Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 16 Jan 2014 20:09:10 +0100
From:      =?iso-8859-2?Q?Edward_Tomasz_Napiera=B3a?= <trasz@FreeBSD.org>
To:        Alan Somers <asomers@FreeBSD.org>
Cc:        freebsd-stable@freebsd.org, Darren Pilgrim <list_freebsd@bluerosetech.com>
Subject:   Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:01.random
Message-ID:  <E7EB3D19-13E6-481D-B724-0DFF10FFBBCF@FreeBSD.org>
In-Reply-To: <CAOtMX2in=E67i-jXoBX=aU3L7az3so45ojBrNVM%2BO222DyjJ2Q@mail.gmail.com>
References:  <201401142011.s0EKBoi7082738@freefall.freebsd.org> <52D6BF9C.8070405@bluerosetech.com> <52D6D5C7.80200@sentex.net> <52D6D93F.7020600@bluerosetech.com> <CAOtMX2in=E67i-jXoBX=aU3L7az3so45ojBrNVM%2BO222DyjJ2Q@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

Wiadomość napisana przez Alan Somers w dniu 15 sty 2014, o godz. 20:25:
> On Wed, Jan 15, 2014 at 11:53 AM, Darren Pilgrim
> <list_freebsd@bluerosetech.com> wrote:
>> On 1/15/2014 10:39 AM, Mike Tancsa wrote:
>>> 
>>> On 1/15/2014 12:04 PM, Darren Pilgrim wrote:
>>>> 
>>>> 
>>>> 1. If you're on "bare metal", the attacker has firmware-level or
>>>> physical access to the machine;
>>>> 2. If you're on a hypervisor, you can't trust the hypervisor;
>>>> 
>>>> In both cases, I would think the attacker can use much simpler, more
>>>> direct vectors and you have much worse things to worry about than the
>>>> quality of /dev/random.  I'm not questioning the validity of the
>>>> advisory, I'm genuinely curious about this.  I can't think of a scenario
>>>> were someone could attack /dev/random using this vector without 1 or 2
>>>> above also being true.
>>> 
>>> 
>>> Say you have a physical tap on the network upstream from the victim. The
>>> victim is exchanging data across a VPN. You can capture the encrypted
>>> traffic, and knowing there is a weakness in the quality of RNG, more
>>> easily decode the encrypted traffic.  You dont have to worry about
>>> sending "extra" traffic from the host say, by poking around in /dev/mem
>>> etc.
>> 
>> 
>> Yes, that's an obvious consequence of a compromised RNG; but that's not what
>> I was asking.  I'm asking how the attacker could compromise the hardware RNG
>> without also obtaining effectively unfettered access to the entire system.
> 
> By compromising it at the design stage.  For example, the NSA could
> hypothetically collaborate with Intel to trojan Intel's RNG.  In that
> case, the NSA would've compromised the RNG, but they wouldn't have
> unfettered access to the rest of the system.

Also this: http://people.umass.edu/gbecker/BeckerChes13.pdf

"In this paper, we will therefore focus on Trojans inserted into designs
at the layout level, after the place & route phase. [..] By using two case
studies, a side-channel resistant SBox implementation and an implementation
of a secure digital random number post-processing design derived from Intel's
new RNG used in the Ivy Bridge processors, we prove that the proposed
dopant-based Trojans can be used eciently in practice to compromise
the security".

Might not apply to Intel, since it has its own fabs, but e.g. AMD doesn't.

-- 
If you cut off my head, what would I say?  Me and my head, or me and my body?

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E7EB3D19-13E6-481D-B724-0DFF10FFBBCF>