tech-userlevel archive


Re: Restricting rdtsc [was: kernel aslr]



Maxime Villard <max%m00nbsd.net@localhost> wrote:
 |Having read several papers on the exploitation of cache latency to defeat
 |aslr (kernel or not), it appears that disabling the rdtsc instruction is a
 |good mitigation on x86. However, some applications can legitimately use it,
 |so I would rather suggest restricting it to root instead.

I have used it for random noise in user space.  I don't want to
paste it, it is so ridiculous…, but then again a nice example of
user space horror – you may skip the rest at your will.

 |The idea is simple: we set CR4_TSD in %cr4, the first time an application
 |uses rdtsc it faults, we look at the creds of the lwp, if it is root we

I used it to add noise to my ARC4 random generator upon ()()/call()
time, as in

        // strong (noisy) generator?
        if(m_d.flags & f_strong) {
#if(__HAVE_RAND_CRYPTOHW)
                if(__RAND_CRYPTOHW_OK) {
                        ret = ::__sf_sys_misc_rand_Strong();
                        goto jout;
                } else
#endif
                addNoise();
        }


where this was

#if(__HAVE_RAND_CRYPTOHW)
        if(!m_d.enpy)
                goto jout;
#endif
#if(!__HAVE_RAND_NOISE)
        ep.now().setSecond(ep.second() ^ ep.microsecond())
                .setMicrosecond(_WEAK(ep.microsecond()));
        addNoise(ep.tv(), szof(Epoch::TimeVal));
#else
        x = ::__sf_sys_misc_rand_Noise();
        stack[0] = x;
        x = _WEAK(x);
        stack[1] = x;
        addNoise(stack, szof(stack));
#endif
#if(__HAVE_RAND_CRYPTOHW)
jout:
#endif

and that with args did a loop that used "random" bytes of the
given "stack" as noise additions to the internal entropy (and
doing one ARC4 stir after each addition).

 |What about this?

No longer of any value, it seems to me.

--steffen
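As an added illustration, not the author's code (his helpers such as _WEAK, szof and __sf_sys_misc_rand_Noise are not on the page), here is a hypothetical reconstruction in C of the addNoise()/stir step the post describes: a minimal ARC4 generator whose key schedule is re-run over the live permutation once per noise byte, with output discarded afterwards. ARC4 is used only because it is the generator the post talks about; the noise bytes in the test are constructed values standing in for a low-entropy source such as a timestamp.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reconstruction of an ARC4 generator with the addNoise()
 * step the post describes; not the author's code. */
typedef struct { uint8_t s[256]; uint8_t i, j; } arc4_t;

/* Key schedule run over the *current* permutation: on a fresh state this
 * is the standard ARC4 KSA, on a used state it folds new bytes in ("stir"). */
static void arc4_stir(arc4_t *st, const uint8_t *key, size_t len) {
    size_t n, k = 0;
    for (n = 0; n < 256; n++) {
        uint8_t si = st->s[st->i];
        st->j = (uint8_t)(st->j + si + key[k]);
        st->s[st->i] = st->s[st->j];
        st->s[st->j] = si;
        st->i++;
        if (++k >= len) k = 0;
    }
    st->j = st->i;  /* i has wrapped to 0; restart the PRGA indices */
}

static void arc4_init(arc4_t *st, const uint8_t *key, size_t len) {
    int n;
    for (n = 0; n < 256; n++) st->s[n] = (uint8_t)n;
    st->i = st->j = 0;
    arc4_stir(st, key, len);
}

static uint8_t arc4_byte(arc4_t *st) {
    uint8_t si, sj;
    st->i++;
    si = st->s[st->i];
    st->j = (uint8_t)(st->j + si);
    sj = st->s[st->j];
    st->s[st->i] = sj;
    st->s[st->j] = si;
    return st->s[(uint8_t)(si + sj)];
}

/* addNoise(): one stir per noise byte (noise may be low-entropy, e.g. a
 * timestamp), then discard output so early bytes do not expose the schedule. */
static void arc4_add_noise(arc4_t *st, const uint8_t *noise, size_t len) {
    size_t n;
    for (n = 0; n < len; n++) arc4_stir(st, &noise[n], 1);
    for (n = 0; n < 256; n++) (void)arc4_byte(st);
}
```

Because the noise is folded in by re-keying the live permutation rather than resetting it, two generators given the same key and the same noise stay in lockstep, which is what makes a predictable noise source (a readable cycle counter, say) add little over the key itself.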

