Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana Stanford University HotOS XV – 20 May 2015 1.

Slides:

Advertisements

Similar presentations

Security Issues of Peer-to-Peer Systems February 14, 2001 OReilly Peer-to-Peer Conference Nelson Minar, CTO POPULAR POWER.

Advertisements

Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.

A Non-Blocking Join Achieving Higher Early Result Rate with Statistical Guarantees Shimin Chen* Phillip B. Gibbons* Suman Nath + *Intel Labs Pittsburgh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Practical Timing Side Channel Attacks Against Kernel Space ASLR

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

Section 3.2: Operating Systems Security

1 The Fortuna PRNG Niels Ferguson. 2 The problem We need to make “random” choices in cryptographic protocols. Computers are deterministic. Standard “random”

Dan Boneh with Monica Lam, David Mazieres, John Mitchell, and many students. Security for Mobile Devices NSF Site Visit, June 2010.

 Secure Authentication Using Biometric Data Karen Cui.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.

On the (in)security of the random number generators of Linux and Windows Benny Pinkas, University of Haifa Zvi Gutterman, Leo Dorrendorf, Tzachy Reinman,

OS Fall ’ 02 Performance Evaluation Operating Systems Fall 2002.

Memento: Learning Secrets from Process Footprints Suman Jana and Vitaly Shmatikov The University of Texas at Austin.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |

Entropy of Keys and Password Generation Introduction to entropy Entropy and data compression Predictability of random number generation Entropy and system.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

Security and Random Number Generators

Operating Systems Who’s in charge in there?. Types of Software Application Software : Does things we want to do System Software : Does things we need.

 Security and Smartphones By Parker Moore. The Smartphone Takeover  Half of mobile phone subscribers in the United States have a smartphone.  An estimated.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.

Secure Operating Systems Lesson B: Let’s go break something.

Kevin Savage Toilet Stats. Measuring usage This talk is about measuing usage What we measure How we use R to predict future usage Specific code examples.

Class 7 Practical Considerations CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

The Misuse of RC4 in Microsoft Office A paper by: Hongjun Wu Institute for Infocomm Research, Singapore ECE 578 Matthew Fleming.

Honey Encryption: Security Beyond the Brute-Force Bound

Operating Systems COMP 4850/CISG 5550 File Systems Files Dr. James Money.

Ram Santhanam Application Level Attacks - Session Hijacking & Defences

 Access Control 1 Access Control  Access Control 2 Access Control Two parts to access control Authentication: Are you who you say you are? – Determine.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)

INTERNET SAFETY FOR KIDS

Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices N. Heninger, Z. Durumeric, E. Wustrow, and J. Halderman USENIX Sec’

A. Haeberlen Fault Tolerance and the Five-Second Rule 1 HotOS XV (May 18, 2015) Ang Chen Hanjun Xiao Andreas Haeberlen Linh Thi Xuan Phan Department of.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Operating Systems Engineering Based on MIT (2012, lec3) Recitation 2: OS Organization.

Wireless and Mobile Security

Final Exam Review. Common Attack Techniques Stack overflow – Basic version – Advanced versions Mitigations – Canary – W^X page – ASLR.

The question Can we generate provable random numbers? …. ?

N-Variant Systems A Secretless Framework for Security through Diversity Benjamin Cox David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson,

1 Utkarsha MishraCOMPSCI 725 David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings.

SSH/SSL Attacks not on tests, just for fun. SSH/SSL Should Be Secure Cryptographic operations are secure SSL uses certificates to authenticate servers.

GHOST 2.0: What you need to know about the glibc getaddrinfo vulnerability (CVE ) Johannes B. Ullrich, Ph.D, SANS

1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.

Real-life cryptography Pfeiffer Alain.  Types of PRNG‘s  History  General Structure  User space  Entropy types  Initialization process  Building.

Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.

Secure PSK Authentication

Designing Proofs of Human Work for Cryptocurrency and Beyond

Chapter 6 Some Parting Advice.

POPULAR POWER Security Issues of Peer-to-Peer Systems

STRONGBOX: CONFIDENTIALITY, INTEGRITY, AND PERFORMANCE USING STREAM CIPHERS FOR FULL-DISK ENCRYPTION Bernard Dickens III.

Cryptographic Hash Functions Part I

Secure PSK Authentication

Cryptography Lecture 4.

Mumtaz Ali Rajput +92 – INFORMATION SECURITY – WEEK 5 Mumtaz Ali Rajput +92 – 301-

Understanding Randomness

Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices Originally from: N. Heninger, Z. Durumeric, E. Wustrow, J. A. Halderman USENIX.

Hiding Information, Encryption, and Bypasses

Elections Choose wisely, this is your chance to prove if election by popular vote works or not.

Cryptographic Hash Functions Part I

Cryptography Lecture 4.

Cryptography Lecture 3.

Announcement Sign up google sheet for in class lectures

CS Introduction to Operating Systems

Presentation transcript:

Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana Stanford University HotOS XV – 20 May

2

Android OpenSSL Firefox DNS resolver GE Ethernet card Apple iOS Sandbox

4 [Everspaugh et al., Oakland’14] [Garfinkel+Rosenblum, HotOS’05] [Goldberg+Wagner, Dobbs‘96] [Gutterman+Malkhi, CT-RSA’05] [Gutterman et al., Oakland’06] [Heninger et al., USENIX Sec’12] [Lazar et al., APSys’14] [Lenstra et al., 2012] [Ristenpart+Yilek, NDSS’12] [Yilek et al., IMC’09] In the past two years!

Why so many bugs? Bad news: OS is a big part of the problem. Randomness subsystems have: Buggy design Error-prone APIs Misleading documentation Good news: The OS can be part of the solution! 5 See paper

6 What is entropy? Why do we need it? Cryptographic secrets ASLR DNS source ports Password salts Etc. Password has k bits of [guessing] entropy w.r.t. an adversary A It takes A around 2 k guesses to guess your password ⇔

Application reads /dev/random Randomness pool

8 Once the OS has accumulated enough entropy, it will never “run out” of entropy seed 256+ bits of randomness

9 Great! But what should the OS do before it has 256 bits in the pool? After first boot….

10 State of the Art: Entropy Estimation

Ye Olde Entropy Estimator 11 State of the Art 27 bits 0111 “0111” “2.3 bits”

Ye Olde Entropy Estimator bits 1000 “1000” “0.8 bits” State of the Art

Ye Olde Entropy Estimator bits State of the Art

Ye Olde Entropy Estimator bits Block /dev/random until pool has 256+ bits X State of the Art

Ye Olde Entropy Estimator 15 Entropy is a function of adversary’s knowledge Estimate could be: 256 bits Reality could be:0 bits [Barak-Halevi CCS’05] [Dodis et al. CCS’13] [Kelsey et al., SAC‘00]

State of the Art 16 Entropy estimation Long- blocking API Entropy DoS attacks Trusted vs untrusted inputs Chaos!!! User-space randomness pools Slow accumulation /dev/random vs. /dev/urandom /dev/random vs. /dev/urandom

One Consequence: User-space Pools Reading many bytes from /dev/random can drive down entropy estimate and starve other processes 17 Kernel Space P1 User Space P2 P1 and P2 get same “random” values! [CVE , CVE , CVE , CVE ] P1 and P2 get same “random” values! [CVE , CVE , CVE , CVE ]

18 Our Proposal

Option 1: Strong Assumptions Assume low-order bit of “RDRAND” has one bit of entropy Easy! Just gather 256 samples, use them to seed a PRG What happens if your assumption is wrong? 19

20

Our Proposal Option 2: “Best-effort” entropy accumulation Never estimate Never block Any process can write into OS pool Per-process pools [See paper for details]  Honest process’ pools will eventually accumulate entropy 21 [Barak-Halevi CCS’05] [Dodis et al. CCS’13] [Kelsey et al., SAC‘00]

Conclusions Popular OSes make using randomness more difficult than it needs to be Entropy estimation is at the heart of the problem Our Proposal “Best effort” randomness Never estimate, never block 22

23