From: Andrey Chernov
To: Xin LI
Cc: Steven Chamberlain, des@des.no, kostikbel@gmail.com, "freebsd-security@freebsd.org", freebsd
Subject: Re: arc4random weakness
Date: Thu, 16 Mar 2017 22:26:09 +0300
Message-ID: <8677f9d8-b326-2526-47ce-f2e18421c074@freebsd.org>

On 16.03.2017 20:24, Xin LI wrote:
> On Wed, Mar 15, 2017 at 1:13 PM, Andrey Chernov wrote:
>> On 15.03.2017 16:06, Steven Chamberlain wrote:
>>> Also it is great to see INHERIT_ZERO was added to mmap(2)!
>>
>> It is not so great. For a program which forks very often, zeroing even
>> one page will be a slowdown. It will be better and faster to implement it
>> as a fork syscall wrapper setting a single variable, as it is already done
>> for the threaded lib.
>
> I think it's exactly what was done (and unlike a fork wrapper, the
> zeroing only happens on-demand, i.e. when the page is first touched).

Theo kindly explained that zeroing the whole page instead of a single variable
suits his newest arc4random better, since it clears two structs at once
(including ChaCha state), making some form of backward secrecy.
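
The zero-on-fork behaviour discussed in this thread, as an added example that is not part of the original message and is not FreeBSD's or OpenBSD's arc4random code. `struct rng_page` and its contents are hypothetical stand-ins; the block uses `minherit(2)` with `INHERIT_ZERO` where the headers provide it and otherwise assumes Linux `MADV_WIPEONFORK` as the equivalent.

```c
#define _DEFAULT_SOURCE              /* glibc: expose MAP_ANON and madvise() */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for an RNG's per-process state (illustrative names). */
struct rng_page {
    unsigned char key[32];           /* stand-in for cipher key/state */
    size_t        have;              /* buffered bytes left; 0 means "reseed" */
};

/* Ask the kernel to hand a forked child zeroed pages for this mapping. */
static int wipe_on_fork(void *p, size_t len)
{
#if defined(INHERIT_ZERO)            /* BSD minherit(2) */
    return minherit(p, len, INHERIT_ZERO);
#elif defined(MADV_WIPEONFORK)       /* Linux 4.14+ madvise(2) */
    return madvise(p, len, MADV_WIPEONFORK);
#else
    (void)p; (void)len; return -1;
#endif
}

/* 1: child saw all-zero state and parent kept its own; 0: state leaked
 * into the child; -1: unsupported platform or system call failure. */
int child_sees_wiped_state(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    struct rng_page *st = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANON, -1, 0);
    if (st == MAP_FAILED || wipe_on_fork(st, len) != 0) return -1;
    memset(st->key, 0xA5, sizeof st->key);    /* constructed "secret" */
    st->have = 16;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                  /* child: both fields read back as zero */
        static const struct rng_page zero;
        _exit(memcmp(st, &zero, sizeof zero) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    int parent_intact = st->key[0] == 0xA5 && st->have == 16;
    munmap(st, len);
    return (WEXITSTATUS(status) == 0 && parent_intact) ? 1 : 0;
}
int main(void)
{
    printf("child_sees_wiped_state() = %d\n", child_sees_wiped_state());
}
```

Because the key and the `have` counter share the page, the child loses both at once: a zero counter forces a reseed, and the parent's key material never exists in the child's address space.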