lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <6860856C-6A92-4569-9CD8-FF6C5C441F30@amacapital.net>
Date:   Mon, 29 Apr 2019 09:08:10 -0700
From:   Andy Lutomirski <luto@...capital.net>
To:     "Reshetova, Elena" <elena.reshetova@...el.com>
Cc:     Theodore Ts'o <tytso@....edu>, Eric Biggers <ebiggers3@...il.com>,
        "ebiggers@...gle.com" <ebiggers@...gle.com>,
        "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
        David Laight <David.Laight@...lab.com>,
        Ingo Molnar <mingo@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        "keescook@...omium.org" <keescook@...omium.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        "luto@...nel.org" <luto@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "jpoimboe@...hat.com" <jpoimboe@...hat.com>,
        "jannh@...gle.com" <jannh@...gle.com>,
        "Perla, Enrico" <enrico.perla@...el.com>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "bp@...en8.de" <bp@...en8.de>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
Subject: Re: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall



> On Apr 29, 2019, at 12:46 AM, Reshetova, Elena <elena.reshetova@...el.com> wrote:
> 
> 
>>>> On Apr 26, 2019, at 7:01 AM, Theodore Ts'o <tytso@....edu> wrote:
>>> 
> 
>> It seems to me
>> that we should be using the “fast-erasure” construction for all get_random_bytes()
>> invocations. Specifically, we should have a per cpu buffer that stores some random
>> bytes and a count of how many random bytes there are. get_random_bytes() should
>> take bytes from that buffer and *immediately* zero those bytes in memory. When
>> the buffer is empty, it gets refilled with the full strength CRNG.
> 
> Ideally it would be great to call smth fast and secure on each syscall without a per-cpu
> buffer,

Why?  You only need a few bits, and any sensible crypto primitive is going to be much better at producing lots of bits than producing just a few bits.  Even ignoring that, avoiding the I-cache hit on every syscall has value.  And I still don’t see what’s wrong with a percpu buffer.

> so that's why I was asking on chacha8. As Eric pointed it should not be used for
> cryptographic purpose, but I think it is reasonably secure for our purpose, especially if
> the generator is sometimes reseeded with fresh entropy. 
> However, it very well might be that is too slow anyway. 
> 
> So, I think then we can do the per-cpu approach as you suggesting. 
> Have a per-cpu buffer big enough as you suggested (couple of pages) from where
> we regularly read 8 bits at the time and zero them as we go. 
> 
> I am just not sure on the right refill strategy in this case?
> Should we try to maintain this per-cpu buffer always with some random bytes by
> having a work queued that would refill it (or part of it, i.e. a page from a set of 4 pages) 
> regularly from CRNG source? 
> I guess how often we need to refill will depend so much on the syscall rate
> on that cpu, so it might be hard to find a reasonable period.
> In any case we need to prepare to do a refill straight from a syscall,
> if despite our best efforts to keep the buffer refilled we run out of bits.
> Is it ok to get a visible performance hit at this point? In worse case we will need to
> generate n pages worth of random numbers, which is going to take a
> while. 

I think a small hit every few syscalls is okay. The real time people will turn this off regardless.

> 
> I will try doing this PoC and measure implications (without the worker
> refill to start with). Let's see how bad (performance wise it looks).
> 
> Best Regards,
> Elena.
> 
> 
> 
> 
> 
>> The obvious objection is “oh no, a side channel could leak the buffer,” to which I say
>> so what?  A side channel could just as easily leak the entire CRNG state.
>> 
>> For Elena’s specific use case, we would probably want a
>> try_get_random_bytes_notrace() that *only* tries the percpu buffer, since this code
>> runs so early in the syscall path that we can’t run real C code.  Or it could be moved a
>> bit later, I suppose — the really early part is not really an interesting attack surface.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ