Re: [PATCH] ELF: implement AT_RANDOM for future glibc use
- From: Kees Cook <kees.cook@xxxxxxxxxxxxx>
- Date: Mon, 6 Oct 2008 10:50:38 -0700
On Mon, Oct 06, 2008 at 08:00:21AM +0200, Andi Kleen wrote:
> Kees Cook <kees.cook@xxxxxxxxxxxxx> writes:
> > While discussing[1] the need for glibc to have access to random bytes
> > during program load, it seems that an earlier attempt to implement
> > AT_RANDOM got stalled. This implements a configurable number of random
> > bytes available to every ELF program via a new auxv AT_RANDOM vector.
>
> While the basic idea is good using get_random_bytes() is not.
> That eats precious cryptography strength entropy from the entropy
> pool, which on many systems is not adequately fed. In those cases you
> really only want to use it for real keys, not for lower grade
> applications. The applications glibc wants to use this for do not
> really require crypto strength entropy, just relatively unpredictable
> randomness.

We're already using get_random* for stack, heap, and brk. Also,
get_random* uses the nonblocking pool, so this is the same as if userspace
had tried to pull bytes out of /dev/urandom, which (as I understand it)
is the very thing we're trying to duplicate without the VFS overhead.

> What you should instead do is to initialize some other cryptographic RNG
> regularly and use the output of that.

Can you give me some examples of this? I thought the nonblocking
entropy pool was specifically for this purpose?
-Kees
--
Kees Cook
Ubuntu Security Team