lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20131002123953.GB27811@gmail.com>
Date:	Wed, 2 Oct 2013 14:39:53 +0200
From:	Ingo Molnar <mingo@...nel.org>
To:	Peter Zijlstra <peterz@...radead.org>
Cc:	Stephane Eranian <eranian@...gle.com>,
	LKML <linux-kernel@...r.kernel.org>,
	"mingo@...e.hu" <mingo@...e.hu>,
	"ak@...ux.intel.com" <ak@...ux.intel.com>,
	Arnaldo Carvalho de Melo <acme@...hat.com>,
	David Ahern <dsahern@...il.com>, Jiri Olsa <jolsa@...hat.com>,
	Hugh Dickins <hughd@...gle.com>,
	Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [RFC] perf: mmap2 not covering VM_CLONE regions


* Peter Zijlstra <peterz@...radead.org> wrote:

> On Wed, Oct 02, 2013 at 01:23:16PM +0200, Peter Zijlstra wrote:
>
> > So the only thing I can come up with is something like the below; 
> > supposedly the sha hash mixing a boot time random seed and the mm 
> > pointer is enough to avoid it being a data leak.
> 
> That is, right until it becomes feasible to run 2^64 SHA1 computations. 
> I've actually no idea how hard that is given todays GPU assisted 
> efforts.

Well, here are the possible cryptanalytic attacks I can think of:

 - differential, because here you don't just have access to the hash
   value but you can essentially feed highly correlated plaintext to the 
   hash at will, by starting/stopping threads, knowing their typical mm 
   pointer differences, etc.

   I.e. less than 2^64, potentially a lot less.

 - then there are timing attacks, and someone having access to a PMU
   context and who can trigger this SHA1 computation arbitrarily in task 
   local context can run very accurate and low noise timing attacks...

   I don't think the kernel's sha_transform() is hardened against timing 
   attacks, it's performance optimized so it has variable execution time
   highly dependent on plaintext input - which leaks information about the 
   plaintext.

But then again, how realistic is an attack? All that effort just to 
recover the raw kernel data pointer value of a struct mm? Dunno whether we 
should worry about it.

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ