tech-userlevel archive


Re: Restricting rdtsc [was: kernel aslr]

Maxime Villard <> wrote:
 |Having read several papers on the exploitation of cache latency to defeat
 |aslr (kernel or not), it appears that disabling the rdtsc instruction is a
 |good mitigation on x86. However, some applications can legitimately use it,
 |so I would rather suggest restricting it to root instead.

I have used it for random noise in user space.  I don't want to
paste it, it is so ridiculous…, but then again a nice example of
user space horror – you may skip the rest at your will.

 |The idea is simple: we set CR4_TSD in %cr4, the first time an application
 |uses rdtsc it faults, we look at the creds of the lwp, if it is root we

I used it to add noise to my ARC4 random generator upon ()()/call()
time, as in

        // strong (noisy) generator?
        if(m_d.flags & f_strong) {
                if(__RAND_CRYPTOHW_OK) {
                        ret = ::__sf_sys_misc_rand_Strong();
                        goto jout;
                } else

where this was

                goto jout;
#if(!__HAVE_RAND_NOISE) ^ ep.microsecond())
        addNoise(, szof(Epoch::TimeVal));
        x = ::__sf_sys_misc_rand_Noise();
        stack[0] = x;
        x = _WEAK(x);
        stack[1] = x;
        addNoise(stack, szof(stack));

and that with args did a loop that used "random" bytes of the
given "stack" as noise additions to the internal entropy (and
doing one ARC4 stir after each addition).

 |What about this?

No longer of any value, it seems to me.
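As an added illustration (not code from this thread, and not the poster's own generator), the C program below puts both halves of the discussion together. It reads the TSC as a noise source, folds each sample into an ARC4 state with one key-schedule stir per addition, and falls back to CLOCK_MONOTONIC when `rdtsc` traps, which is what a user-space program would need to do if the instruction were restricted to root. On Linux, `prctl(PR_SET_TSC, PR_TSC_SIGSEGV)` is the per-process analogue of the CR4.TSD mechanism described in the quoted mail, so the program can demonstrate the fault-and-recover path on that platform; elsewhere it reports the restriction as unavailable. The ARC4 pool layout, the stir routine and the 8-byte packing of a sample are assumed design choices, and all names (`noise_sample`, `add_timing_noise`, `demo_restriction`, `tsc_usable`) are hypothetical.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#if defined(__linux__)
#include <sys/prctl.h>
#endif

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_RDTSC 1
/* Raw TSC read; with CR4.TSD set this raises #GP, delivered to us as SIGSEGV. */
static uint64_t rdtsc_raw(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
static sigjmp_buf tsc_jmp;
static void on_sigsegv(int sig) { (void)sig; siglongjmp(tsc_jmp, 1); }
#else
#define HAVE_RDTSC 0
static uint64_t rdtsc_raw(void) { return 0; } /* never reached off x86 */
#endif

/* 1 if rdtsc executes in this process right now, 0 if it traps or is absent. */
static int tsc_usable(void) {
#if HAVE_RDTSC
    struct sigaction sa, old;
    volatile int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(tsc_jmp, 1) == 0) { (void)rdtsc_raw(); ok = 1; }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
#else
    return 0;
#endif
}

/* Timing noise: TSC when permitted, otherwise CLOCK_MONOTONIC in nanoseconds.
 * Returns 1 on the TSC path and 0 on the fallback. */
static int noise_sample(uint64_t *out) {
    if (tsc_usable()) { *out = rdtsc_raw(); return 1; }
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    *out = (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
    return 0;
}

/* ARC4 state used as the entropy pool (assumed layout). */
typedef struct { uint8_t s[256]; uint8_t i, j; } arc4_t;

static void arc4_init(arc4_t *st) {
    for (int k = 0; k < 256; k++) st->s[k] = (uint8_t)k;
    st->i = st->j = 0;
}

/* One key-schedule pass over the current state with the noise bytes as key:
 * the "one ARC4 stir after each addition" step (assumed implementation). */
static void arc4_stir(arc4_t *st, const uint8_t *noise, size_t len) {
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + st->s[i] + noise[i % len]);
        uint8_t t = st->s[i]; st->s[i] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

static uint8_t arc4_byte(arc4_t *st) {
    st->i = (uint8_t)(st->i + 1);
    uint8_t si = st->s[st->i];
    st->j = (uint8_t)(st->j + si);
    uint8_t sj = st->s[st->j];
    st->s[st->i] = sj;
    st->s[st->j] = si;
    return st->s[(uint8_t)(si + sj)];
}

/* Fold one timing sample into the pool; returns which source supplied it. */
static int add_timing_noise(arc4_t *st) {
    uint64_t x;
    int from_tsc = noise_sample(&x);
    uint8_t buf[8];
    for (int k = 0; k < 8; k++) buf[k] = (uint8_t)(x >> (8 * k));
    arc4_stir(st, buf, sizeof buf);
    return from_tsc;
}

/* Known-answer check: RC4 with key "Key" emits keystream EB 9F 77 ... */
static int arc4_check_vector(void) {
    arc4_t st;
    arc4_init(&st);
    arc4_stir(&st, (const uint8_t *)"Key", 3);
    return arc4_byte(&st) == 0xEB && arc4_byte(&st) == 0x9F && arc4_byte(&st) == 0x77;
}

/* Linux per-process analogue of CR4.TSD. Returns 1 if rdtsc trapped while
 * restricted and worked again afterwards, 0 if the restriction had no effect,
 * -1 if the platform offers no such control. */
static int demo_restriction(void) {
#if HAVE_RDTSC && defined(__linux__) && defined(PR_SET_TSC)
    if (prctl(PR_SET_TSC, PR_TSC_SIGSEGV, 0, 0, 0) != 0) return -1;
    int blocked = !tsc_usable();
    prctl(PR_SET_TSC, PR_TSC_ENABLE, 0, 0, 0);
    return blocked && tsc_usable();
#else
    return -1;
#endif
}

int main(void) {
    arc4_t pool;
    arc4_init(&pool);
    printf("arc4 known-answer ok: %d\n", arc4_check_vector());
    printf("restriction demo: %d\n", demo_restriction());
    for (int n = 0; n < 4; n++)
        printf("stir %d: noise from %s\n", n,
               add_timing_noise(&pool) ? "rdtsc" : "clock_gettime");
    uint8_t out[4];
    for (int n = 0; n < 4; n++) out[n] = arc4_byte(&pool);
    printf("pool output: %02x %02x %02x %02x\n", out[0], out[1], out[2], out[3]);
    return 0;
}
```

The point of `tsc_usable` is that a program which merely executes `rdtsc` would die with SIGSEGV under the proposed restriction; probing once under a `sigsetjmp` guard lets it degrade to a coarser clock instead, which is the accommodation an unprivileged application would need if the mitigation were adopted.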

