From owner-freebsd-arch@FreeBSD.ORG Wed Feb 25 09:06:48 2015 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 68AC986F; Wed, 25 Feb 2015 09:06:48 +0000 (UTC) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0714737C; Wed, 25 Feb 2015 09:06:47 +0000 (UTC) Received: from tom.home (kostik@localhost [127.0.0.1]) by kib.kiev.ua (8.14.9/8.14.9) with ESMTP id t1P96cR5047097 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 25 Feb 2015 11:06:38 +0200 (EET) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.9.2 kib.kiev.ua t1P96cR5047097 Received: (from kostik@localhost) by tom.home (8.14.9/8.14.9/Submit) id t1P96cDB047096; Wed, 25 Feb 2015 11:06:38 +0200 (EET) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Wed, 25 Feb 2015 11:06:38 +0200 From: Konstantin Belousov To: Harrison Grundy Subject: Re: locks and kernel randomness... Message-ID: <20150225090638.GB74514@kib.kiev.ua> References: <20150224174053.GG46794@funkthat.com> <54ECBD4B.6000007@freebsd.org> <20150224182507.GI46794@funkthat.com> <54ECEA43.2080008@freebsd.org> <20150224231921.GQ46794@funkthat.com> <1424822522.1328.11.camel@freebsd.org> <20150225002956.GT46794@funkthat.com> <2F49527F-2F58-4BD2-B8BE-1B1190CCD4D0@bsdimp.com> <54ED5656.50607@astrodoggroup.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <54ED5656.50607@astrodoggroup.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tom.home Cc: John-Mark Gurney , Alfred Perlstein , Ian Lepore , freebsd-arch@freebsd.org X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2015 09:06:48 -0000 On Tue, Feb 24, 2015 at 08:57:58PM -0800, Harrison Grundy wrote: > <... snip ...> > > The timing attack I talked to you about on IRC works like this: > > A userland process creates as many threads as there are CPUs, and by > manipulating the load they generate, gets it so they're all flagged as > interactive and at the same priority. (alternating spin and sleep with > a 2% duty cycle would work, for instance) > > It would also be possible to coerce a userland process, like apache to > behave this way. > > These threads now have the ability to preempt all timeshare tasks on > all CPUs for slice_size time, by waking up and spinning at the same > time. This means they can get very precise knowledge about scheduling, > by timing when they get to run, versus when they have to wait. Ok, this is definitely not impossible. > > By watching CPU0, one of these threads can measure balance_ticks. > > This is important because balance_ticks directly exposes the last 7 > bits it gets back from random(). (The value gets applied to > balance_interval to keep the balancer from running on exactly the same > interval) > > This means that if an attacker can trigger the use of random, or is > willing to wait long enough for a race, they can determine the value > of those bits that were passed along to anyone who called random() at > the same time. > > It also means that they can eventually discover the state of the RNG, > and predict future values. > > The security implications of disclosing the values this way isn't as > severe as it might seem, simply because random() isn't really used in > any cryptographically sensitive areas, but there are definite > consequences, like predicting firewall port values, and NFS client > transaction IDs. > > It is, however, surprising to learn that the balance_interval sysctl > has security implications. So this is an argument to remove the current random() call from the sched_balance(). There is no implications for use of e.g. get_cyclecount() in the sched_balance(), since on x86 userspace has the ability to read the underlying counter directly. On other architectures, where counter backing get_cyclecount() is not accessible to userspace, it is still feasible to use in sched_balance(), simply because counter is ticking. Do you agree with these statements ? Also, as I understand from your other responses, you did tested the patch to use get_cyclecount() on non-x86 machines ? I try to understand what testing was done for the get_cyclecount() for sched_balance() patch, i.e. is it ready for commit.