[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <476719E5.1010505@myrealbox.com>
Date: Mon, 17 Dec 2007 19:52:53 -0500
From: Andy Lutomirski <luto@...ealbox.com>
To: Theodore Tso <tytso@....edu>, John Reiser <jreiser@...Wagon.com>,
Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org,
security@...nel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data
Theodore Tso wrote:
> On Mon, Dec 17, 2007 at 08:30:05AM -0800, John Reiser wrote:
>>>> [You have yet to show that...]
>>>> There is a path that goes from user data into the pool.
>> Note particularly that the path includes data from other users.
>> Under the current implementation, anyone who accesses /dev/urandom
>> is subject to having some bytes from their address space being captured
>> and mixed into the pool.
>
> Again, you haven't *proven* this yet.
Has anyone *proven* that using uninitialized data this way is safe? As
a *user* of this stuff, I'm *very* hesitant to trust Linux's RNG when I
hear things like this. (Hint: most protocols are considered insecure
until proven otherwise, not the other way around.)
Consider: add_entropy_words is reversible [1], presumably in the sense
that words could be removed, so, if there added words are independent of
the state, there is no loss of entropy. But it also appears reversible
in the sense that if the pool has a known state and entropy words are
added, most of which are known, the unknown ones can be found (if
nothing else, if there are only a few bits of entropy there, you can try
all possibilities).
Now imagine a security program. It runs some forward secret protocol
and it's very safe not to leak data that would break forward secrecy
(mlockall, memset when done with stuff, etc). It runs on a freshly
booted machine (no DSA involved, so we're not automatically hosed), so
an attacker knows the initial pool state. Conveniently, some *secret*
(say an ephemeral key, or, worse, a password) gets mixed in to the pool.
There are apparently at most three bytes of extra data mixed in, but
suppose the attacker knows add the words that were supposed to get mixed
in. Now the program clears all its state to "ensure" forward secrecy,
and *then* the machine gets hacked. Now the attacker can learn (with at
most 2^24 guesses worth of computation) 24 bits worth of a secret, which
could quite easily reduce the work involved in breaking whatever forward
secret protocol was involved from intractable to somewhat easy. Or it
could leak three bytes of password. Or whatever.
Sorry for the somewhat inflammatory email, but this is absurd.
--Andy
[1] http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg238406.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists