupt and activity" George Spelvin
2020-08-08 17:07 ` Andy Lutomirski
2020-08-08 18:08 ` Willy Tarreau
2020-08-08 18:13 ` Linus Torvalds
2020-08-08 19:03 ` George Spelvin
2020-08-08 19:49 ` Andy Lutomirski
2020-08-08 21:29 ` George Spelvin
2020-08-08 17:44 ` Willy Tarreau
2020-08-08 18:19 ` Linus Torvalds
2020-08-08 18:53 ` Willy Tarreau
2020-08-08 20:47 ` George Spelvin
2020-08-08 20:52 ` Linus Torvalds
2020-08-08 22:27 ` George Spelvin
2020-08-09 2:07 ` Linus Torvalds
2020-08-11 16:01 ` Eric Dumazet
2020-08-08 19:18 ` Florian Westphal
2020-08-08 20:59 ` George Spelvin
2020-08-08 21:18 ` Willy Tarreau
2020-08-08 20:08 ` George Spelvin
2020-08-08 20:47 ` Linus Torvalds
2020-08-09 6:57 ` [DRAFT PATCH] random32: make prandom_u32() output unpredictable George Spelvin
2020-08-09 9:38 ` Willy Tarreau
2020-08-09 17:06 ` George Spelvin
2020-08-09 17:33 ` Willy Tarreau
2020-08-09 18:30 ` George Spelvin
2020-08-09 19:16 ` Willy Tarreau [this message]
2020-08-10 11:47 ` Willy Tarreau
2020-08-10 12:01 ` David Laight
2020-08-10 14:48 ` Willy Tarreau
2020-08-10 12:03 ` Florian Westphal
2020-08-10 14:53 ` Willy Tarreau
2020-08-10 16:31 ` Linus Torvalds
2020-08-10 16:58 ` Willy Tarreau
2020-08-10 17:45 ` Linus Torvalds
2020-08-10 18:01 ` Willy Tarreau
2020-08-10 21:04 ` Willy Tarreau
2020-08-11 5:26 ` George Spelvin
2020-08-11 5:37 ` Willy Tarreau
2020-08-11 3:47 ` George Spelvin
2020-08-11 3:58 ` Willy Tarreau
[not found] ` <fdbc7d7d-cba2-ef94-9bde-b3ccae0cfaac@gmail.com>
2020-08-09 21:10 ` Marc Plumb
2020-08-09 21:48 ` Linus Torvalds
2020-08-09 13:50 ` Randy Dunlap
[not found] ` <CANEQ_++a4YcwQQ2XhuguTono9=RxbSRVsMw08zLWBWJ_wxG2AQ@mail.gmail.com>
2020-08-09 16:08 ` George Spelvin
[not found] <CA+icZUVnsmf1kXPYFYufStQ_MxnLuxL+EWfDS2wQy1VbAEMwkA@mail.gmail.com>
2020-08-09 21:10 ` Sedat Dilek
[not found] ` <20200809235412.GD25124@SDF.ORG>
[not found] ` <20200810034948.GB8262@1wt.eu>
[not found] ` <20200811053455.GH25124@SDF.ORG>
[not found] ` <20200811054328.GD9456@1wt.eu>
[not found] ` <20200811062814.GI25124@SDF.ORG>
[not found] ` <20200811074538.GA9523@1wt.eu>
2020-08-11 10:51 ` Sedat Dilek
2020-08-11 11:01 ` Sedat Dilek
2020-08-12 3:21 ` Willy Tarreau
2020-08-13 7:53 ` Sedat Dilek
2020-08-13 8:06 ` Willy Tarreau
2020-08-13 8:13 ` Sedat Dilek
2020-08-13 8:27 ` Sedat Dilek
2020-08-13 14:00 ` Eric Dumazet
2020-08-13 16:02 ` Sedat Dilek
2020-08-14 15:32 ` Sedat Dilek
2020-08-14 16:05 ` Willy Tarreau
2020-08-14 16:17 ` Sedat Dilek
2020-08-16 15:01 ` Willy Tarreau
2020-08-16 16:48 ` Sedat Dilek
2020-08-20 3:05 ` Sedat Dilek
2020-08-20 4:33 ` Willy Tarreau
2020-08-20 4:42 ` Sedat Dilek
2020-08-20 6:08 ` Willy Tarreau
2020-08-20 6:58 ` Willy Tarreau
2020-08-20 8:05 ` Willy Tarreau
2020-08-20 12:08 ` Sedat Dilek
[not found] ` <CANEQ_+L+22Hkdqf38Zr0bfq16fcL1Ax2X9fToXV_niHKXCB8aA@mail.gmail.com>
2020-08-27 1:09 ` Willy Tarreau
2020-08-27 7:08 ` Sedat Dilek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200809191634.GC8063@1wt.eu \
--to=w@1wt.eu \
--cc=Jason@zx2c4.com \
--cc=aksecurity@gmail.com \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=keescook@chromium.org \
--cc=lkml.mplumb@gmail.com \
--cc=lkml@sdf.org \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stephen@networkplumber.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).