Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes
From: Eric W. Biederman
Date: Tue May 05 2009 - 04:14:32 EST
Ingo Molnar <mingo@xxxxxxx> writes:
> * Matt Mackall <mpm@xxxxxxxxxxx> wrote:
>
>> As to what's the appropriate sort of RNG for ASLR to use, finding
>> a balance between too strong and too weak is tricky. [...]
>
> In exec-shield i mixed 'easily accessible and fast' semi-random
> state to the get_random_int() result: xor-ed the cycle counter, the
> pid and a kernel address to it. That strengthened the result in a
> pretty practical way (without strengthening the theoretical
> randomless - each of those items are considered guessable) and does
> so without weakening the entropy of the random pool.
The trouble is, that thinking completely misses the problem, and I
expect that is why we have a problem. Throwing a bunch of possibly
truly random values into the pot for luck is nice. But you didn't
throw in a pseudo random number generator. An unpredictable sequence
that is guaranteed to change from one invocation to the next.
In a very practical sense a pseudo random generator is completely
sufficient. Throwing in a few truly random numbers guards against
attacks on the random number generator.
What we have now is a hash over an a value that changes every 5 minutes
and some well known values.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/