| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 29 Jan 2017 19:52:20 -0500 From: Ken Goldman <kgoldman@...ibm.com> To: linux-kernel@...r.kernel.org Cc: tpmdd-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org Subject: Re: [RFC] tpm2-space: add handling for global session exhaustion On 1/27/2017 5:04 PM, James Bottomley wrote: >> Beware the nasty corner case: >> >> - Application asks for a session and gets 02000000 >> >> - Time elapses and 02000000 gets forcibly flushed >> >> - Later, app comes back, asks for a second session and again gets >> 02000000. >> >> - App gets very confused. >> >> May it be better to close the connection completely, which the >> application can detect, than flush a session and give this corner >> case? > > if I look at the code I've written, I don't know what the session > number is, I just save sessionHandle in a variable for later use (lets > say to v1). If I got the same session number returned at a later time > and placed it in v2, all I'd notice is that an authorization using v1 > would fail. I'm not averse to killing the entire connection but, > assuming you have fallback, it might be kinder simply to ensure that > the operations with the reclaimed session fail (which is what the code > currently does). My worry is that this session failure cannot be detected by the application. An HMAC failure could cause the app to tell a user that they entered the wrong password. Misleading. On the TPM, it could trigger the dictionary attack lockout. For a PIN index, it could consume a failure count. Killing a policy session that has e.g., a policy signed term could cause the application to go back to some external entity for another authorization signature. Let's go up to the stack. What's the attack? If we're worried about many simultaneous applications (wouldn't that be wonderful), why not just let startauthsession fail? The application can just retry periodically. Just allocate them in triples so there's no deadlock. If we're worried about a DoS attack, killing a session just helps the attacker. The attacker can create a few connections and spin on startauthsession, locking everyone out anyway. ~~ Also, let's remember that this is a rare application. Sessions are only needed for remote access (requiring encryption, HMAC or salt), or policy sessions. ~~ Should the code also reserve a session for the kernel? Mark it not kill'able?
Powered by blists - more mailing lists