Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

From: Eric W. Biederman
Date: Tue May 05 2009 - 04:14:32 EST


Ingo Molnar <mingo@xxxxxxx> writes:

> * Matt Mackall <mpm@xxxxxxxxxxx> wrote:
>
>> As to what's the appropriate sort of RNG for ASLR to use, finding
>> a balance between too strong and too weak is tricky. [...]
>
> In exec-shield i mixed 'easily accessible and fast' semi-random
> state to the get_random_int() result: xor-ed the cycle counter, the
> pid and a kernel address to it. That strengthened the result in a
> pretty practical way (without strengthening the theoretical
> randomness - each of those items is considered guessable) and does
> so without weakening the entropy of the random pool.

The trouble is, that thinking completely misses the problem, and I
expect that is why we have a problem. Throwing a bunch of possibly
truly random values into the pot for luck is nice. But you didn't
throw in a pseudo random number generator. An unpredictable sequence
that is guaranteed to change from one invocation to the next.

In a very practical sense a pseudo random generator is completely
sufficient. Throwing in a few truly random numbers guards against
attacks on the random number generator.

What we have now is a hash over a value that changes every 5 minutes
and some well known values.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
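The distinction Eric draws above, a hash over a slowly rotating secret plus guessable inputs versus a generator whose state advances on every call, as an added illustration that is not kernel code and not part of the original thread. The mix64 finalizer is a stand-in for the kernel's cryptographic hash, the 5-minute secret lifetime is expressed in jiffies at an assumed HZ=100, and the rotation of the secret is simulated by deriving it from the window index; pid, jiffies and cycle-counter values are constructed sample inputs.

```c
/* Added illustration (not kernel code): a stateless "hash of secret and
 * guessable values" generator beside one whose state carries forward.
 * mix64 is a stand-in for the kernel's real hash function. */
#include <stdint.h>
#include <stdio.h>

/* Assumption: HZ=100, so five minutes is 30000 jiffies. */
#define SECRET_LIFETIME_JIFFIES (5u * 60u * 100u)

/* splitmix64 finalizer: a bijection on 64-bit values, used here only as a
 * cheap stand-in for a keyed hash. Distinct inputs give distinct outputs. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Simulated rotating secret: the same value for every call inside one
 * five-minute window, a fresh one when the window index changes. */
uint64_t secret_for(uint64_t jiffies, uint64_t boot_secret)
{
    return mix64(boot_secret + jiffies / SECRET_LIFETIME_JIFFIES);
}

/* Stateless construction: output depends only on the current secret and on
 * values an attacker can guess (pid, jiffies). Identical inputs within one
 * secret window produce identical outputs; nothing changes between calls. */
uint64_t weak_random_int(uint64_t secret, uint32_t pid, uint64_t jiffies)
{
    return mix64(secret ^ ((uint64_t)pid << 32) ^ jiffies);
}

/* Stateful construction: the previous output is part of the next hash
 * input, so the sequence changes from one invocation to the next even when
 * every guessable input is identical. The guessable values still stir the
 * state; they are a bonus, not the only source of variation. */
struct rnd_state { uint64_t h; };

uint64_t stateful_random_int(struct rnd_state *st, uint64_t secret,
                             uint32_t pid, uint64_t jiffies, uint64_t cycles)
{
    st->h += (uint64_t)pid + jiffies + cycles;  /* guessable inputs stir the state */
    st->h = mix64(st->h ^ secret);              /* keyed hash of the running state */
    return st->h;
}

int main(void)
{
    /* Constructed sample inputs: one process, four calls in the same jiffy. */
    const uint32_t pid = 4242;
    const uint64_t jiffies = 100;
    const uint64_t secret = secret_for(jiffies, 0xfeedbeefcafef00dULL);
    struct rnd_state st = { 0 };

    puts("stateless (same pid, same jiffy):");
    for (int i = 0; i < 4; i++)
        printf("  %016llx\n",
               (unsigned long long)weak_random_int(secret, pid, jiffies));

    puts("stateful (same pid, same jiffy, same cycle count):");
    for (int i = 0; i < 4; i++)
        printf("  %016llx\n",
               (unsigned long long)stateful_random_int(&st, secret, pid, jiffies, 0));
    return 0;
}
```

Running it prints four identical lines for the stateless generator and four different ones for the stateful generator; the only way the stateless variant changes within a five-minute window is when one of the guessable inputs changes.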