lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <476719E5.1010505@myrealbox.com>
Date:	Mon, 17 Dec 2007 19:52:53 -0500
From:	Andy Lutomirski <luto@...ealbox.com>
To:	Theodore Tso <tytso@....edu>, John Reiser <jreiser@...Wagon.com>,
	Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org,
	security@...nel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data

Theodore Tso wrote:
> On Mon, Dec 17, 2007 at 08:30:05AM -0800, John Reiser wrote:
>>>> [You have yet to show that...]
>>>> There is a path that goes from user data into the pool.
>> Note particularly that the path includes data from other users.
>> Under the current implementation, anyone who accesses /dev/urandom
>> is subject to having some bytes from their address space being captured
>> and mixed into the pool.
> 
> Again, you haven't *proven* this yet.

Has anyone *proven* that using uninitialized data this way is safe?  As 
a *user* of this stuff, I'm *very* hesitant to trust Linux's RNG when I 
hear things like this.  (Hint: most protocols are considered insecure 
until proven otherwise, not the other way around.)

Consider:  add_entropy_words is reversible [1], presumably in the sense 
that words could be removed, so, if there added words are independent of 
the state, there is no loss of entropy.  But it also appears reversible 
in the sense that if the pool has a known state and entropy words are 
added, most of which are known, the unknown ones can be found (if 
nothing else, if there are only a few bits of entropy there, you can try 
all possibilities).

Now imagine a security program.  It runs some forward secret protocol 
and it's very safe not to leak data that would break forward secrecy 
(mlockall, memset when done with stuff, etc).  It runs on a freshly 
booted machine (no DSA involved, so we're not automatically hosed), so 
an attacker knows the initial pool state.  Conveniently, some *secret* 
(say an ephemeral key, or, worse, a password) gets mixed in to the pool. 
  There are apparently at most three bytes of extra data mixed in, but 
suppose the attacker knows add the words that were supposed to get mixed 
in.  Now the program clears all its state to "ensure" forward secrecy, 
and *then* the machine gets hacked.  Now the attacker can learn (with at 
most 2^24 guesses worth of computation) 24 bits worth of a secret, which 
could quite easily reduce the work involved in breaking whatever forward 
secret protocol was involved from intractable to somewhat easy.  Or it 
could leak three bytes of password.  Or whatever.

Sorry for the somewhat inflammatory email, but this is absurd.

--Andy


[1] http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg238406.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ