Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3114474yba; Tue, 16 Apr 2019 05:10:01 -0700 (PDT) X-Google-Smtp-Source: APXvYqwgCsykBAzvgFMOBidojGdq1BZzk0Av5vY46GYXDHT4j3v/fGQhGeliBg11k8FK5P5whDMc X-Received: by 2002:a62:e418:: with SMTP id r24mr82407652pfh.52.1555416601240; Tue, 16 Apr 2019 05:10:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555416601; cv=none; d=google.com; s=arc-20160816; b=qUAeICkKoWXEtV73tizt0HAyT/cXYeh2kKPwuYGK1a721jYL+Uh0JqkP6Gh8t/ZLgp bzCVfjSzqtU5bz6EcAQo0K/7qg0RGUv+w/e7H9bPJP8JPm4E6OQyVi2hBkeSNhsS3tKt WFQ+1XYjInnExBv7VycTsA8YyGNCa0RTKIVEqN4pnWLz4HkkTRsVBCt+CKdqinSNDFni sNs9UrtznjMcMIbOWNKn6VxPlTPnx3KIfSM/Ds9gffq28rnk/dXs2XaBHt+0uxZX3ueJ b4F4yt1gbjst/zlpAk9uNfeq2BGN5fLdRw7eR1RitOsX7MO3/8tzpwKXhFJYGoU09B+X f6iA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=X+xM7T1dkmqCagpQwf3/KoRz3Labh9sfqwlLQysIDgs=; b=AS0366oRBEylc5JZ3gCZELeNI1pKPNX9z20qxfZu2/rSOGu5W3VI2Tq4pQ2xewIJEd iuYPdxTLVA9xnAKTcq4c2OGY/U+6+JBDLrlQMTWDl/uZ+nB0LmbfUGAcGYORJTeoYiHe DTZA3s2Wpw2nHz/WXVN3/RZCymwRfU91WPx0dHtHTins/Vwh/g6G5qF89sKNE4GkWvum Kea7WY8uH6c6PAHvEd4dNSAoc5cz7yHjluFF6ymtYU2dQ9xMpOOKglBerpTe9PWXWrCP 9FLEZ1BfL1o3G76h5lWCVUbebhlIxHLc7QyU/H8b86dwXIZgFwlD8A1fOdUjcC4OUNtW WlSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=UV0i+VCp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h10si46730823pgk.85.2019.04.16.05.09.45; Tue, 16 Apr 2019 05:10:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=UV0i+VCp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728945AbfDPMIv (ORCPT + 99 others); Tue, 16 Apr 2019 08:08:51 -0400 Received: from merlin.infradead.org ([205.233.59.134]:45128 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726857AbfDPMIv (ORCPT ); Tue, 16 Apr 2019 08:08:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=X+xM7T1dkmqCagpQwf3/KoRz3Labh9sfqwlLQysIDgs=; b=UV0i+VCpuUKfWm4H5NOmlhuyy qBGYoPPiKSY0WeNd+QQb6LTCxmnY7//Roe5C69oZqnu2HlNbZFsZTLoWMQhrdR0h17Y/SMYCZUw9H ETqtLNtkjrbHPYmxwgttxKaT73Hpql0yUELMg+OIBSnF3B6iI9luCxEaIEGx1aD/SYR4SqOf2W86n m6RlST2p7Klge+HQditkPQ61KnT13RLv93gpf8jAz494gmCUAhxLCB2v0Kxzjc93dgjoChNx16mMX eOAAua2jqb5MLwuCkuPZIe4Hcg7GRVjUUxxbMivEqOZhtVqP0jbGLTdbIo1bRTciU0qQX18Wpv3yS wTGBd5zmw==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net) by merlin.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1hGMsy-0002Jn-3M; Tue, 16 Apr 2019 12:08:24 +0000 Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 961F728691C15; Tue, 16 Apr 2019 14:08:22 +0200 (CEST) Date: Tue, 16 Apr 2019 14:08:22 +0200 From: Peter Zijlstra To: "Reshetova, Elena" Cc: Ingo Molnar , "tytso@mit.edu" , Daniel Borkmann , "luto@kernel.org" , "luto@amacapital.net" , "linux-kernel@vger.kernel.org" , "jpoimboe@redhat.com" , "keescook@chromium.org" , "jannh@google.com" , "Perla, Enrico" , "mingo@redhat.com" , "bp@alien8.de" , "tglx@linutronix.de" , "gregkh@linuxfoundation.org" Subject: Re: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall Message-ID: <20190416120822.GV11158@hirez.programming.kicks-ass.net> References: <20190415060918.3766-1-elena.reshetova@intel.com> <20190415072535.GA51449@gmail.com> <2236FBA76BA1254E88B949DDB74E612BA4C4F90F@IRSMSX102.ger.corp.intel.com> <20190416073444.GC127769@gmail.com> <2236FBA76BA1254E88B949DDB74E612BA4C51962@IRSMSX102.ger.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2236FBA76BA1254E88B949DDB74E612BA4C51962@IRSMSX102.ger.corp.intel.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 16, 2019 at 11:10:16AM +0000, Reshetova, Elena wrote: > > > > The kernel can execute millions of syscalls per second, I'm pretty sure > > there's a statistical attack against: > > > > * This is a maximally equidistributed combined Tausworthe generator > > * based on code from GNU Scientific Library 1.5 (30 Jun 2004) > > * > > * lfsr113 version: > > * > > * x_n = (s1_n ^ s2_n ^ s3_n ^ s4_n) > > * > > * s1_{n+1} = (((s1_n & 4294967294) << 18) ^ (((s1_n << 6) ^ s1_n) >> 13)) > > * s2_{n+1} = (((s2_n & 4294967288) << 2) ^ (((s2_n << 2) ^ s2_n) >> 27)) > > * s3_{n+1} = (((s3_n & 4294967280) << 7) ^ (((s3_n << 13) ^ s3_n) >> 21)) > > * s4_{n+1} = (((s4_n & 4294967168) << 13) ^ (((s4_n << 3) ^ s4_n) >> 12)) > > * > > * The period of this generator is about 2^113 (see erratum paper). > > > > ... which recovers the real PRNG state much faster than the ~60 seconds > > seeding interval and allows the prediction of the next stack offset? > > I hope Theodore can comment on bounds here. How many syscalls we need > to issue assuming that each leaks 5 presudorandom bits out of 32 bit > presudorandom number produced by PRGN before we can predict the > PRNG output. So the argument against using TSC directly was that it might be easy to guess most of the TSC bits in timing attack. But IIRC there is fairly solid evidence that the lowest TSC bits are very hard to guess and might in fact be a very good random source. So what one could do, is for each invocation mix in the low (2?) bits of the TSC into a per-cpu/task PRNG state. By always adding some fresh entropy it would become very hard indeed to predict the outcome, even for otherwise 'trivial' PRNGs.