From owner-freebsd-security@FreeBSD.ORG Sun Sep 23 00:38:07 2012
Message-ID: <505E59DC.7090505@gmail.com>
Date: Sun, 23 Sep 2012 02:37:48 +0200
From: Mariusz Gromada
To: Pawel Jakub Dawidek
In-Reply-To: <20120922195325.GH1454@garage.freebsd.pl>
Cc: Ben Laurie, freebsd-security@freebsd.org, RW, Jonathan Anderson, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
> Mariusz, can you confirm my findings?

Pawel,

Your conclusions can be easily confirmed by shape analysis of the EDF.
Usually maximum quantile difference (called D-statistic) gives you a
kind of overview, function shape gives you a strong feeling, p-value
gives you a formal proof.

D-statistic values (your data):

6bit: 0.33%
7bit: 0.29%
8bit: 0.27%
9bit: 0.21%
10bit: 6.34%
11bit: 19.07%
12bit: 54.80%

What I would say: increasing the number of bits from 6 to 9 does not
affect distribution "uniformity", reaching the tenth bit results in
sudden increase in the difference measure - the more bits, the more
difference is observed. Distribution shape analysis for the 10th bit
shows non-linear function. Lack of "randomness" in the quantile
difference curve - chart shows complete lack of noise (pure
functional relation). These are very strong indicators that starting
from 10th bit distribution was changed and is no longer uniform.

To formally confirm above conclusion for i.e. 5% significance level,
which means that confidence level is 95%, I need some extra data
regarding sample sizes. Please pass to me number of collected
observations in each 6-12 bit experiment.

Regards,
Mariusz

From owner-freebsd-security@FreeBSD.ORG Sun Sep 23 13:59:58 2012
Date: Sun, 23 Sep 2012 14:59:45 +0100
From: RW
To: Dag-Erling Smørgrav
Message-ID: <20120923145945.13d148e3@gumby.homeunix.com>
In-Reply-To: <86lig3arpb.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.

On Sat, 22 Sep 2012 01:20:32 +0200
Dag-Erling Smørgrav wrote:

> RW writes:
> > The key will therefore *accumulate* entropy across multiple
> > reseeds.
>
> Forgot to address this. By definition, there can never be more
> entropy in Yarrow than the key size. So it *does* throw away entropy
> in the sense that if it accumulated, say, 900 bits of entropy
> pre-boot (to pick one of the numbers Pawel cited), 650 of them are
> wasted.

I got fed up of adding "up to 256 bits" and thought I could take it as
read. Since the generator can only hold 256 bits and is secure well
under that it doesn't really matter very much.

Yarrow can't really be said to waste entropy since replacing entropy in
the generator in a controlled way is what gives it its ability to
recover from compromise and break state extension attacks.

If we're going to be pedantic it's only the generator that's limited to
256 bits, yarrow as a whole can accumulate up to 3x256 bits because the
pools are not cleared on reseeds. There is some slight advantage in
this, for example it means that two consecutive keys can be completely
independent even on a fast reseed with a low value of
kern.random.yarrow.fastthresh.

From owner-freebsd-security@FreeBSD.ORG Sun Sep 23 15:17:01 2012
Date: Sun, 23 Sep 2012 17:17:06 +0200
From: Pawel Jakub Dawidek
To: Mariusz Gromada
Message-ID: <20120923151706.GN1454@garage.freebsd.pl>
In-Reply-To: <505E59DC.7090505@gmail.com>
Cc: Ben Laurie, freebsd-security@freebsd.org, RW, Jonathan Anderson, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On Sun, Sep 23, 2012 at 02:37:48AM +0200, Mariusz Gromada wrote:
> On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
> > Mariusz, can you confirm my findings?
>
> Pawel,
>
> Your conclusions can be easily confirmed by shape analysis of the EDF.
> Usually maximum quantile difference (called D-statistic) gives you a
> kind of overview, function shape gives you a strong feeling, p-value
> gives you a formal proof.
> D-statistic values (your data):
>
> 6bit: 0.33%
> 7bit: 0.29%
> 8bit: 0.27%
> 9bit: 0.21%
> 10bit: 6.34%
> 11bit: 19.07%
> 12bit: 54.80%
>
> What I would say: increasing the number of bits from 6 to 9 does not
> affect distribution "uniformity", reaching the tenth bit results in
> sudden increase in the difference measure - the more bits, the more
> difference is observed. Distribution shape analysis for the 10th bit
> shows non-linear function. Lack of "randomness" in the quantile
> difference curve - chart shows complete lack of noise (pure
> functional relation). These are very strong indicators that starting
> from 10th bit distribution was changed and is no longer uniform.
>
> To formally confirm above conclusion for i.e. 5% significance level,
> which means that confidence level is 95%, I need some extra data
> regarding sample sizes. Please pass to me number of collected
> observations in each 6-12 bit experiment.

Total number of observations was 162833.

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Mon Sep 24 03:57:07 2012
Message-ID: <505FDA03.5020207@FreeBSD.org>
Date: Sun, 23 Sep 2012 20:56:51 -0700
From: Doug Barton
To: freebsd-security@FreeBSD.org
Subject: rc.d/postrandom

If you disagree with what this script is doing, please speak up. I'm
being told that because I am the only one who has voiced an objection
that there is no reason to back out this change. I think I made my
feelings about it clear, I'm interested in what others have to say.

Doug

--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what
I can do.
    -- Edward Everett Hale, (1822 - 1909)

From owner-freebsd-security@FreeBSD.ORG Mon Sep 24 09:15:30 2012
From: Dag-Erling Smørgrav
To: Doug Barton
Date: Mon, 24 Sep 2012 11:15:21 +0200
In-Reply-To: <505FDA03.5020207@FreeBSD.org> (Doug Barton's message of "Sun, 23 Sep 2012 20:56:51 -0700")
Message-ID: <86haqnsrx2.fsf@ds4.des.no>
Cc: freebsd-security@FreeBSD.org
Subject: Re: rc.d/postrandom

Doug Barton writes:
> If you disagree with what this script is doing, please speak up.

Do you mean initrandom? I dislike it only slightly less now than I did
before. I hope Pawel's patch works out so we can nuke it.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Sep 24 17:47:10 2012
In-Reply-To: <86haqnsrx2.fsf@ds4.des.no>
Date: Mon, 24 Sep 2012 18:47:07 +0100
From: Ben Laurie
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Doug Barton
Subject: Re: rc.d/postrandom

On Mon, Sep 24, 2012 at 10:15 AM, Dag-Erling Smørgrav wrote:
> Doug Barton writes:
>> If you disagree with what this script is doing, please speak up.
>
> Do you mean initrandom? I dislike it only slightly less now than I did
> before. I hope Pawel's patch works out so we can nuke it.

He means postrandom. Which deletes all saved entropy because of fear
of replay attacks.

IMO, this doesn't make much sense - if you don't have sufficient fresh
entropy to mix into the pool, then deleting your saved entropy makes
you more vulnerable, not less. And if you do, you're not vulnerable
anyway.

So, I'm with Doug on this one.

From owner-freebsd-security@FreeBSD.ORG Mon Sep 24 21:57:06 2012
Message-ID: <5060D723.6020305@gmail.com>
Date: Mon, 24 Sep 2012 23:56:51 +0200
From: Mariusz Gromada
To: Pawel Jakub Dawidek
In-Reply-To: <20120923151706.GN1454@garage.freebsd.pl>
Cc: Ben Laurie, freebsd-security@freebsd.org, RW, Jonathan Anderson, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On 2012-09-23 17:17, Pawel Jakub Dawidek wrote:
> On Sun, Sep 23, 2012 at 02:37:48AM +0200, Mariusz Gromada wrote:
>> On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
>>> Mariusz, can you confirm my findings?
>>
>> Pawel,
>>
>> Your conclusions can be easily confirmed by shape analysis of the EDF.
>> Usually maximum quantile difference (called D-statistic) gives you a
>> kind of overview, function shape gives you a strong feeling, p-value
>> gives you a formal proof.
>> D-statistic values (your data):
>>
>> 6bit: 0.33%
>> 7bit: 0.29%
>> 8bit: 0.27%
>> 9bit: 0.21%
>> 10bit: 6.34%
>> 11bit: 19.07%
>> 12bit: 54.80%
>>
>> What I would say: increasing the number of bits from 6 to 9 does not
>> affect distribution "uniformity", reaching the tenth bit results in
>> sudden increase in the difference measure - the more bits, the more
>> difference is observed. Distribution shape analysis for the 10th bit
>> shows non-linear function. Lack of "randomness" in the quantile
>> difference curve - chart shows complete lack of noise (pure
>> functional relation). These are very strong indicators that starting
>> from 10th bit distribution was changed and is no longer uniform.
>>
>> To formally confirm above conclusion for i.e. 5% significance level,
>> which means that confidence level is 95%, I need some extra data
>> regarding sample sizes. Please pass to me number of collected
>> observations in each 6-12 bit experiment.
>
> Total number of observations was 162833.
>

Ok, finally I have some formal results. To be completely honest I need
to point out that, in fact, we have discrete data (for example
integers 0, 1, ..., 63, but not continuous numbers spread across 0 and
63). That is why I am going to use two sample Kolmogorov-Smirnov test.

Methodology is simple:

- Pawel’s data will be called empirical one
- Theoretical data will be generated as a sequence of unique integer
  numbers from 0 to 2**n -1, where n is the number of bits. Assumption -
  each number appears in theoretical data only once representing ideal
  uniform distribution.

Calculations will be done in the R-cran package

Loading empirical data from files:

> e6 = read.table("E:\\pawel\\dhr2_6bit_sorted.txt")
> e7 = read.table("E:\\pawel\\dhr2_7bit_sorted.txt")
> e8 = read.table("E:\\pawel\\dhr2_8bit_sorted.txt")
> e9 = read.table("E:\\pawel\\dhr2_9bit_sorted.txt")
> e10 = read.table("E:\\pawel\\dhr2_10bit_sorted.txt")
> e11 = read.table("E:\\pawel\\dhr2_11bit_sorted.txt")
> e12 = read.table("E:\\pawel\\dhr2_12bit_sorted.txt")

Generating ideal theoretical data:

> t6 = c(0:(2**6-1))
> t7 = c(0:(2**7-1))
> t8 = c(0:(2**8-1))
> t9 = c(0:(2**9-1))
> t10 = c(0:(2**10-1))
> t11 = c(0:(2**11-1))
> t12 = c(0:(2**12-1))

Performing KS tests:

> ks.test(e6, t6)
D = 0.0032, p-value = 1

> ks.test(e7, t7)
D = 0.0029, p-value = 1

> ks.test(e8, t8)
D = 0.0027, p-value = 1

> ks.test(e9, t9)
D = 0.0022, p-value = 1

> ks.test(e10, t10)
D = 0.0634, p-value = 0.0005562

> ks.test(e11, t11)
D = 0.1907, p-value < 2.2e-16

> ks.test(e12, t12)
D = 0.5479, p-value < 2.2e-16

As you can see D-statistics are almost the same as calculated by Pawel
(considering roundings). P-values are very interesting due to very high
number of observations generated by Pawel. Between 6 bits and 9 bits
estimated p-values are equal to 1, so it means that it is impossible (at
any significance level) to reject null hypothesis stating that compared
distributions are equal. Final conclusion: it has to be random, and for
sure it is random!

Additionally starting from 10 bits we can observe dramatic decrease of
p-value (from 100% to c.a. 0,06% and much less for the 11-12 bits). So
low p-value means that it is impossible not to reject null hypothesis
stating that compared distributions are equal. Final conclusion: it
cannot be random, and for sure it is not random.

I did the same comparison for the previous real device attach data (2081
obs.). R code and the results are below:

> e16 = read.table("E:\\pawel\\device_attach_16bit.log")
> t16 = c(0:(2**16-1))
> ks.test(e16, t16)
D = 0.0178, p-value = 0.5422

Again, D-statistic and p-value are almost the same as previously
calculated "manually". P-value is very high (it is not as high as in the
6-12 bits tests, but consider much lower number of observations: 2081 vs
162833), giving almost sureness that you have captured real 16-bits
entropy!

Regards,
Mariusz

From owner-freebsd-security@FreeBSD.ORG Mon Sep 24 22:10:28 2012
Message-ID: <5060DA45.30808@gmail.com>
Date: Tue, 25 Sep 2012 00:10:13 +0200
From: Mariusz Gromada
To: Pawel Jakub Dawidek
In-Reply-To: <5060D723.6020305@gmail.com>
Cc: Ben Laurie, freebsd-security@freebsd.org, RW, Jonathan Anderson, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On 2012-09-24 23:56, Mariusz Gromada wrote:

> Ok, finally I have some formal results. To be completely honest I need
> to point out that, in fact, we have discrete data (for example
> integers 0, 1, ..., 63, but not continuous numbers spread across 0 and
> 63). That is why I am going to use two sample Kolmogorov-Smirnov test.

Another clarification is needed. KS test in general (and in theory)
should be used for continuous distributions. But in our case we can
easily say that we observe our distribution in integers only (rounding),
and the whole rest is easily estimated.

Regards,
Mariusz

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 05:32:25 2012
Date: Tue, 25 Sep 2012 07:32:47 +0200
From: Pawel Jakub Dawidek
To: Mariusz Gromada
Message-ID: <20120925053246.GI1413@garage.freebsd.pl>
In-Reply-To: <5060DA45.30808@gmail.com>
Cc: Ben Laurie, freebsd-security@freebsd.org, RW, Jonathan Anderson, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On Tue, Sep 25, 2012 at 12:10:13AM +0200, Mariusz Gromada wrote:
> On 2012-09-24 23:56, Mariusz Gromada wrote:
>
> > Ok, finally I have some formal results. To be completely honest I need
> > to point out that, in fact, we have discrete data (for example
> > integers 0, 1, ..., 63, but not continuous numbers spread across 0 and
> > 63). That is why I am going to use two sample Kolmogorov-Smirnov test.
>
> Another clarification is needed. KS test in general (and in theory)
> should be used for continuous distributions. But in our case we can
> easily say that we observe our distribution in integers only (rounding),
> and the whole rest is easily estimated.

Thanks a lot!

To the list: phk@ asked me privately to check if there is no
correlation between consecutive device_attach() calls during single
boot. For example each device_attach() separately can yield great
entropy in every tests, but all those calls combined might be somehow
related, ie. during one boot all calls take a bit longer and in another
boot all calls take a bit less, which could decrease total entropy we
should estimate out of it.

I created dummy driver which was registering three dummy drivers, so it
was provoking three device_attach() calls on every kldload. Mariusz
verified the observations and there was no correlation between the
times.

I believe everyone is bored at this point, so I'd like to propose a way
forward:

I'll perform one more test with CPU clock speed reduced as much as it
can be and see if rejecting 7 top bits is still fine. If it is, I'd like
to commit my patch.

I was wondering if I should hide it under #ifdef __amd64__, but the only
risk in having it on all platforms is eventually being overestimating
available entropy, which is bad, but I think better than not providing
any entropy this method. On the other hand having it on one or two
platforms only would maybe motivate people to verify it on other
platforms.

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 08:21:10 2012
From: Dag-Erling Smørgrav
To: Ben Laurie
Date: Tue, 25 Sep 2012 10:21:07 +0200
In-Reply-To: (Ben Laurie's message of "Mon, 24 Sep 2012 18:47:07 +0100")
Message-ID: <86zk4eqzrg.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, Doug Barton
Subject: Re: rc.d/postrandom

Ben Laurie writes:
> He means postrandom. Which deletes all saved entropy because of fear
> of replay attacks.
>
> IMO, this doesn't make much sense - if you don't have sufficient fresh
> entropy to mix into the pool, then deleting your saved entropy makes
> you more vulnerable, not less. And if you do, you're not vulnerable
> anyway.

If the stored entropy is known to the attacker, you are mixing known
data into the pool, which Yarrow is designed to withstand. You are no
worse off than before.

If both the current state of Yarrow and the stored entropy are known to
the attacker, you are no worse off than before - you are equally screwed
whether you use the stored entropy or not.

If the current state of Yarrow is known to the attacker but the stored
entropy isn't, you are better off with it than without it.

Therefore, the stored entropy should only be deleted when we have
something to replace it with.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 09:03:24 2012
In-Reply-To: <5060D723.6020305@gmail.com>
Date: Tue, 25 Sep 2012 10:03:22 +0100
From: Ben Laurie
To: Mariusz Gromada
Cc: freebsd-security@freebsd.org, RW, Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On Mon, Sep 24, 2012 at 10:56 PM, Mariusz Gromada wrote:
> On 2012-09-23 17:17, Pawel Jakub Dawidek wrote:
>
>> On Sun, Sep 23, 2012 at 02:37:48AM +0200, Mariusz Gromada wrote:
>>>
>>> On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
>>>>
>>>> Mariusz, can you confirm my findings?
>>>
>>>
>>> Pawel,
>>>
>>> Your conclusions can be easily confirmed by shape analysis of the EDF.
>>> Usually maximum quantile difference (called D-statistic) gives you a
>>> kind of overview, function shape gives you a strong feeling, p-value
>>> gives you a formal proof.
>>> D-statistic values (your data):
>>>
>>> 6bit: 0.33%
>>> 7bit: 0.29%
>>> 8bit: 0.27%
>>> 9bit: 0.21%
>>> 10bit: 6.34%
>>> 11bit: 19.07%
>>> 12bit: 54.80%
>>>
>>> What I would say: increasing the number of bits from 6 to 9 does not
>>> affect distribution "uniformity", reaching the tenth bit results in
>>> sudden increase in the difference measure - the more bits, the more
>>> difference is observed. Distribution shape analysis for the 10th bit
>>> shows non-linear function. Lack of "randomness" in the quantile
>>> difference curve - chart shows complete lack of noise (pure
>>> functional relation). These are very strong indicators that starting
>>> from 10th bit distribution was changed and is no longer uniform.
>>>
>>> To formally confirm above conclusion for i.e. 5% significance level,
>>> which means that confidence level is 95%, I need some extra data
>>> regarding sample sizes. Please pass to me number of collected
>>> observations in each 6-12 bit experiment.
>>
>>
>> Total number of observations was 162833.
>>
>
> Ok, finally I have some formal results. To be completely honest I need to
> point out that, in fact, we have discrete data (for example integers 0, 1,
> ..., 63, but not continuous numbers spread across 0 and 63). That is why I
> am going to use two sample Kolmogorov-Smirnov test. Methodology is simple:
...
> As you can see D-statistics are almost the same as calculated by Pawel
> (considering roundings). P-values are very interesting due to very high
> number of observations generated by Pawel. Between 6 bits and 9 bits
> estimated p-values are equal to 1, so it means that it is impossible (at any
> significance level) to reject null hypothesis stating that compared
> distributions are equal. Final conclusion: it has to be random, and for sure
> it is random!

You cannot conclude that - no test can tell you it, but this test
rather obviously does not, since what it tests is the equality of
probability distributions, so what you can now say is that the
distribution is square. A completely predictable sequence, say 0..63,
would satisfy that.

Empirically, it seems to me that these numbers are actually unlikely
to be correlated with each other, but that has not been tested.

Also untested is correlation between the numbers from different
devices on the same run - if they were strongly correlated, for
example, that would be bad.

Not that I dislike Pawel's approach, it seems promising, I'm just
pointing out the weakness of the analysis.

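Added example (not part of any message in this thread, and not the analysis Mariusz or Pawel ran): the Python below works through the objection in the reply above on constructed data. A timing whose low 6 bits simply cycle 0..63 gets a perfect D-statistic against the uniform distribution, and two devices sharing a per-boot offset each look uniform on their own; only the lag-1 and cross-device correlation checks expose them. The 6-bit width, the sample count and the per-boot offset model are assumptions made for illustration.

```python
"""Uniformity is not unpredictability: checks for masked attach-time samples."""
import random
from math import sqrt

BITS = 6                      # low bits kept from each timing (assumed width)
N_VALUES = 1 << BITS


def low_bits(raw, bits=BITS):
    """Discard the high bits of a raw timing, keeping `bits` low bits."""
    return raw & ((1 << bits) - 1)


def d_statistic(samples, n_values=N_VALUES):
    """Max distance between the sample EDF and the discrete uniform CDF."""
    counts = [0] * n_values
    for s in samples:
        counts[s] += 1
    n, cum, d = len(samples), 0, 0.0
    for v in range(n_values):
        cum += counts[v]
        d = max(d, abs(cum / n - (v + 1) / n_values))
    return d


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def lag1_autocorr(samples):
    """Correlation between each sample and the next one in time order."""
    return pearson(samples[:-1], samples[1:])


def constructed_datasets(n=6400, seed=2012):
    """Three constructed series; none of this is data from the thread."""
    rng = random.Random(seed)
    # 1. Independent uniform values: what the entropy estimate hopes for.
    independent = [rng.randrange(N_VALUES) for _ in range(n)]
    # 2. A timing that grows by exactly one tick per call: fully predictable,
    #    yet its low bits cycle 0..63 and fill the histogram perfectly.
    counter = [low_bits(1000 + i) for i in range(n)]
    # 3. Two devices attached in the same boot that share a per-boot offset
    #    (assumed model): each looks uniform alone, but one nearly
    #    determines the other.
    dev_a, dev_b = [], []
    for _ in range(n):
        boot_offset = rng.randrange(N_VALUES)
        dev_a.append(boot_offset)
        dev_b.append(low_bits(boot_offset + rng.randrange(4)))
    return independent, counter, dev_a, dev_b


def analyse():
    """Return (D-statistic, lag-1 autocorrelation) per series, plus the
    cross-device correlation for the shared-offset pair."""
    independent, counter, dev_a, dev_b = constructed_datasets()
    return {
        "independent": (d_statistic(independent), lag1_autocorr(independent)),
        "counter": (d_statistic(counter), lag1_autocorr(counter)),
        "dev_a": (d_statistic(dev_a), lag1_autocorr(dev_a)),
        "dev_b": (d_statistic(dev_b), lag1_autocorr(dev_b)),
        "dev_a_vs_dev_b": pearson(dev_a, dev_b),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result)
```

A correlation near zero rules out only linear dependence, so passing these checks is still not proof of unpredictability.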
From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 09:05:03 2012
In-Reply-To: <20120925053246.GI1413@garage.freebsd.pl>
Date: Tue, 25 Sep 2012 10:05:01 +0100
From: Ben Laurie
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, RW, Jonathan Anderson, Mariusz Gromada, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On Tue, Sep 25, 2012 at 6:32 AM, Pawel Jakub Dawidek wrote:
> On Tue, Sep 25, 2012 at 12:10:13AM +0200, Mariusz Gromada wrote:
>> On 2012-09-24 23:56, Mariusz Gromada wrote:
>>
>> > Ok, finally I have some formal results. To be completely honest I need
>> > to point out that, in fact, we have discrete data (for example
>> > integers 0, 1, ..., 63, but not continuous numbers spread across 0 and
>> > 63). That is why I am going to use two sample Kolmogorov-Smirnov test.
>>
>> Another clarification is needed. KS test in general (and in theory)
>> should be used for continuous distributions. But in our case we can
>> easily say that we observe our distribution in integers only (rounding),
>> and the whole rest is easily estimated.
>
> Thanks a lot!
>
> To the list:
>
> phk@ asked me privately to check if there is no correlation between
> consecutive device_attach() calls during single boot.
>
> For example each device_attach() separately can yield great entropy in
> every test, but all those calls combined might be somehow related, i.e.
> during one boot all calls take a bit longer and in another boot all
> calls take a bit less, which could decrease total entropy we should
> estimate out of it.
>
> I created dummy driver which was registering three dummy drivers, so it
> was provoking three device_attach() calls on every kldload. Mariusz
> verified the observations and there was no correlation between the
> times.

Sorry to those that are bored, but ... what was the methodology?

> I believe everyone is bored at this point, so I'd like to propose a way
> forward:
>
> I'll perform one more test with CPU clock speed reduced as much as it
> can be and see if rejecting 7 top bits is still fine. If it is, I'd like
> to commit my patch. I was wondering if I should hide it under
> #ifdef __amd64__, but the only risk in having it on all platforms is
> eventually overestimating available entropy, which is bad, but I
> think better than not providing any entropy with this method. On the
> other hand having it on one or two platforms only would maybe motivate
> people to verify it on other platforms.
>
> --
> Pawel Jakub Dawidek                       http://www.wheelsystems.com
> FreeBSD committer                         http://www.FreeBSD.org
> Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 09:28:16 2012
From: Dag-Erling Smørgrav
To: Ben Laurie
Date: Tue, 25 Sep 2012 11:28:13 +0200
In-Reply-To: (Ben Laurie's message of "Tue, 25 Sep 2012 10:03:22 +0100")
Message-ID: <86r4pqqwnm.fsf@ds4.des.no>
Cc: Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin, freebsd-security@freebsd.org, RW, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.

Ben Laurie writes:
> Not that I dislike Pawel's approach, it seems promising, I'm just
> pointing out the weakness of the analysis.

It is also based on fake data.

If you give me a couple of days, I'll try to come up with a patch that
collects and stores attach times during boot so we can gather and
analyse real data.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 10:22:18 2012
Date: Tue, 25 Sep 2012 12:22:41 +0200
From: Pawel Jakub Dawidek
To: Dag-Erling Smørgrav
Message-ID: <20120925102240.GC1571@garage.freebsd.pl>
In-Reply-To: <86r4pqqwnm.fsf@ds4.des.no>
Cc: Jonathan Anderson, John Baldwin, Ben Laurie, freebsd-security@freebsd.org, RW, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.

On Tue, Sep 25, 2012 at 11:28:13AM +0200, Dag-Erling Smørgrav wrote:
> Ben Laurie writes:
> > Not that I dislike Pawel's approach, it seems promising, I'm just
> > pointing out the weakness of the analysis.
>
> It is also based on fake data.
>
> If you give me a couple of days, I'll try to come up with a patch that
> collects and stores attach times during boot so we can gather and
> analyse real data.

Note that this fake data is the hardest to gather entropy from, as it
doesn't interact with any external hardware. I'm all for testing it on
real hardware and I expect to be able to gather even more entropy from
it (so discarding less than top 7 bits). The problem with making
observations during boot takes much, much longer, so it will limit the
number of samples significantly, and as you know the more samples the
better.

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 10:58:40 2012
From: Dag-Erling Smørgrav
To: Pawel Jakub Dawidek
Date: Tue, 25 Sep 2012 12:58:37 +0200
In-Reply-To: <20120925102240.GC1571@garage.freebsd.pl> (Pawel Jakub Dawidek's message of "Tue, 25 Sep 2012 12:22:41 +0200")
Message-ID: <86mx0eqsgy.fsf@ds4.des.no>
Cc: Jonathan Anderson, John Baldwin, Ben Laurie, freebsd-security@freebsd.org, RW, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.

Pawel Jakub Dawidek writes:
> Note that this fake data is the hardest to gather entropy from, as it
> doesn't interact with any external hardware. I'm all for testing it on
> real hardware and I expect to be able to gather even more entropy from
> it (so discarding less than top 7 bits). The problem with making
> observations during boot takes much, much longer, so it will limit the
> number of samples significantly, and as you know the more samples the
> better.

I have a handful of SFF machines which support PXE. I can easily set up
an NFS root where /etc/rc just remounts / rw, dumps the data and
reboots. With a sub-minute cycle time, I can get a couple of hundred
thousand samples per machine over the weekend.

(I don't even need PXE - they'll probably boot faster from USB sticks or
disks)

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 09:29:40 2012
Date: Tue, 25 Sep 2012 11:29:39 +0200
From: Mariusz Gromada
To: Ben Laurie
Cc: freebsd-security@freebsd.org, RW, Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

> You cannot conclude that - no test can tell you it, but this test
> rather obviously does not, since what it tests is the equality of
> probability distributions, so what you can now say is that the
> distribution is square. A completely predictable sequence, say 0..63,
> would satisfy that.

Yes, I agree. That is why I proposed to Pawel analysis from the area of
stochastic processes.

> Empirically, it seems to me that these numbers are actually unlikely
> to be correlated with each other, but that has not been tested.

Another yes, you are right. We need much more data to check if we have a
stochastic process consisting of independent random variables.

> Also untested is correlation between the numbers from different
> devices on the same run - if they were strongly correlated, for
> example, that would be bad.

I have proposed that also, but it requires checking different
architectures. I even offered my raspberry pi :-), but unfortunately
FreeBSD does not want to work on it :-(

> Not that I dislike Pawel's approach, it seems promising, I'm just
> pointing out the weakness of the analysis.

Again, thanks for pointing out the weakness of the analysis, you are
completely right about everything. I have been thinking about all of
these issues, but unfortunately forgot to write it down as constraints
of the analysis.

Regards,
Mariusz

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 09:36:33 2012
Date: Tue, 25 Sep 2012 11:36:31 +0200
From: Mariusz Gromada
To: Ben Laurie
Cc: freebsd-security@freebsd.org, RW, Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

2012/9/25 Mariusz Gromada

>> Empirically, it seems to me that these numbers are actually unlikely
>> to be correlated with each other, but that has not been tested.
>
> Another yes, you are right. We need much more data to check if we have a
> stochastic process consisting of independent random variables.

Here we did some initial testing, mainly based on charts, which showed
typical noise in time. But again, it requires a formal proof.

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 12:06:59 2012
Message-ID: <50619E5D.3010503@FreeBSD.org>
Date: Tue, 25 Sep 2012 16:06:53 +0400
From: Andrey Zonov
To: freebsd-security@freebsd.org
Subject: [patch] unprivileged mlock(2)

Hi,

Please review this patch [1] which allows unprivileged users to call
mlock()/munlock() and mlockall()/munlockall().

AFAIK, these calls were not allowed for everyone because accounting
for mlockall(MCL_FUTURE) was not implemented.

[1] http://people.freebsd.org/~zont/patches/mlock3.patch

--
Andrey Zonov

From owner-freebsd-security@FreeBSD.ORG Tue Sep 25 16:37:11 2012
Date: Tue, 25 Sep 2012 18:37:35 +0200
From: Pawel Jakub Dawidek To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= Message-ID: <20120925163735.GC1391@garage.freebsd.pl> References: <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <20120925102240.GC1571@garage.freebsd.pl> <86mx0eqsgy.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="dkEUBIird37B8yKS" Content-Disposition: inline In-Reply-To: <86mx0eqsgy.fsf@ds4.des.no> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: Jonathan Anderson , John Baldwin , Ben Laurie , freebsd-security@freebsd.org, RW , Mariusz Gromada Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Sep 2012 16:37:11 -0000 --dkEUBIird37B8yKS Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Sep 25, 2012 at 12:58:37PM +0200, Dag-Erling Sm=F8rgrav wrote: > Pawel Jakub Dawidek writes: > > Note that this fake data is the hardest to gather entropy from, as it > > doesn't interact with any external hardware. I'm all for testing it on > > real hardware and I expect to be able to gather even more entropy from > > it (so discarding less than top 7 bits). The problem with making > > observations during boot takes much, much longer, so it will limit the > > number os samples significantly, and as you know the more samples the > > better. >=20 > I have a handful of SFF machines which support PXE. 
> I can easily set up
> an NFS root where /etc/rc just remounts / rw, dumps the data and
> reboots. With a sub-minute cycle time, I can get a couple of hundred
> thousand samples per machine over the weekend.

That would be great.

> (I don't even need PXE - they'll probably boot faster from USB sticks or
> disks)

And probably more reliable. My netbooted test machines occasionally
don't boot and you don't want to find out in the morning that the whole
process stopped at 1AM:)

-- 
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://tupytaj.pl

From: Dag-Erling Smørgrav
To: Pawel Jakub Dawidek
Cc: Jonathan Anderson, John Baldwin, Ben Laurie, freebsd-security@freebsd.org, RW, Mariusz Gromada
Date: Tue, 25 Sep 2012 20:46:08 +0200
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <861uhqeya7.fsf@ds4.des.no>
In-Reply-To: <20120925163735.GC1391@garage.freebsd.pl>

Pawel Jakub Dawidek writes:
> "Dag-Erling Smørgrav" writes:
> > (I don't even need PXE - they'll probably boot faster from USB
> > sticks or disks)
> And probably more reliable. My netbooted test machines occasionally
> don't boot and you don't want to find out in the morning that the whole
> process stopped at 1AM:)

I've had machines where PXE only worked after a power cycle. I never
managed to figure out why...

DES
-- 
Dag-Erling Smørgrav - des@des.no

Message-ID: <50620E8E.9020501@gmail.com>
Date: Tue, 25 Sep 2012 22:05:34 +0200
From: Mariusz Gromada
To: Ben Laurie
Cc: freebsd-security@freebsd.org, RW, Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin
Subject: Re: Collecting entropy from device_attach() times.

On 2012-09-25 11:05, Ben Laurie wrote:
>> I created dummy driver which was registering three dummy drivers, so it
>> was provoking three device_attach() calls on every kldload. Mariusz
>> verified the observations and there was no correlation between the
>> times.
>
> Sorry to those that are bored, but ... what was the methodology?
>

Ok, finally I had enough time to write something more.

Try not to think about this data as a sequence of numbers a1, a2, ...,
an, but rather as a sequence of random variables X(w,1), X(w,2), ...,
X(w,n) – in general X(w,t) where 'w' is something similar to random
event (something unpredictable) and 't' is time. In mathematics X(w,t)
is called a stochastic process (or random process / time series).
In our case 'w' may be interpreted as a particular machine, 't' will
simply identify the sequence number of each device attach, then X(w,t)
will be entropy suspected part of the final device attach time (measured
in some units).

Our task is to check if there are any autocorrelations in the X(w,t)
process, which means checking if there are any dependencies between
random variables X(w,t1) and X(w,t2) where t1 < t2. It is possible to do
this using some formal statistical test (i.e.: Durbin–Watson test,
Autocorrelation Random Number Test).

I received from Pawel one portion of real data - 2081 observations coming
from just one realization of the process. Checking autocorrelations
requires data from many realizations of the process: in this case
Nx2081, where each realization from 1 to N should start from the same
beginning.

But for dummy data we did something (with Pawel) for X(w,1), X(w,2),
X(w,3) - there were generated many realizations. Finally no
autocorrelations were observed.

Summarizing:
1. We proved that data comes from uniform distribution (KS test)
2. We proved that there was no autocorrelation in the stochastic process
   consisting of 3 subsequent device attaches
3. We did graphical analysis, where typical noise was identified for
   much more than 3 device attaches.

What else could be done:
1. Proving that there are no autocorrelations between X(w,t1) and X(w,t2)
   where t1 < t2.
2. Confirming results for some other architectures and devices, which
   means confirming results for X(w1,t), X(w2, t), ...

Regards,
Mariusz

Date: Tue, 25 Sep 2012 22:39:06 +0100
From: RW
To: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <20120925223906.32f6597b@gumby.homeunix.com>

On Tue, 25 Sep 2012 11:36:31 +0200
Mariusz Gromada wrote:

> Here we did some initial testing, mainly based on charts, which showed
> typical noise in time. But again, it requires a formal proof.

When you say formal proof let's be clear that you aren't actually
proving anything about entropy.

Entropy and randomness are two completely different concepts. Good
randomness is not a requirement of an entropy source, and doesn't imply
anything at all about entropy.

What's actually happening here is that observations are being made on
randomness and then translated into entropy based on the assumption that
an attacker can never gain any advantage over treating the timings as
the product of a black box.

Date: Tue, 25 Sep 2012 21:40:20 -0700 (PDT)
From: moused86799
To: freebsd-security@freebsd.org
Subject: Vulnerability - moused dependency on dbus-daemon - how to get rid of DBUS?
Message-ID: <1348634420023-5746974.post@n5.nabble.com>

one way of attacking the OS
1.search the lists
http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241042.html
2.)mouse intermittent works if problem with dbus-daemon
3.)analyze - dbus-daemon is a 'relatively unknown' and extra DEPENDENCY
of moused
4.)set kern.securelevel=333
5.)interrupt control of moused
root /usr/sbin/moused -F 200 -A 1.5.2.0 -a 0.7 -r high -V -p /dev/psm0 -t
auto
6.)alt to port /dev/psm0 - not completed

so, how can anything dbus be ELIMINATED from the OS?

*details using dtpstree
init-+-adjkerntz
     |-console-kit-daemon
     |-devd
     |-moused
     |-dbus-daemon
     |-polkitd
     |-swapexd
     |-7*[getty]
     |-gpg-agent
     |-2*[gam_server]
     |-login---shell--sh---xinit-+-Xorg
     |                           `-fluxbox-+-terminal
                                           |-***network

question: how can dbus or dbus-daemon be eliminated from the basic OS
configuration for a developer workstation?

Thank you.

Date: Wed, 26 Sep 2012 05:16:16 -0700
From: David Wolfskill
To: moused86799
Cc: freebsd-security@freebsd.org
Subject: Re: Vulnerability - moused dependency on dbus-daemon - how to get rid of DBUS?
Message-ID: <20120926121616.GA1645@albert.catwhisker.org>
In-Reply-To: <1348634420023-5746974.post@n5.nabble.com>

On Tue, Sep 25, 2012 at 09:40:20PM -0700, moused86799 wrote:
> one way of attacking the OS
> 1.search the lists
> http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241042.html
> 2.)mouse intermittent works if problem with dbus-daemon
> 3.)analyze - dbus-daemon is a 'relatively unknown' and extra DEPENDENCY
> of moused

Errr... Perhaps in your configuration; perhaps also in (some) others'.

But moused is part of base FreeBSD, while dbus* is not. So it is
certainly possible to run moused without dbus-daemon.

But as a somewhat more constructive demonstration:

g1-227(10.0-C)[1] ps axwwl | egrep 'moused|dbus'
0 1461 1 0 20 0 10076 9840 select Ss - 0:00.10 /usr/sbin/moused -a 2.7 -p /dev/psm0 -t auto
1001 7579 1855 0 21 0 10148 9280 - RL+ 7 0:00.01 egrep moused|dbus
g1-227(10.0-C)[2] 

That's from my laptop, running X. While I have dbus-1.4.14_4 &
dbus-glib-0.94 installed (as they are listed as dependencies for some
other ports I have installed), I decline to use them.

> 4.)set kern.securelevel=333
> 5.)interrupt control of moused
> root /usr/sbin/moused -F 200 -A 1.5.2.0 -a 0.7 -r high -V -p /dev/psm0 -t
> auto
> 6.)alt to port /dev/psm0 - not completed

Errr... Everything you're doing there already requires eUID 0 access, so
I'm not sure what your concern really is.

> so, how can anything dbus be ELIMINATED from the OS?

g1-227(10.0-C)[8] grep dbus /etc/rc.conf*
g1-227(10.0-C)[9] 

> ...
> question: how can dbus or dbus-daemon be eliminated from the basic OS
> configuration for a developer workstation?

Well, I believe my laptop is configured in a way that meets the stated
criteria. (It has a local private mirror of the FreeBSD src, ports, &
doc SVN repositories, and I track stable/9 & head on it, daily.)

About the only point that comes to mind that I haven't already pointed
out is the addition of a stanza:

Section "ServerFlags"
        Option "AutoAddDevices" "False"
EndSection

to xorg.conf -- though there are other ways to accomplish that, as well
(IIRC).

Of course, I avoid these fancy "desktop environment" things; the window
manager I use descends rather directly from twm (and looks like it), but
it works for me (even though I know of only 2 other folks who I have
seen use it -- one of whom is my spouse).

Peace,
david
-- 
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.

From: John Baldwin
To: Mariusz Gromada
Cc: Ben Laurie, freebsd-security@freebsd.org, RW, Jonathan Anderson, Pawel Jakub Dawidek
Date: Tue, 25 Sep 2012 17:13:00 -0400
Subject: Re: Collecting entropy from device_attach() times.
Message-Id: <201209251713.00800.jhb@freebsd.org>
In-Reply-To: <50620E8E.9020501@gmail.com>

On Tuesday, September 25, 2012 4:05:34 pm Mariusz Gromada wrote:
> Our task is to check if there are any autocorrelations in the X(w,t)
> process, which means checking if there are any dependencies between
> random variables X(w,t1) and X(w,t2) where t1 < t2.

Just to state an obvious fact (not sure how that impacts your analysis
though): There are, of course, many dependencies among device attach
routines since your total time for the attach routine for a bus is going
to include all of the time it takes for attach to run on all of the
child devices. That is, pci0's attach time includes the attach time of
all of its descendant devices, and a given leaf node's attach time will
be accounted for in the attach time of all of its parent nodes up to the
root. For example:

nexus0
  acpi0
    pcib0
      pci0
        ehci0
          usbus0
            uhub0
              uhub3
                uhub4
                  ukbd0

In this portion of my desktop's device tree, all of the devices listed
will include the time of ukbd0's attach in their respective attach
times.

-- 
John Baldwin
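
Added example, not part of any message in this thread: the two checks Mariusz describes (a D-statistic of the low k bits against the uniform distribution, and a correlation between two attach slots across many boots), run on constructed data in which the parent's attach time includes the child's, as in John Baldwin's tree. The device names come from that tree; the cycle counts, the simulate_boots() model and all function names are assumptions.

```python
import math
import random
from collections import Counter


def ks_uniform_d(samples, k):
    """D-statistic of the low k bits of `samples` against the uniform
    distribution on 0 .. 2**k - 1 (largest gap between the two CDFs)."""
    if not samples:
        raise ValueError("no samples")
    m = 1 << k
    counts = Counter(s & (m - 1) for s in samples)
    n = len(samples)
    d, seen = 0.0, 0
    for v in sorted(counts):
        # Just below v the empirical CDF is still seen/n; the uniform CDF is v/m.
        d = max(d, abs(seen / n - v / m))
        seen += counts[v]
        # At v the empirical CDF has jumped to seen/n; the uniform CDF is (v+1)/m.
        d = max(d, abs(seen / n - (v + 1) / m))
    return d


def pearson(xs, ys):
    """Sample correlation coefficient of two equally long columns."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two columns of equal length >= 2")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant column has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def simulate_boots(n_boots, seed=2012):
    """Constructed stand-in for measured data: one dict per boot (one
    realization w). uhub4 is an ancestor of ukbd0, so its attach time is
    its own work plus the time spent attaching ukbd0."""
    rng = random.Random(seed)
    boots = []
    for _ in range(n_boots):
        ukbd0 = 200_000 + rng.getrandbits(14)   # leaf: 14 bits of jitter
        hub_own = 50_000 + rng.getrandbits(9)   # hub's own work: 9 bits of jitter
        boots.append({"ukbd0": ukbd0, "uhub4": hub_own + ukbd0})
    return boots


def correlation_between(boots, dev_a, dev_b, k=None):
    """Correlate X(w, dev_a) with X(w, dev_b) across boots w. With k set,
    only the low k bits of each delta are compared."""
    mask = -1 if k is None else (1 << k) - 1
    return pearson([b[dev_a] & mask for b in boots],
                   [b[dev_b] & mask for b in boots])


if __name__ == "__main__":
    boots = simulate_boots(4096)
    leaf = [b["ukbd0"] for b in boots]
    for k in (8, 14, 15, 16):
        print(f"D-statistic, low {k:2d} bits of ukbd0: {ks_uniform_d(leaf, k):.4f}")
    print("corr(ukbd0, uhub4), full deltas:",
          round(correlation_between(boots, "ukbd0", "uhub4"), 4))
    print("corr(ukbd0, uhub4), low 8 bits :",
          round(correlation_between(boots, "ukbd0", "uhub4", k=8), 4))
```

In this constructed model the D-statistic stays small while only jitter bits are kept and grows once fixed high bits are included, and the full deltas of ukbd0 and uhub4 are almost perfectly correlated while their low 8 bits are not, because the hub's own time has uniform low bits.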

From: Dag-Erling Smørgrav
To: Ben Laurie
Cc: Jonathan Anderson, Pawel Jakub Dawidek, John Baldwin, freebsd-security@freebsd.org, RW, Mariusz Gromada
Date: Wed, 26 Sep 2012 18:54:05 +0200
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86sja4sp1u.fsf@ds4.des.no>
In-Reply-To: <86r4pqqwnm.fsf@ds4.des.no>

Dag-Erling Smørgrav writes:
> If you give me a couple of days, I'll try to come up with a patch that
> collects and stores attach times during boot so we can gather and
> analyse real data.

Here's the patch, as a superset of Pawel's.
The output looks like this:

des@crashbox ~% sysctl -b hw.attachtimes| hexdump -C
00000000  72 61 6d 30 00 00 00 00  00 00 00 00 00 00 00 00  |ram0............|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 01 24 53  |..............$S|
00000020  63 70 75 30 00 00 00 00  00 00 00 00 00 00 00 00  |cpu0............|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 01 4d 6c cb  |.............Ml.|
00000040  63 70 75 31 00 00 00 00  00 00 00 00 00 00 00 00  |cpu1............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 01 4d da b6  |.............M..|
00000060  61 74 74 69 6d 65 72 30  00 00 00 00 00 00 00 00  |attimer0........|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 04 59 70 8f  |.............Yp.|
[...]

where the first 24 bytes of each record contain the device name
(dev->nameunit) and the last eight bytes contain d(cyclecount) for
device_attach() as a big-endian uint64_t.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Index: sys/dev/random/randomdev_soft.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- sys/dev/random/randomdev_soft.c (revision 240914) +++ sys/dev/random/randomdev_soft.c (working copy) 
@@ -303,7 +303,7 @@ KASSERT(origin =3D=3D RANDOM_START || origin =3D=3D RANDOM_WRITE || origin =3D=3D RANDOM_KEYBOARD || origin =3D=3D RANDOM_MOUSE || origin =3D=3D RANDOM_NET || origin =3D=3D RANDOM_INTERRUPT || - origin =3D=3D RANDOM_PURE, + origin =3D=3D RANDOM_PURE || origin =3D=3D RANDOM_DEVICE, ("random_harvest_internal: origin %d invalid\n", origin)); =20 /* Lockless read to avoid lock operations if fifo is full. */ Index: sys/sys/random.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- sys/sys/random.h (revision 240914) +++ sys/sys/random.h (working copy) @@ -45,6 +45,7 @@ RANDOM_NET, RANDOM_INTERRUPT, RANDOM_PURE, + RANDOM_DEVICE, ENTROPYSOURCE }; void random_harvest(void *, u_int, u_int, u_int, enum esource); Index: sys/kern/subr_bus.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- sys/kern/subr_bus.c (revision 240914) +++ sys/kern/subr_bus.c (working copy) @@ -31,6 +31,7 @@ =20 #include #include +#include #include #include #include @@ -44,6 +45,7 @@ #include #include #include +#include #include #include #include @@ -53,6 +55,7 @@ #include #include =20 +#include #include =20 #include @@ -60,6 +63,16 @@ SYSCTL_NODE(_hw, OID_AUTO, bus, CTLFLAG_RW, NULL, NULL); SYSCTL_NODE(, OID_AUTO, dev, CTLFLAG_RW, NULL, NULL); =20 +#define MAXNATTACHTIMES 128 +static struct attachtime { + char name[24]; + uint64_t delta; +} attachtimes[MAXNATTACHTIMES]; +static int nattachtimes; +SYSCTL_OPAQUE(_hw, OID_AUTO, attachtimes, CTLFLAG_RD, + &attachtimes, sizeof(attachtimes), "S,attachtimes", + "time spent in device_attach()"); + /* * Used to attach drivers to devclasses. */ 
@@ -2760,8 +2773,10 @@ int device_attach(device_t dev) { + uint64_t attachtime; int error; =20 + attachtime =3D get_cyclecount(); device_sysctl_init(dev); if (!device_is_quiet(dev)) device_print_child(dev->parent, dev); @@ -2784,6 +2799,15 @@ dev->state =3D DS_ATTACHED; dev->flags &=3D ~DF_DONENOMATCH; devadded(dev); + attachtime =3D get_cyclecount() - attachtime; + if (nattachtimes < MAXNATTACHTIMES) { + strlcpy(attachtimes[nattachtimes].name, dev->nameunit, + sizeof(attachtimes[nattachtimes])); + attachtimes[nattachtimes].delta =3D htobe64(attachtime); + ++nattachtimes; + } + random_harvest(&attachtime, sizeof(attachtime), 4, 0, RANDOM_DEVICE); + return (0); } =20 
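
Review bot: the SYSCTL_OPAQUE added in the @@ -60,6 +63,16 @@ hunk of sys/kern/subr_bus.c exports the attachtimes table with CTLFLAG_RD only, so any local user can read the same per-device cycle-count deltas that the device_attach() hunk passes to random_harvest(). That is fine on a kernel built purely to collect measurements, but a sample an unprivileged process can read back is not something an attacker on the machine has to guess. Suggest keeping the table and the sysctl out of any committable version, or compiling them only under a debugging option, and leaving just the random_harvest() call. A comment on MAXNATTACHTIMES would also help, since devices attached after the 128th are silently not recorded.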
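
Review bot: in the @@ -2784,6 +2799,15 @@ hunk of device_attach(), the strlcpy() size argument is sizeof(attachtimes[nattachtimes]), which is the size of the whole struct attachtime (the 24-byte name plus the uint64_t delta), not of the name field. A dev->nameunit of 24 characters or more is then copied past name[] into delta, and once delta is assigned on the next line the name is left without a terminating NUL, so a consumer that treats the first 24 bytes of a record as a C string reads on into the cycle count. Suggest sizeof(attachtimes[nattachtimes].name) instead.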

From: Dag-Erling Smørgrav
To: RW
Cc: freebsd-security@freebsd.org
Date: Thu, 27 Sep 2012 11:49:49 +0200
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <863923pzgi.fsf@ds4.des.no>
In-Reply-To: <20120919192836.3a60cdfd@gumby.homeunix.com>

RW writes:
> "Dag-Erling Smørgrav" writes:
> > You can't rely on the existence of a TSC. I would suggest using the
> > fractional part of binuptime instead.
> get_cyclecount() is supposed to be platform independent and should
> fall-back to nanotime(9) if TSC or equivalent is absent.

I just thought of another issue with get_cyclecount().

On machines with TSCs, its resolution varies with the CPU's speed
(nominal or actual, depending on the exact model). This means that
attachtime measurements have far lower resolution and therefore less
entropy on slow machines than on fast ones.

This doesn't mean we can't use get_cyclecount(), just that we shouldn't
base our entropy estimates on data gathered on a fast system.

DES
-- 
Dag-Erling Smørgrav - des@des.no

In-Reply-To: <863923pzgi.fsf@ds4.des.no>
Date: Thu, 27 Sep 2012 10:56:24 +0100
From: Ben Laurie
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, RW
Subject: Re: Collecting entropy from device_attach() times.

On Thu, Sep 27, 2012 at 10:49 AM, Dag-Erling Smørgrav wrote:
> RW writes:
>> "Dag-Erling Smørgrav" writes:
>> > You can't rely on the existence of a TSC. I would suggest using the
>> > fractional part of binuptime instead.
>> get_cyclecount() is supposed to be platform independent and should
>> fall-back to nanotime(9) if TSC or equivalent is absent.
>
> I just thought of another issue with get_cyclecount().
>
> On machines with TSCs, its resolution varies with the CPU's speed
> (nominal or actual, depending on the exact model). This means that
> attachtime measurements have far lower resolution and therefore less
> entropy on slow machines than on fast ones.
>
> This doesn't mean we can't use get_cyclecount(), just that we shouldn't
> base our entropy estimates on data gathered on a fast system.

We should certainly see how things look on slow systems, but note that
if the resolution is lower, then the measurements will also be smaller
(assuming attachment takes similar time), and so we will claim less
entropy anyway :-)

From: Dag-Erling Smørgrav
To: Ben Laurie
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> <863923pzgi.fsf@ds4.des.no>
Date: Thu, 27 Sep 2012 12:15:20 +0200
In-Reply-To: (Ben Laurie's message of "Thu, 27 Sep 2012 10:56:24 +0100")
Message-ID: <86y5jvojpj.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, RW
Subject: Re: Collecting entropy from device_attach() times.

Ben Laurie writes:
> We should certainly see how things look on slow systems, but note that
> if the resolution is lower, then the measurements will also be smaller
> (assuming attachment takes similar time), and so we will claim less
> entropy anyway :-)

Ah, I forgot about Pawel's flsl() trick.  You're right.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Thu, 27 Sep 2012 12:59:56 +0100
From: RW
To: freebsd-security@freebsd.org
Message-ID: <20120927125956.0594fa73@gumby.homeunix.com>
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> <863923pzgi.fsf@ds4.des.no>
Subject: Re: Collecting entropy from device_attach() times.

On Thu, 27 Sep 2012 10:56:24 +0100
Ben Laurie wrote:

> On Thu, Sep 27, 2012 at 10:49 AM, Dag-Erling Smørgrav
> wrote:
> > RW writes:
> >> "Dag-Erling Smørgrav" writes:
> >> > You can't rely on the existence of a TSC.  I would suggest using
> >> > the fractional part of binuptime instead.
> >> get_cyclecount() is supposed to be platform independent and should
> >> fall-back to nanotime(9) if TSC or equivalent is absent.
> >
> > I just thought of another issue with get_cyclecount().
> >
> > On machines with TSCs, its resolution varies with the CPU's speed
> > (nominal or actual, depending on the exact model).  This means that
> > attachtime measurements have far lower resolution and therefore less
> > entropy on slow machines than on fast ones.
> >
> > This doesn't mean we can't use get_cyclecount(), just that we
> > shouldn't base our entropy estimates on data gathered on a fast
> > system.
>
> We should certainly see how things look on slow systems, but note that
> if the resolution is lower, then the measurements will also be smaller
> (assuming attachment takes similar time), and so we will claim less
> entropy anyway :-)

That doesn't help if the system uses binuptime(), e.g. on arm

static __inline uint64_t
get_cyclecount(void)
{
        struct bintime bt;

        binuptime(&bt);
        return (bt.frac ^ bt.sec);

}

In this case it will appear to be a 18 EHz counter.

From: Dag-Erling Smørgrav
To: RW
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> <863923pzgi.fsf@ds4.des.no> <20120927125956.0594fa73@gumby.homeunix.com>
Date: Thu, 27 Sep 2012 16:34:23 +0200
In-Reply-To: <20120927125956.0594fa73@gumby.homeunix.com> (RW's message of "Thu, 27 Sep 2012 12:59:56 +0100")
Message-ID: <86pq57o7ps.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.

RW writes:
> static __inline uint64_t
> get_cyclecount(void)
> {
>         struct bintime bt;
>
>         binuptime(&bt);
>         return (bt.frac ^ bt.sec);
>
> }

Why the heck does it xor the integer and fractional parts together?
That makes no sense at all.  I would have used ((uint64_t)bt.sec << 32 |
bt.frac >> 32).  It wraps around after 136 years' uptime, but hey, you
can't win them all.

DES
-- 
Dag-Erling Smørgrav - des@des.no

In-Reply-To: <50619E5D.3010503@FreeBSD.org>
References: <50619E5D.3010503@FreeBSD.org>
Date: Thu, 27 Sep 2012 16:25:29 +0100
From: "Simon L. B. Nielsen"
To: Andrey Zonov
Cc: freebsd-security@freebsd.org
Subject: Re: [patch] unprivileged mlock(2)

On Tue, Sep 25, 2012 at 1:06 PM, Andrey Zonov wrote:
> Hi,
>
> Please review this patch [1] which allows unprivileged users call
> mlock()/munlock() and mlockall()/munlockall().
>
> AFAIK, these calls were not allowed for every-one because accounting for
> mlockall(MCL_FUTURE) was not implemented.

I can't comment on the implementation details (don't know much about
VM system), but do you have tests to show that the new code actually
works in preventing users from mlocking more than 8MB by default?

-- 
Simon L. B. Nielsen

Date: Fri, 28 Sep 2012 07:35:42 +1000 (EST)
From: Bruce Evans
To: Dag-Erling Smørgrav
In-Reply-To: <86pq57o7ps.fsf@ds4.des.no>
Message-ID: <20120928062245.K4426@besplex.bde.org>
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> <863923pzgi.fsf@ds4.des.no> <20120927125956.0594fa73@gumby.homeunix.com> <86pq57o7ps.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, RW
Subject: Re: Collecting entropy from device_attach() times.

On Thu, 27 Sep 2012, [utf-8] Dag-Erling Smørgrav wrote:

> RW writes:
>> static __inline uint64_t
>> get_cyclecount(void)
>> {
>>         struct bintime bt;
>>
>>         binuptime(&bt);
>>         return (bt.frac ^ bt.sec);
>>
>> }
>
> Why the heck does it xor the integer and fractional parts together?
> That makes no sense at all.  I would have used ((uint64_t)bt.sec << 32 |
> bt.frac >> 32).  It wraps around after 136 years' uptime, but hey, you
> can't win them all.

Because most of the entropy is in the fractional part, and most of it
may be in the low 32 bits that you want to discard.  Even if the
hardware timecounter has a low frequency, ntp adjustments at a very low
rate would put more entropy in the low bits than the high bits.
Scaling of the hardware timecounter will probably also make the low bits
nonzero, but its rate probably won't be so low as to not stir all of the
available entropy into the high bits.  While booting, the seconds part
will only change a few times, so the entropy in it is especially low,
but your way reserves 32 bits for it.  Low-end systems with no hardware
cycle counters may be so slow to boot that binuptime() gives as much
entropy as a faster system using a hardware cycle counter.  Calling
binuptime() a lot is a good way to keep them slow.

The above is missing the pessimizations and entropy differences that
i386 has.  i386 get_cyclecount() used to return rdtsc() if
(tsc_present), with all calls inline.  Otherwise, it used binuptime()
and xor as above.  Now it calls the generic cpu_ticks(), which is
non-inline and further pessimized using function pointers and other
methods (cpu_ticks is a function pointer ...).  The entropy differences
are that cpu_ticks is not affected by ntp even when it is based on a
timecounter.  ntp won't be running at boot time, and later some of the
entropy changes that it makes are negative, since it is trying to sync
with the predictable real time.  bt.bt_^H^H^Hsec is also very
predictable.

Bruce

From: Dag-Erling Smørgrav
To: Bruce Evans
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> <863923pzgi.fsf@ds4.des.no> <20120927125956.0594fa73@gumby.homeunix.com> <86pq57o7ps.fsf@ds4.des.no> <20120928062245.K4426@besplex.bde.org>
Date: Fri, 28 Sep 2012 00:10:15 +0200
In-Reply-To: <20120928062245.K4426@besplex.bde.org> (Bruce Evans's message of "Fri, 28 Sep 2012 07:35:42 +1000 (EST)")
Message-ID: <86fw63w20o.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, RW
Subject: Re: Collecting entropy from device_attach() times.

Bruce Evans writes:
> "Dag-Erling Smørgrav" writes:
> > RW writes:
> > > binuptime(&bt);
> > > return (bt.frac ^ bt.sec);
> > Why the heck does it xor the integer and fractional parts together?
> Because most of the entropy is in the fractional part,

This is not about entropy, it's about implementing get_cyclecount() on a
platform that doesn't have a TSC.  It's supposed to be monotonic, and
this implementation clearly isn't.  Even when bt.sec is small enough
that it doesn't affect significant digits of bt.frac (which should be
most of the time, unless the resolution of the underlying timecounter
exceeds ~2^32 Hz), get_cyclecount() will go backward every time a new
second ticks over.

DES
-- 
Dag-Erling Smørgrav - des@des.no
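
The two claims made in the messages above (the xor of bt.frac and bt.sec goes backward at every new second, while the proposed shift form stays monotonic and wraps after about 136 years) can be checked in userland. This is an added example, not code from the thread or from FreeBSD: struct bintime_model, the 1 kHz tick rate and every function name are assumptions made for the demonstration, and bit_length() stands in for an flsl()-style magnitude measure.

```c
#include <stdint.h>
#include <stdio.h>

/* Userland stand-in for FreeBSD's struct bintime (assumed layout: whole
 * seconds plus a 64-bit binary fraction of a second). */
struct bintime_model {
	int64_t  sec;
	uint64_t frac;
};

typedef uint64_t (*combine_fn)(struct bintime_model);

/* The fallback quoted in the thread: xor of fraction and seconds. */
static uint64_t
cc_xor(struct bintime_model bt)
{
	return (bt.frac ^ (uint64_t)bt.sec);
}

/* The alternative proposed in the thread: 32.32 fixed point. */
static uint64_t
cc_shift(struct bintime_model bt)
{
	return ((uint64_t)bt.sec << 32 | bt.frac >> 32);
}

/* Constructed clock: uptime after `tick` ticks of an `hz` Hz timecounter. */
static struct bintime_model
uptime_at(uint64_t tick, uint64_t hz)
{
	struct bintime_model bt;

	bt.sec = (int64_t)(tick / hz);
	bt.frac = (tick % hz) * (UINT64_MAX / hz);
	return (bt);
}

/* How many consecutive reads return a smaller value than the one before. */
static unsigned
backward_steps(combine_fn f, uint64_t hz, uint64_t seconds)
{
	uint64_t prev = f(uptime_at(0, hz));
	unsigned n = 0;

	for (uint64_t t = 1; t <= hz * seconds; t++) {
		uint64_t cur = f(uptime_at(t, hz));

		if (cur < prev)
			n++;
		prev = cur;
	}
	return (n);
}

/* Portable stand-in for an flsl()-style magnitude: 1-based top set bit. */
static unsigned
bit_length(uint64_t v)
{
	unsigned n = 0;

	for (; v != 0; v >>= 1)
		n++;
	return (n);
}

/* Size, in bits, of the delta produced by a single timer tick. */
static unsigned
one_tick_bits(combine_fn f, uint64_t hz)
{
	return (bit_length(f(uptime_at(2, hz)) - f(uptime_at(1, hz))));
}

/* Years of uptime before the 32-bit seconds field of cc_shift() wraps. */
static double
shift_wrap_years(void)
{
	return (4294967296.0 / (365.25 * 86400.0));
}

int
main(void)
{
	const uint64_t hz = 1000;	/* constructed: a 1 kHz timecounter */

	printf("backward steps in 5 s: xor=%u shift=%u\n",
	    backward_steps(cc_xor, hz, 5), backward_steps(cc_shift, hz, 5));
	printf("bits in a one-tick delta: xor=%u shift=%u\n",
	    one_tick_bits(cc_xor, hz), one_tick_bits(cc_shift, hz));
	printf("shift form wraps after %.1f years\n", shift_wrap_years());
	return (0);
}
```

With the xor form a single tick of a 1 kHz clock produces a 55-bit delta, which is RW's "18 EHz counter" observation: the size of the measurement says nothing about the resolution of the underlying timer.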

From: Dag-Erling Smørgrav
To: Pawel Jakub Dawidek
References: <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <20120925102240.GC1571@garage.freebsd.pl> <86mx0eqsgy.fsf@ds4.des.no>
Date: Fri, 28 Sep 2012 01:30:50 +0200
In-Reply-To: <86mx0eqsgy.fsf@ds4.des.no> ("Dag-Erling Smørgrav"'s message of "Tue, 25 Sep 2012 12:58:37 +0200")
Message-ID: <86bogrvyad.fsf@ds4.des.no>
Cc: Jonathan Anderson, John Baldwin, Ben Laurie, freebsd-security@freebsd.org, RW, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.

I now have two EPIAs, a laptop and a VirtualBox VM gathering data using
this patch:

http://people.freebsd.org/~des/software/attachtimes.diff

If you want to join in, here's how to prepare a USB stick:

  fetch http://people.freebsd.org/~des/software/attachtimes.tgz
  dd if=/dev/zero of=/dev/da0 bs=1m count=1
  gpart create -s gpt da0
  gpart bootcode -b /boot/pmbr da0
  gpart add -b 34 -s 94 -t freebsd-boot da0
  gpart bootcode -p /boot/gptboot -i 1 da0
  gpart add -t freebsd-ufs da0
  newfs -Uj /dev/da0p2
  mount -t ufs /dev/da0p2 /mnt
  tar zxf attachtimes.tgz -C /mnt
  sed -i.orig -e 's/ada0/da0/' /mnt/etc/fstab
  umount /mnt

or a VirtualBox disk image:

  fetch http://people.freebsd.org/~des/software/attachtimes.tgz
  rm -f attachtimes.img
  truncate -s 4G attachtimes.img
  mdconfig attachtimes.img
  gpart create -s gpt md0
  gpart bootcode -b /boot/pmbr md0
  gpart add -b 34 -s 94 -t freebsd-boot md0
  gpart bootcode -p /boot/gptboot -i 1 md0
  gpart add -t freebsd-ufs md0
  newfs -Uj /dev/md0p2
  mount -t ufs /dev/md0p2 /mnt
  tar zxf attachtimes.tgz -C /mnt
  vi /mnt/boot/loader.conf # remove the ata hint
  umount /mnt
  mdconfig -d -u 0
  VBoxManage convertfromraw attachtimes.img attachtimes.vdi

The kernel and binaries in the tarball are 32-bit.

The updated patch is at http://people.freebsd.org/~des/software/attachtimes.diff.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Fri, 28 Sep 2012 09:43:09 +1000 (EST)
From: Bruce Evans
To: Dag-Erling Smørgrav
In-Reply-To: <86fw63w20o.fsf@ds4.des.no>
Message-ID: <20120928084927.R5001@besplex.bde.org>
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> <863923pzgi.fsf@ds4.des.no> <20120927125956.0594fa73@gumby.homeunix.com> <86pq57o7ps.fsf@ds4.des.no> <20120928062245.K4426@besplex.bde.org> <86fw63w20o.fsf@ds4.des.no>
Cc: freebsd-security@FreeBSD.org, RW
Subject: Re: Collecting entropy from device_attach() times.

On Fri, 28 Sep 2012, [utf-8] Dag-Erling Smørgrav wrote:

> Bruce Evans writes:
>> "Dag-Erling Smørgrav" writes:
>>> RW writes:
>>>> binuptime(&bt);
>>>> return (bt.frac ^ bt.sec);
>>> Why the heck does it xor the integer and fractional parts together?
>> Because most of the entropy is in the fractional part,
>
> This is not about entropy, it's about implementing get_cyclecount() on a
> platform that doesn't have a TSC.  It's supposed to be monotonic, and
> this implementation clearly isn't.  Even when bt.sec is small enough

Its monotonicity and documentation of same is a bug.

> that it doesn't affect significant digits of bt.frac (which should be
> most of the time, unless the resolution of the underlying timecounter
> exceeds ~2^32 Hz), get_cyclecount() will go backward every time a new
> second ticks over.

Its implementation demonstrates that it was never actually monotonic.
Even rdtsc() isn't necessarily monotonic.  Its comment in at least the
i386 version still says that it "Return[s] contents of an in-cpu fast
counter as a sort of "bogo-time" for random-harvesting purposes".  This
has rotted in various ways:
- on i386 without tsc_present, it never used an in-cpu fast counter
  (since there is none)
- on i386, without tsc_present, it now uses the generic cpu_ticks() and
  gets whatever that gives, which happens to be a more monotonic less
  bogus time than before, and which doesn't have the xor hack.
- on i386, with tsc_present, it now uses the generic cpu_ticks() and
  gets whatever that gives, which happens to be the same in-cpu fast
  counter as before.  It shouldn't be commenting about what cpu_ticks()
  [doesn't] do.
- its man page says that it uses a "register available in most modern
  CPUs to return a value that is monotonically increasing inside each
  CPU", and explicitly documents that each CPU gives a separate
  monotonic sequence.  A strict reading of this says that it doesn't
  exist on non-modern CPUs or on some modern CPUs.  Bugs in this include:
  - over-specification of implementation details.  Lots of bugs in the
    details:
    - at least in i386, the value isn't necessarily increasing even
      within each CPU, since rdtsc() isn't serialized and maybe something
      resets the register.  The implementation just uses rdtsc() without
      worrying about these points.
    - on more modern CPUs, the values are synced, so the sequences aren't
      separate.
  - guaranteeing monotonicity.
- it is now abused for non-random-harvesting purposes, and some of these
  require it to be monotonic.  These places mostly just want a timestamp
  for debugging and should be using microtime().

See one of my old mails for full details of this and more details of the
bogusness of get_cyclecount().  I should have objected more strongly
when it was implemented.  Just using binuptime() was adequate iff the
timecounter hardware is the same as the cycle counter (TSC on x86).  A
TSC usable for timecounter hardware is normal now.

I don't like cpu_tick() either, but it solves the efficiency problem
with the timecounter hardware not being the cycle counter.  It solves
them for use mainly in thread runtime accounting, but is usable for
get_cyclecount() too, and is in fact used for get_cyclecount() on i386
(get_cyclecount() just wraps it and no one except bde cares about the
inefficiency of this).  cpu_tick() is undocumented, so there are no bugs
in its man page to fix.

Bruce

From: Dag-Erling Smørgrav
To: Bruce Evans
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> <863923pzgi.fsf@ds4.des.no> <20120927125956.0594fa73@gumby.homeunix.com> <86pq57o7ps.fsf@ds4.des.no> <20120928062245.K4426@besplex.bde.org> <86fw63w20o.fsf@ds4.des.no> <20120928084927.R5001@besplex.bde.org>
Date: Fri, 28 Sep 2012 09:44:11 +0200
In-Reply-To: <20120928084927.R5001@besplex.bde.org> (Bruce Evans's message of "Fri, 28 Sep 2012 09:43:09 +1000 (EST)")
Message-ID: <86ipayr3qs.fsf@ds4.des.no>
Cc: freebsd-security@FreeBSD.org, RW
Subject: Re: Collecting entropy from device_attach() times.

Bruce Evans writes:
> I should have objected more strongly when it was implemented.

So let's kill it :)

DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Dag-Erling Smørgrav
To: Pawel Jakub Dawidek
References: <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> <20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com> <20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com> <86r4pqqwnm.fsf@ds4.des.no> <20120925102240.GC1571@garage.freebsd.pl> <86mx0eqsgy.fsf@ds4.des.no>
Date: Fri, 28 Sep 2012 10:33:31 +0200
In-Reply-To: <86mx0eqsgy.fsf@ds4.des.no> ("Dag-Erling Smørgrav"'s message of "Tue, 25 Sep 2012 12:58:37 +0200")
Message-ID: <867grer1gk.fsf@ds4.des.no>
Cc: Jonathan Anderson, John Baldwin, Ben Laurie, freebsd-security@freebsd.org, RW, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.

Dag-Erling Smørgrav writes:
> With a sub-minute cycle time, I can get a couple of hundred thousand
> samples per machine over the weekend.

Uh, not even close.  My sleep-deprived brain substituted 86400 for 1440.
I should still get 10 - 20 thousand samples, though.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Message-ID: <5065A51B.6010905@FreeBSD.org>
Date: Fri, 28 Sep 2012 17:24:43 +0400
From: Andrey Zonov
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "Simon L. B. Nielsen"
References: <50619E5D.3010503@FreeBSD.org>
In-Reply-To:
X-Enigmail-Version: 1.4.4
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig113F7C254FA28DBDFF7833B6"
Cc: freebsd-security@freebsd.org
Subject: Re: [patch] unprivileged mlock(2)

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig113F7C254FA28DBDFF7833B6
Content-Type: multipart/mixed; boundary="------------090508050401040600020903"

This is a multi-part message in MIME format.
--------------090508050401040600020903
Content-Type: text/plain; charset=UTF-8

On 9/27/12 7:25 PM, Simon L. B. Nielsen wrote:
> On Tue, Sep 25, 2012 at 1:06 PM, Andrey Zonov wrote:
>> Hi,
>>
>> Please review this patch [1] which allows unprivileged users call
>> mlock()/munlock() and mlockall()/munlockall().
>>
>> AFAIK, these calls were not allowed for every-one because accounting for
>> mlockall(MCL_FUTURE) was not implemented.
>
> I can't comment on the implementation details (don't know much about
> VM system), but do you have tests to show that the new code actually
> works in preventing users from mlocking more than 8MB by default?
>

Sure, test is attached.

So, lock only current memory:
[zont@vm020 ~/mlock]$ limits -l 50m ./mlock 1 100
mlock: rss: 138Mb; allocated: 100Mb

Lock only future memory:
[zont@vm020 ~/mlock]$ limits -l 50m ./mlock 2 100
mlock: calloc(): Cannot allocate memory
mlock: rss: 46Mb; allocated: 33Mb

and fail at about 50Mb.

Now lock current and future memory:
[zont@vm020 ~/mlock]$ limits -l 50m ./mlock 3 100
mlock: calloc(): Cannot allocate memory
mlock: rss: 49Mb; allocated: 33Mb

and fail again.

The numbers are rough because I use calloc() in test. To get more
precise numbers test should be rewritten to use mmap() and/or sbrk().

-- 
Andrey Zonov

--------------090508050401040600020903
Content-Type: text/plain; charset=UTF-8; x-mac-type="0"; x-mac-creator="0"; name="mlock.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mlock.c"

--------------090508050401040600020903--

--------------enig113F7C254FA28DBDFF7833B6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

--------------enig113F7C254FA28DBDFF7833B6--