[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e70c9e01-5e48-a26a-d485-ca512c111cbc@gmail.com>
Date: Tue, 21 Jun 2016 13:18:33 -0400
From: "Austin S. Hemmelgarn" <ahferroin7@...il.com>
To: Tomas Mraz <tmraz@...hat.com>,
Stephan Mueller <smueller@...onox.de>
Cc: Theodore Ts'o <tytso@....edu>,
David Jaša <djasa@...hat.com>,
Andi Kleen <andi@...stfloor.org>, sandyinchina@...il.com,
Jason Cooper <cryptography@...edaemon.net>,
John Denker <jsd@...n.com>,
"H. Peter Anvin" <hpa@...ux.intel.com>,
Joe Perches <joe@...ches.com>, Pavel Machek <pavel@....cz>,
George Spelvin <linux@...izon.com>,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 0/5] /dev/random - a new approach
On 2016-06-21 09:19, Tomas Mraz wrote:
> On Út, 2016-06-21 at 09:05 -0400, Austin S. Hemmelgarn wrote:
>> On 2016-06-20 14:32, Stephan Mueller wrote:
>>>
>>> [1] http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf
>> Specific things I notice about this:
>> 1. QEMU systems are reporting higher values than almost anything
>> else
>> with the same ISA. This makes sense, but you don't appear to have
>> accounted for the fact that you can't trust almost any of the entropy
>> in
>> a VM unless you have absolute trust in the host system, because the
>> host
>> system can do whatever the hell it wants to you, including
>> manipulating
>> timings directly (with a little patience and some time spent working
>> on
>> it, you could probably get those number to show whatever you want
>> just
>> by manipulating scheduling parameters on the host OS for the VM
>> software).
>
> You have to trust the host for anything, not just for the entropy in
> timings. This is completely invalid argument unless you can present a
> method that one guest can manipulate timings in other guest in such a
> way that _removes_ the inherent entropy from the host.
When dealing with almost any type 2 hypervisor, it is fully possible for
a user other than the one running the hypervisor to manipulate
scheduling such that entropy is reduced. This does not imply that the
user who is doing this has any other control over the target VM, and
importantly, often does not require administrative access on the host,
only regular user access. Such an attack is very difficult to effect
outside of a clean-room environment, but is still possible. You can't
use this to force generation of arbitrary data, but you can definitely
starve a VM for entropy. By nature, something that relies on interrupt
timings will be more impacted by such an attack than something that does
not.
In most cases, such an attack will be a DoS attack on the host as well
(as that's the simplest way to do this). This is less of an issue with
proper practices on a type 1 hypervisor, but is still possible there too
(although pulling this off on at least Xen when you have proper VCPU
isolation is functionally impossible without administrative access to
the control domain).
Powered by blists - more mailing lists