| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Dec 2007 08:30:05 -0800 From: John Reiser <jreiser@...Wagon.com> To: Theodore Tso <tytso@....edu> CC: Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org, security@...nel.org Subject: Re: /dev/urandom uses uninit bytes, leaks user data Theodore Tso wrote: > On Fri, Dec 14, 2007 at 04:30:08PM -0800, John Reiser wrote: > >>There is a path that goes from user data into the pool. Note particularly that the path includes data from other users. Under the current implementation, anyone who accesses /dev/urandom is subject to having some bytes from their address space being captured and mixed into the pool. >> This path >>is subject to manipulation by an attacker, for both reading and >>writing. Are you going to guarantee that in five years nobody >>will discover a way to take advantage of it? > Yep, I'm confident about making such a guarantee. Very confident. A direct attack (determining the specific values or partial values of some captured bytes) is not the only way to steal secrets. An indirect attack, such as traffic analysis, also may be effective. Here is one idea. Use output from /dev/urandom to generate a random permutation group. Analyze the group: determine all its subgroups, etc. If the structure of those groups has different properties depending on the captured bytes, even after SHA1 and folding and twisting, then that may be enough to help steal secrets. Indirect attacks may be subject to "exponent doubling." The state modulo 2**(2n) may correspond to a system of 2**n congruences in 2**n variables. So a property modulo 2**n might be hoisted to a related property modulo 2**(2n). This might make 2**1024 seem to be not so big. Also, "getting lucky" is allowed, both via initial conditions and via other coincidences. Running on a newly-booted, newly-installed system might be especially advantageous. A completely formal Goedel-numbering proof often has a formal checker that is logarithmic in the length of the proof. If such a logarithmic property applies every once in a while to /dev/urandom, then that might be enough. The bottom line: At a cost of at most three unpredictable branches (whether to clear the bytes in the last word with indices congruent to 1, 2, or 3 modulo 4), then the code can reduce the risk from something small but positive, to zero. This is very inexpensive insurance. -- John Reiser, jreiser@...Wagon.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists