[ILUG] serious Debian/Ubuntu security hole found
colm at tuatha.org
Wed May 14 15:26:45 IST 2008
On Wed, May 14, 2008 at 10:49 AM, Michael Watterson <watty at eircom.net>
> If you reboot without power off the memory may have original contents
> If POST does some kind of memory test the memory may not be random
This is beside the point; when the OS hands a page of RAM off to a process,
it will be all-zeroes; a virtual page until it's written to, and then
physically zeroed where necessary. The buffer added to the entropy pool by
OpenSSL is an uninitialised stack buffer, which will *not* have random
contents; it will have fairly deterministic contents depending on the
previous program path. However, the *same function* is later used to add
other entropic sources to the RNG pool; when the Debian guy commented it
out, the baby got thrown out with the bathwater. FWIW, I don't think it's
as simple as "one of the removed lines was useless, the other was useful",
it is more that they are both useful at times during the program's execution
flow, even though they are also used to read uninitialised data.
> Depending on design of memory, the initial state after power on may not be
> random. Actually it may never be random if enough is known of HW design.
... and it certainly won't be random by the time it's read by an ordinary OS
> It does seem indeed that two mistakes where made.
> 1) A stupid design by OpenSSL
Not stupid; it's just an additional source of hard-to-predict data which is
added to the pool by the SSL RNG, in addition to the other sources (on
Linux, /dev/urandom is used, as is the .rnd seed stored in the users'
> 2) An inept bug fix by Debian.
... by *a Debian contributor*. Debian is one of the largest Free Software
projects out there; it's not ideal to attribute ineptness to the whole
because of this incident. I'm sure that questions are being asked, however.
> The only 100% way I know to get a really random number in a PC is a 3.3V
> zener diode (white noise generator) read by a 50 cent PIC A/D converter
> then read via USB or I2C by the OS, or whatever other A/D converter may be
> available. I use a zener for filter and frequency response testing from 10Hz
> to 2GHz. A zener feeding a wideband amplifier with a BNC socket.
The point isn't to generate "a really random number", it's "to generate a
number which is sufficiently unpredictable to render remote guessing
attempts sufficiently difficult". Sources like /dev/urandom generally make
use of entropy sources which are *extremely* difficult to replicate or guess
at, and as such are almost as good as a true physics-based RNG from the
point of view of a PKI.
Colm Buckley / colm at tuatha.org / +353 87 2469146
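The mechanism described in the message above, one mixing function that carries both the uninitialised buffer and the genuine sources, shown as an added toy model; this is not OpenSSL's RAND code and not from the thread, and the pool, mixer, "uninitialised" bytes and seed inputs are all constructed here.

```c
/* Toy entropy pool with a single mixing function. Added example, not
 * OpenSSL's real RAND implementation. The "uninitialised stack buffer" is
 * simulated with constructed bytes so the program itself has no UB. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define POOL_WORDS 4
static uint64_t pool[POOL_WORDS];
/* When set, the mixing line is "commented out": every source is dropped. */
static int mixing_disabled = 0;

/* Mix bytes into the pool (toy FNV-style mixer, not a cryptographic hash).
 * Every seed source, useful or not, passes through this one function. */
void rand_add(const void *buf, size_t n)
{
    const uint8_t *p = buf;
    if (mixing_disabled) return;            /* the "fix": nothing is mixed */
    for (size_t i = 0; i < n; i++) {
        uint64_t *w = &pool[i % POOL_WORDS];
        *w = (*w ^ p[i]) * 0x100000001b3ULL;
        *w ^= *w >> 29;
    }
}

/* Derive one 64-bit output from the pool (toy output function). */
uint64_t rand_u64(void)
{
    uint64_t x = 0x9e3779b97f4a7c15ULL;
    for (int i = 0; i < POOL_WORDS; i++) {
        x ^= pool[i]; x *= 0xbf58476d1ce4e5b9ULL; x ^= x >> 31;
    }
    return x;
}

/* Reset the pool, feed both sources through rand_add, draw one output.
 * junk = stand-in for the uninitialised buffer, good = stand-in for
 * /dev/urandom or the .rnd seed file. */
uint64_t seed_and_draw(const uint8_t *junk, size_t jn,
                       const uint8_t *good, size_t gn, int disable_mixing)
{
    memset(pool, 0, sizeof pool);
    mixing_disabled = disable_mixing;
    rand_add(junk, jn);     /* the call that triggered the valgrind warning */
    rand_add(good, gn);     /* the real entropy, via the very same function */
    return rand_u64();
}

/* Constructed sample inputs: one fixed junk buffer, two different good seeds. */
static const uint8_t junk[8]   = {0x41,0x41,0x41,0x41,0x00,0x00,0x00,0x00};
static const uint8_t good_a[8] = {0x13,0x57,0x9b,0xdf,0x24,0x68,0xac,0xe0};
static const uint8_t good_b[8] = {0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};

/* 1 if the output still changes when the good source changes, else 0. */
int output_depends_on_good_source(int disable_mixing)
{
    return seed_and_draw(junk, 8, good_a, 8, disable_mixing)
        != seed_and_draw(junk, 8, good_b, 8, disable_mixing);
}

int main(void)
{
    printf("mixing on : depends on good source? %d\n", output_depends_on_good_source(0));
    printf("mixing off: depends on good source? %d\n", output_depends_on_good_source(1));
    return 0;
}
```

With mixing disabled the pool never leaves its zero state, so the output is the same whatever /dev/urandom or the seed file supplied; that is the "baby with the bathwater" effect in miniature.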