Re: [PATCH v4 0/5] /dev/random - a new approach

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2016-06-21 09:19, Tomas Mraz wrote:
On Út, 2016-06-21 at 09:05 -0400, Austin S. Hemmelgarn wrote:
On 2016-06-20 14:32, Stephan Mueller wrote:

[1] http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf
Specific things I notice about this:
1. QEMU systems are reporting higher values than almost anything
else
with the same ISA.  This makes sense, but you don't appear to have
accounted for the fact that you can't trust almost any of the entropy
in
a VM unless you have absolute trust in the host system, because the
host
system can do whatever the hell it wants to you, including
manipulating
timings directly (with a little patience and some time spent working
on
it, you could probably get those number to show whatever you want
just
by manipulating scheduling parameters on the host OS for the VM
software).

You have to trust the host for anything, not just for the entropy in
timings. This is completely invalid argument unless you can present a
method that one guest can manipulate timings in other guest in such a
way that _removes_ the inherent entropy from the host.
When dealing with almost any type 2 hypervisor, it is fully possible for a user other than the one running the hypervisor to manipulate scheduling such that entropy is reduced. This does not imply that the user who is doing this has any other control over the target VM, and importantly, often does not require administrative access on the host, only regular user access. Such an attack is very difficult to effect outside of a clean-room environment, but is still possible. You can't use this to force generation of arbitrary data, but you can definitely starve a VM for entropy. By nature, something that relies on interrupt timings will be more impacted by such an attack than something that does not.

In most cases, such an attack will be a DoS attack on the host as well (as that's the simplest way to do this). This is less of an issue with proper practices on a type 1 hypervisor, but is still possible there too (although pulling this off on at least Xen when you have proper VCPU isolation is functionally impossible without administrative access to the control domain).
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux