Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana Stanford University HotOS XV – 20 May 2015 1.

Published byDarren Dean Modified over 9 years ago

Similar presentations

Presentation on theme: "Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana Stanford University HotOS XV – 20 May 2015 1."— Presentation transcript:

1 Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana Stanford University HotOS XV – 20 May 2015 1

2 2

3 Android OpenSSL Firefox DNS resolver GE Ethernet card Apple iOS Sandbox

4 4 [Everspaugh et al., Oakland’14] [Garfinkel+Rosenblum, HotOS’05] [Goldberg+Wagner, Dobbs‘96] [Gutterman+Malkhi, CT-RSA’05] [Gutterman et al., Oakland’06] [Heninger et al., USENIX Sec’12] [Lazar et al., APSys’14] [Lenstra et al., 2012] [Ristenpart+Yilek, NDSS’12] [Yilek et al., IMC’09] In the past two years!

5 Why so many bugs? Bad news: OS is a big part of the problem. Randomness subsystems have: Buggy design Error-prone APIs Misleading documentation Good news: The OS can be part of the solution! 5 See paper

6 6 What is entropy? Why do we need it? Cryptographic secrets ASLR DNS source ports Password salts Etc. Password has k bits of [guessing] entropy w.r.t. an adversary A It takes A around 2 k guesses to guess your password ⇔

7 01001101000100 7 Application reads /dev/random Randomness pool

8 8 Once the OS has accumulated enough entropy, it will never “run out” of entropy 011010100101110010101111011000011010111 seed 256+ bits of randomness

9 9 Great! But what should the OS do before it has 256 bits in the pool? After first boot….

10 10 State of the Art: Entropy Estimation

11 Ye Olde Entropy Estimator 11 State of the Art 27 bits 0111 “0111” “2.3 bits”

12 Ye Olde Entropy Estimator 12 29.3 bits 1000 “1000” “0.8 bits” State of the Art

13 Ye Olde Entropy Estimator 13 30.1 bits State of the Art

14 Ye Olde Entropy Estimator 14 30.1 bits Block /dev/random until pool has 256+ bits X State of the Art

15 Ye Olde Entropy Estimator 15 Entropy is a function of adversary’s knowledge Estimate could be: 256 bits Reality could be:0 bits [Barak-Halevi CCS’05] [Dodis et al. CCS’13] [Kelsey et al., SAC‘00]

16 State of the Art 16 Entropy estimation Long- blocking API Entropy DoS attacks Trusted vs untrusted inputs Chaos!!! User-space randomness pools Slow accumulation /dev/random vs. /dev/urandom /dev/random vs. /dev/urandom

17 One Consequence: User-space Pools Reading many bytes from /dev/random can drive down entropy estimate and starve other processes 17 Kernel Space P1 User Space P2 P1 and P2 get same “random” values! [CVE-2013-1445, CVE-2013-3599, CVE-2014- 0016, CVE-2014-0017] P1 and P2 get same “random” values! [CVE-2013-1445, CVE-2013-3599, CVE-2014- 0016, CVE-2014-0017]

18 18 Our Proposal

19 Option 1: Strong Assumptions Assume low-order bit of “RDRAND” has one bit of entropy Easy! Just gather 256 samples, use them to seed a PRG What happens if your assumption is wrong? 19

20 20

21 Our Proposal Option 2: “Best-effort” entropy accumulation Never estimate Never block Any process can write into OS pool Per-process pools [See paper for details]  Honest process’ pools will eventually accumulate entropy 21 [Barak-Halevi CCS’05] [Dodis et al. CCS’13] [Kelsey et al., SAC‘00]

22 Conclusions Popular OSes make using randomness more difficult than it needs to be Entropy estimation is at the heart of the problem Our Proposal “Best effort” randomness Never estimate, never block 22

23 23

Download ppt "Recommendations for Randomness in the Operating System Henry Corrigan-Gibbs and Suman Jana Stanford University HotOS XV – 20 May 2015 1."

Similar presentations

Security Issues of Peer-to-Peer Systems February 14, 2001 OReilly Peer-to-Peer Conference Nelson Minar, CTO POPULAR POWER.

Security Issues of Peer-to-Peer Systems February 14, 2001 OReilly Peer-to-Peer Conference Nelson Minar, CTO POPULAR POWER.
Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.

Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.
A Non-Blocking Join Achieving Higher Early Result Rate with Statistical Guarantees Shimin Chen* Phillip B. Gibbons* Suman Nath + *Intel Labs Pittsburgh.

A Non-Blocking Join Achieving Higher Early Result Rate with Statistical Guarantees Shimin Chen* Phillip B. Gibbons* Suman Nath + *Intel Labs Pittsburgh.
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Practical Timing Side Channel Attacks Against Kernel Space ASLR

Practical Timing Side Channel Attacks Against Kernel Space ASLR
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
1 The Fortuna PRNG Niels Ferguson. 2 The problem We need to make “random” choices in cryptographic protocols. Computers are deterministic. Standard “random”

1 The Fortuna PRNG Niels Ferguson. 2 The problem We need to make “random” choices in cryptographic protocols. Computers are deterministic. Standard “random”
Dan Boneh with Monica Lam, David Mazieres, John Mitchell, and many students. Security for Mobile Devices NSF Site Visit, June 2010.

Dan Boneh with Monica Lam, David Mazieres, John Mitchell, and many students. Security for Mobile Devices NSF Site Visit, June 2010.
 Secure Authentication Using Biometric Data Karen Cui.

 Secure Authentication Using Biometric Data Karen Cui.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.

1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.
On the (in)security of the random number generators of Linux and Windows Benny Pinkas, University of Haifa Zvi Gutterman, Leo Dorrendorf, Tzachy Reinman,

On the (in)security of the random number generators of Linux and Windows Benny Pinkas, University of Haifa Zvi Gutterman, Leo Dorrendorf, Tzachy Reinman,
OS Fall ’ 02 Performance Evaluation Operating Systems Fall 2002.

OS Fall ’ 02 Performance Evaluation Operating Systems Fall 2002.
Memento: Learning Secrets from Process Footprints Suman Jana and Vitaly Shmatikov The University of Texas at Austin.

Memento: Learning Secrets from Process Footprints Suman Jana and Vitaly Shmatikov The University of Texas at Austin.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt |

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |

Similar presentations

Ads by Google