lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 21 Oct 2008 13:22:18 -0700
From:	Ulrich Drepper <drepper@...hat.com>
To:	Andrew Morton <akpm@...ux-foundation.org>
CC:	Kees Cook <kees.cook@...onical.com>, jakub@...hat.com,
	arjan@...radead.org, roland@...hat.com,
	linux-kernel@...r.kernel.org, libc-alpha@...rceware.org
Subject: Re: [PATCH v5] ELF: implement AT_RANDOM for glibc PRNG seeding

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Morton wrote:
> I read the above changeloglet and read the above-linked page and it's
> still 87% unclear to me what this feature does.  Something to do with
> stack randomisation, apparently.  I suppose I could go do further
> hunting, but from the quality-of-changelog POV I don't think I should
> need to do so.

Not stack randomization.  glibc needs right after startup a bit of
random data for internal protections (stack canary etc).  What is now in
upstream glibc is that we always unconditionally open /dev/urandom, read
some data, and use it.  For every process startup.  That's slow.

In addition Andi mentioned that this use of /dev/urandom might be
problematic.  I let him explain this.

The solution is to provide a limited amount of random data to the
starting process in the aux vector.  I suggested 16 bytes and this is
what the patch implements.  If we need only 16 bytes or less we use the
data directly.  If we need more we'll use the 16 bytes to see a PRNG.
This avoids the costly /dev/urandom use and it allows the kernel to use
the most adequate source of random data for this purpose.  It might not
be the same pool as that for /dev/urandom.


> It's unclear to me that the random-number issue got sorted out?

I think the last patch used the normal function to get 16 random bytes,
equivalent to the data used for stack randomization etc.

If Andi has concrete proposals for a revamp of the use of entropy in the
kernel this can be easily done as an add-on.  This patch doesn't make
the situation worse, it doesn't deplete entropy more than it happens now.

- --
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj+OfoACgkQ2ijCOnn/RHST+gCfTriVvBAdfYNXSPuklog3V47u
/2kAnipBxYx7IFZe/M2zc6MOnDZkalSb
=JpXN
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ