Re: How does Linux do RTTM?
From: John Richard Moser
Date: Sat Aug 12 2006 - 10:51:45 EST
Evgeniy Polyakov wrote:
> On Sat, Aug 12, 2006 at 09:31:42AM -0400, John Richard Moser (nigelenki@xxxxxxxxxxx) wrote:
>> I'm told now that it uses Jiffies for TCP timestamps. I've had thoughts
>> on this:
>> - I figured a random timestamp with random microsecond skew would be
>> nice but this might expose internals of the RNG; amusingly I'm trying
>> not to expose internals of the RNG by exposing system time.
>> - Someone recommended starting at zero. This would work, really,
>> there's no attacks based on guessing the TCP timestamp value. This is
>> nice since if I want to hax0rz then I might make a connection and see
>> how many jiffies there are to get a feel for the system's uptime; this
>> tells me how long since you upgraded your kernel, so I have an arsenal
>> of vulns I KNOW you haven't fixed ready ;) Starting at 0 doesn't give
>> that information.
> Starting TCP timestamp from zero or any other arbitrary value for each
> new connection will not give you any security benefits. There is no

The TCP timestamp is the vessel; the target is the system uptime.
So, "preventing attackers from discovering the uptime of the remote
system will not give you any security benefits" is your statement.

> simple way aleph1 or e-eye will get a remote shell or steal your credit
> card number if there is a buffer overflow in kernel and they will know
> its release.

Well, they could throw a netfilter buffer overflow at it; but there's
only ever been one I think. ;) Aside from that, it's a matter of doing
reconnaissance BEFORE you get a local non-root or getting a local
non-root and THEN picking out your root elevation exploits, which is
only a few minutes difference.
(then again, storming the Bastille wouldn't have worked if they got to
the front door and sat on their asses for 2 minutes)
> So your proposals just are not needed for the majority of people, but if you
> strongly feel it will help to find a cure for cancer, implement it and
> prove its usefulness to netdev community.

It's not so much that as the cost of doing an arbitrary value is storing
the number of jiffies that make zero with each connection; this doesn't
seem significant. On the other hand, it removes one method for getting
a piece of information about the system that nobody said you could have;
some "hardened" configurations disable timestamps altogether for this
(amusingly they don't block ICMP Timestamp Reply outgoing). For the
sake of argument, I can at least say this would improve performance of
the RTTM for the paranoid.
In case you're wondering, myself I find this to be of minimal concern as
long as jiffies/uptime/etc have nothing to do with the PRNGs on the system.
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
Creative brains are a valuable, limited resource. They shouldn't be
wasted on re-inventing the wheel when there are so many fascinating
new problems waiting out there.
-- Eric Steven Raymond
We will enslave their women, eat their children and rape their
-- Bosc, Evil alien overlord from the fifth dimension
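As an added illustration, not code from this thread or from the kernel, here is a small Python model of the two TSval policies being argued over: raw jiffies, whose first value on the wire reveals uptime, versus a random per-connection base, where the only extra state is one offset per connection and the deltas that RTTM and PAWS rely on are unchanged. The HZ value, the simulated jiffies counter and the connection ids are assumptions of the model.

```python
import secrets

HZ = 1000          # assumed tick rate for the model; real kernels use their own HZ
TS_MOD = 1 << 32   # TSval is a 32-bit field, so all arithmetic is modulo 2^32

class TimestampClock:
    """Toy model of TSval generation (constructed example, not kernel code).
    jiffies is simulated so it runs offline; rng is injectable for testing."""

    def __init__(self, uptime_ticks, per_connection_offset, rng=secrets.randbelow):
        self.jiffies = uptime_ticks   # simulated ticks since boot
        self.per_conn = per_connection_offset
        self.rng = rng
        self.offsets = {}             # the only extra state: one offset per connection

    def tick(self, n=1):
        self.jiffies += n

    def open(self, conn_id):
        # Raw policy: TSval is jiffies itself, so the first value on the wire leaks uptime.
        # Offset policy: random per-connection base, TSval = (jiffies + base) mod 2^32;
        # every delta (what RTTM and PAWS actually use) is unchanged.
        self.offsets[conn_id] = self.rng(TS_MOD) if self.per_conn else 0

    def tsval(self, conn_id):
        return (self.jiffies + self.offsets[conn_id]) % TS_MOD

def inferred_uptime_seconds(first_tsval, hz=HZ):
    # What a remote peer concludes if it assumes TSval == jiffies.
    return first_tsval / hz

def rtt_ticks(ts_sent, ts_now):
    # RTTM: ticks between a sent TSval and the clock when its echo returns,
    # modulo 2^32 so wrap-around is handled (RFC 1323 arithmetic).
    return (ts_now - ts_sent) % TS_MOD

def compare_policies(uptime_ticks=3 * 24 * 3600 * HZ, rtt=40):
    # Same connection under both policies; report what a peer can see.
    out = {}
    for per_conn in (False, True):
        clk = TimestampClock(uptime_ticks, per_conn)
        clk.open("conn-1")            # constructed connection id
        first = clk.tsval("conn-1")
        clk.tick(rtt)                 # echo returns one RTT later
        out["offset" if per_conn else "raw"] = {
            "first_tsval": first,
            "inferred_uptime_s": inferred_uptime_seconds(first),
            "rtt_ticks": rtt_ticks(first, clk.tsval("conn-1")),
        }
    return out
```

Under the raw policy the first TSval of a three-day-old box divides straight into 259200 seconds of uptime, while under the offset policy the same connection yields an arbitrary first value yet the identical 40-tick RTT measurement.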