lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <202301061118.836BF431F@keescook>
Date:   Fri, 6 Jan 2023 11:23:18 -0800
From:   Kees Cook <keescook@...omium.org>
To:     david.keisarschm@...l.huji.ac.il
Cc:     linux-kernel@...r.kernel.org,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, Jason@...c4.com,
        aksecurity@...il.com, ilay.bahat1@...il.com
Subject: Re: [PATCH v3 3/3] Replace invocation of weak PRNG in
 arch/x86/mm/kaslr.c

On Sun, Dec 18, 2022 at 08:19:00PM +0200, david.keisarschm@...l.huji.ac.il wrote:
> From: David Keisar Schmidt <david.keisarschm@...l.huji.ac.il>
> 
> This third series add some changes to the commit messages,
> and also replaces get_random_u32 with get_random_u32_below,
> in a case a modulo operation is done on the result.
> 
> The memory randomization of the virtual address space of kernel memory regions
> (physical memory mapping, vmalloc & vmemmap) inside arch/x86/mm/kaslr.c
> is based on the function prandom_bytes_state which uses the prandom_u32 PRNG.
> 
> However, this PRNG turned out to be weak, as noted in commit c51f8f88d705
> To fix it, we have changed the invocation of prandom_bytes_state to get_random_bytes.
> 
> Unlike get_random_bytes which maintains its own state, prandom_bytes state needs to be seeded,
> thus, we have omitted the call to the seeding function, since it is not needed anymore.

I'd really rather not do this. prandom is being seeded from "true" RNG,
and it allows for the KASLR to be hand-seeded for a repeatable layout
for doing debugging and performance analysis (for the coming FG-KASLR).

AIUI, prandom is weak due to its shared state (which KASLR's use doesn't
have) and its predictability over time (but KASLR uses it only at
boot-time). And being able to recover the outputs would mean KASLR was
already broken, so there isn't anything that becomes MORE exposed.

If there is some other weakness, then sure, we can re-evaluate it, but
for now I'd rather leave this as-is.

-Kees

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ