From owner-freebsd-stable@FreeBSD.ORG Thu Jan 16 19:09:18 2014 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E1DF283F; Thu, 16 Jan 2014 19:09:17 +0000 (UTC) Received: from mail-ee0-x22c.google.com (mail-ee0-x22c.google.com [IPv6:2a00:1450:4013:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 4C51D1E5C; Thu, 16 Jan 2014 19:09:17 +0000 (UTC) Received: by mail-ee0-f44.google.com with SMTP id c13so1695080eek.31 for ; Thu, 16 Jan 2014 11:09:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=L3xNtxA1p38tPe0gvem0Fav5atlx/iBHhjaC3MrQuDg=; b=s5FrLWQh5u08oigtV7TGGnaIs/VlynaNojJS9nmgU4u7LVyVcReVXtfDYe7gBIxfBn s7zQMWUk1SRstb244V+ec9uQbyEXYzWML5bUm/62HCTygdzP/EUEdJ132RMjOW8KBBM/ XidIoGUN0By+dcO6tZVFS6cR/qTlg7Psla2sOsXNUg8J57K9jfRExZ78NC225RwOIwNL qN0TdDDQHE0VqPYozv3ReTnx3jLyAlpAa606/KA7570ikznrb8No2DGl/E8IhuPbJMCH ZyeK8VSzVFInZuQpA7SohIVl14BFKwdSOkq5PoAfQ53NlJUcwGuNoTnit1/4ufJExP10 99Bg== X-Received: by 10.15.24.72 with SMTP id i48mr13880224eeu.74.1389899355646; Thu, 16 Jan 2014 11:09:15 -0800 (PST) Received: from [192.168.1.101] (45.81.datacomsa.pl. [195.34.81.45]) by mx.google.com with ESMTPSA id h3sm20586250eem.15.2014.01.16.11.09.13 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 16 Jan 2014 11:09:15 -0800 (PST) Sender: =?UTF-8?Q?Edward_Tomasz_Napiera=C5=82a?= Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:01.random Mime-Version: 1.0 (Apple Message framework v1283) Content-Type: text/plain; charset=iso-8859-2 From: =?iso-8859-2?Q?Edward_Tomasz_Napiera=B3a?= In-Reply-To: Date: Thu, 16 Jan 2014 20:09:10 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: References: <201401142011.s0EKBoi7082738@freefall.freebsd.org> <52D6BF9C.8070405@bluerosetech.com> <52D6D5C7.80200@sentex.net> <52D6D93F.7020600@bluerosetech.com> To: Alan Somers X-Mailer: Apple Mail (2.1283) Cc: freebsd-stable@freebsd.org, Darren Pilgrim X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 19:09:18 -0000 Wiadomo=B6=E6 napisana przez Alan Somers w dniu 15 sty 2014, o godz. = 20:25: > On Wed, Jan 15, 2014 at 11:53 AM, Darren Pilgrim > wrote: >> On 1/15/2014 10:39 AM, Mike Tancsa wrote: >>>=20 >>> On 1/15/2014 12:04 PM, Darren Pilgrim wrote: >>>>=20 >>>>=20 >>>> 1. If you're on "bare metal", the attacker has firmware-level or >>>> physical access to the machine; >>>> 2. If you're on a hypervisor, you can't trust the hypervisor; >>>>=20 >>>> In both cases, I would think the attacker can use much simpler, = more >>>> direct vectors and you have much worse things to worry about than = the >>>> quality of /dev/random. I'm not questioning the validity of the >>>> advisory, I'm genuinely curious about this. I can't think of a = scenario >>>> were someone could attack /dev/random using this vector without 1 = or 2 >>>> above also being true. >>>=20 >>>=20 >>> Say you have a physical tap on the network upstream from the victim. = The >>> victim is exchanging data across a VPN. You can capture the = encrypted >>> traffic, and knowing there is a weakness in the quality of RNG, more >>> easily decode the encrypted traffic. You dont have to worry about >>> sending "extra" traffic from the host say, by poking around in = /dev/mem >>> etc. >>=20 >>=20 >> Yes, that's an obvious consequence of a compromised RNG; but that's = not what >> I was asking. I'm asking how the attacker could compromise the = hardware RNG >> without also obtaining effectively unfettered access to the entire = system. >=20 > By compromising it at the design stage. For example, the NSA could > hypothetically collaborate with Intel to trojan Intel's RNG. In that > case, the NSA would've compromised the RNG, but they wouldn't have > unfettered access to the rest of the system. Also this: http://people.umass.edu/gbecker/BeckerChes13.pdf "In this paper, we will therefore focus on Trojans inserted into designs at the layout level, after the place & route phase. [..] By using two = case studies, a side-channel resistant SBox implementation and an = implementation of a secure digital random number post-processing design derived from = Intel's new RNG used in the Ivy Bridge processors, we prove that the proposed dopant-based Trojans can be used e=0Eciently in practice to compromise the security". Might not apply to Intel, since it has its own fabs, but e.g. AMD = doesn't. --=20 If you cut off my head, what would I say? Me and my head, or me and my = body?