OpenBSD Will Not Fix PRNG Weakness

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too; Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees, Apple refused to provide any schedule for a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."

then exploit it (if you can)

[by Anonymous Coward]

if you think its a problem, exploit it
nothing says "fix it" faster than a few thousand compromised hosts
release a PoC that gets r00t, inform the security lists and stand back
thats what full disclosure is for.

if it isnt exploitable then BSD can fix it at leisure
or if thats not quick enough and as its Open Source, YOU fix it if you are that concerned

now somebody call the whhaaambulance

Re:then exploit it (if you can)

[Jugalator (259273)]

if you think its a problem, exploit it

http://www.securityfocus.com/bid/27647

Re:then exploit it (if you can)

[Jugalator (259273)]

Wow, Slashdot ate my whole comment besides that link... A bug?

Anyway, besides rudely just posting a link like that in response, I was going to say that proof-of-concept code has at least already been published, and his point is that FreeBSD, NetBSD, DragonFlyBSD has fixes available. Apple is currently working on a fix for OS X. OpenBSD is not planning to fix this. More info can be found in my parent link.

Re:

[aliquis (678370)]

Kinda hard to make some if nothing in our world are truly random. Or is anything? Would be cool if there was an algoritm for the past, present and future of the whole universe and everything within ;D

Re:then exploit it (if you can)

[maxwell demon (590494)]

Kinda hard to make some if nothing in our world are truly random. Or is anything?

Quantum mechanics delivers true randomness, at least according to the standard interpretation.

Re:

[maxwell demon (590494)]

Well, let me try to explain.

Imagine a spin-1/2-particle (e.g. an electron). Such a particle has the peculiar property that if you measure its spin along any chosen axis, you'll always get either 1/2 ("spin up") or -1/2 ("spin down").

OK, let's assume we have just measures the spin in z direction and got +1/2. Let me first note that this is stable: If we measure the z-spin of the same particle again (assuming it didn't interact in between), we will again get +1/2 each time. That is, once we measures +1/2 in z

Re:

[evanbd (210358)]

Yeah, other sources are similar, and Zener diodes are probably the easiest devices to produce noisier versions of (and still maintain high noie quality). I mention resistors mainly because the physics behind them is the easiest to understand.

Re:then exploit it (if you can)

[orgelspieler (865795)]

I wrote a program like that once. It kept on outputting 42.

Re:

[chthon (580889)]

Because it is not part of the standard PC architecture ?

Re:then exploit it (if you can)

[digitig (1056110)]

If you're working at the level where a friend has to explain the weaknesses in a PRNG class, one you roll yourself is highly unlikely to be better. There are many algorithms out there that have been very thoroughly analysed and explored by experts, and there's going to be one out there that's easy to find and better than your hand-rolled one. And, of course, what count as "weaknesses" depends on the application. A PRNG that's great for Monte-Carlo simulation may be too predictable for cryptography. A PRNG that's sufficiently hard to predict for cryptography may be too slow for Monte-Carlo simulation.

Re:

[digitig (1056110)]

True, but if you roll one yourself, the P in PRNG no longer has a second meaning of 'predictable.'

It does if you don't do it right, and you're unlikely to do it right unless you're a cryptographic expert. Just because your algorithm isn't published doesn't mean a competent codebreaker won't be able to crack it: ahref=http://en.wikipedia.org/wiki/Security_through_obscurityrel=url2html-8229 [slashdot.org]http://en.wikipedia.org/wiki/Security_through_obscurity>.

Uh what

[Brian Gordon (987471)]

Is the summary just supposed to be as shocking as possible? How about some details on why specifically they decided not to patch it?

Re: Uh what

[Dolda2000 (759023)]

I'm no security expert and I don't know anything about the attack vectors that he claims, so maybe I shouldn't say too much, but I do know this: TFA mentions that the PRNG is used for such fields as DNS transaction IDs and IP header fragment IDs, and these fields were never even meant to be random from the beginning. Verily so, TFA even says that {Free,Net}BSD don't even use the PRNG by default, but uses sequential numbers unless a certain sysctl is tweaked.

Thus, it is my guess that even if the attack vectors are deemed serious enough, the OpenBSD team has decided that it doesn't matter, since these protocols were never designed for security anyway, and that one should use DNSSEC and/or IPSEC (or TLS) if one actually wants to be secure (it does raise the question as to why they decided to use a PRNG for those fields from the beginning, though). My second guess is that they don't even consider the attack vectors serious, though, since they probably require a cracked router to be effective anyway.

Indeed, if they do require a cracked router, then I don't see the issue to begin with. One of the attacks was that the attacker could inject data into a TCP stream and such things, and if he has a router cracked, then I'm pretty sure he could forge all the data he wants anyway, without using any particular software attack at all, and likewise with DNS data.

Re: Uh what

[Smallpond (221300)]

The reason that they weren't designed to be secure is that noone had thought of the "DNS poisoning" attack when the protocols were designed. If they had, they would have made the ID field longer. Since it is only 16 bits, I doubt that there is any very secure way of protecting someone from guessing the next value. The paper describes a method of narrowing it down to 8 possibilities by doing ~10^9 calculations.

The exploit described in the paper doesn't require a cracked router, just a malicious website. Once you can inject fake DNS entries for bankofamerica.com or ebay.com on some ISP's DNS server, the exploit has paid for itself.

They'd more likely be used to compromise the user

[Xenographic (557057)]

DNS poisoning and the like are more likely to be used to compromise the user than his computer. After all, they can just put up their fake Bank of America clone that, thanks to poisoned DNS, is identical to the real one and steal his password.

Not everything is about compromising someone's computer.

Re:Uh what

[Zeinfeld (263942)]

Is the summary just supposed to be as shocking as possible? How about some details on why specifically they decided not to patch it?

It is entirely believable to me. Back in 1995 I told Marc Andressen at Netscape that he had a serious problem with the random number generator used to choose session keys for SSL. There was simply not enough randomness going in for there to be 128 bits going out.

Marc had every reason to listen to me, I had broken SSL 1.0 in ten minutes when he tried to demonstrate it at MIT. But it took several weeks to drill the problem into his thick skull.

So they eventually asked me for a description of how to do the thing right.

A year later the exact same bug was discovered independently. By this time they had hired some competent crypto people. I spoke to Taher about the problem later and his explanation was that they found the design note on the PRNG which was so comprehensive that they didn't think it necessary to check the actual code.

Re:Uh what

[fulldecent (598482)]

You cracked Marc's 128-bit encryption, but your Slashdot id is 263942. Doesn't add up.

Re:Uh what

[LizardKing (5245)]

That's because he's so l33t he can pick a Slashdot id at random every time he posts.

Re:

[Zeinfeld (263942)]

You cracked Marc's 128-bit encryption, but your Slashdot id is 263942. Doesn't add up.

Marc's 128 bit encryption used a random seed with 24 bits worth of ergodicity. So it was only 24 bit secure.

And SSL 1.0 had no integrity protections whatsoever, which would have been pretty bad even if he wasn't using a stream cipher. So even if he used a 256 bit cipher it would have been broken.

What makes you think this is my only Slashdot id?

Oh and in response to the AC in the other thread, no my job title is not

Re:

[teh kurisu (701097)]

If BSD used the GPL, then Apple still wouldn't be providing a fix, because they wouldn't be using OSS at all. Neither licence is better than the other in this regard.

I don't agree with the trolling from either camp. The licence you release your code under is a matter of personal choice.

Re:

[cloricus (691063)]

Because that is why they aren't using webkit, apache, samba, cups (or employ the guy who writes it), and several others in their default install.

While I would agree with you on the matter of trolling it really gets old when BSD users trumpet it constantly where-as in my experience GPL supporters tend to realise there are limitations. Of course I'm sure it is seen the same way across the bridge.

Re:

[Richard_at_work (517087)]

Webkit is LGPL, Apache is under the Apache license, Samba is under the GPL and CUPS (sourcecode copyright, company name and other tangibles) was purchased by Apple a year ago this month (as well as hiring the main developer).

Out of the four items you mention, only one is GPL. You could have done much better to suggest such examples as GCC et al.

The great thing about the BSD license, is that when people do contribute back (and they do, even big companies like Apple), you know its because they *want* t

Software freedom is better when its inalienable.

[jbn-o (555068)]

So, in other words, the grandparent poster's point is valid and the larger more important issue remains: proprietary derivatives of non-copylefted free software uses the free software community as a market instead of treating us as equals.

The great thing about the BSD license, is that when people do contribute back (and they do, even big companies like Apple), you know its because they *want* to, not because they *have* to.

Nobody "has" to under the GPL; to the degree that what you said is true, the same is true of the GPL. Statements like yours ignore all the choices that lead up to distributing source code. There's nothing in the GPL that compels conveyance. There are only conditions in the GPL that compel source code conveyance with object code conveyance. It's trivially easy to not improve GPL-covered software or not distribute the improved version. The larger issue here is whether the free software community owes Apple anything. We don't. If they want to join us and work with us, great, if not they can write their own software. The GPL helps ensure that when people and organizations convey copies of programs they do so as equals. NeXT (now owned by Apple) already tried distributing GCC derivative software without distributing complete corresponding source code when GCC was under GPLv2. It made NeXT look like an ass and put them at risk of being able to distribute GCC at all. NeXT later rectified the situation by distributing complete corresponding source code in compliance with GPLv2.

Re:

[saleenS281 (859657)]

Great argument, except none of the above are essential to their operating system, which is why they picked them up with a gpl license. It doesn't really matter if the source to any of those are shared or not.

Oh, and captain hater, last time I checked, the fix would be shared [apple.com].

Re:

[molarmass192 (608071)]

... and if Apple wasn't using OSS at all, I'd bet that they'd be selling quite a few less laptops and desktops. I know I wouldn't have bought three laptops over the past 2 years. I also know several people who would not have gone the OS X route. GCC / FreeBSD / GNU are very strong selling points for Apple that they didn't have with OS 9. On that note, I think you're right to a large extent, if it came down to a choice between the GPL or closed source, I have a gut feeling Apple would have tried the close ro

Re:

[Sancho (17056)]

People have different opinions on how things should be. When it's their license and their code, they get to decide. Nonetheless, maybe you should contact the Open Source Initiative. They're an organization which collects licenses and "certifies" them as to their openness. BSD's license is listed as open source.

http://www.opensource.org/licenses/bsd-license.php [opensource.org]

Re:

[cmaxx (7796)]

Nuhuh. This is because the BSD license is semantically freer than GPL in precisely this case:

Apple are free to release their putative fix to the community, or not - their free choice. That's one more freedom, relative to being obliged to release any changes they make which lead to a binary release outisde of Apple, which the GPL would oblige.

There are plenty of folk who see that as a feature not a flaw.

Re:

[timrichardson (450256)]

And besides, if computing moves away from code executing on local CPUs and onto central servers to be accessed by web clients (the "cloud"), than even GPL code modified by,for example, Google is not distributed, so the patches are not mandatorily available under GPL either.

Re:Uh what ... yeah

[Goaway (82658)]

Being given something is not a freedom. It may be a good thing, but stretching the definition of "freedom" to include that renders term almost entirely meaningless.

Don't conflate "things you want" with "freedom", please.

Re:

[ShieldW0lf (601553)]

It's about the developers freedom and the users freedom. The developer is free of leverage, and can act as they wish. The user is free of leverage, and can act as they wish. They're not allowed to use the legal system to enforce leverage around the code, obviously. But that doesn't prevent them doing anything they wish with the code, it just prevents them being bastards via the legal system.

GPL has the same flaw, ya know.

[Animaether (411575)]

say Google fixes something in a GPLed project that they're -not- distributing. Then GPL fans can't automatically get the fix because, hey, the GPL license*!

( * which only says something about making the code, and thus the fix, available if the code, or compiled version thereof, is distributed. )

The difference is trivial, isn't it. In both cases an existing fix would not automatically be contributed back.

Why this is so bad: DNS cache poisoning

[by Anonymous Coward]

DNS cache poisoning [wikipedia.org]

OpenBSD secure?!

[darkob (634931)]

This most certainly WILL have impact on OpenBSD's status as "secure" OS. Indeed, OpenBSD claims to have "proactive" approach towards security whereas this issue should and will diminish some of the OpenBSD's "security goodwill".

Oh for Bob's sake!

[Chas (5144)]

When the PRNG in WINDOWS is shown to be vulnerable (because it's a actually static value), it's a horrendous problem.

But when the PRNG for a non-MS operating system is shown to have a similar (but not identical) problem, it's "irrelevant"?

Strike 2, OpenBSD.

[Neillparatzo (530968)]

OpenBSD is on a fast track to losing its most favored secure OS status if they keep this up.

First they refused to implement WPA (despite the other BSDs having it), because it "doesn't provide real security" and "just use IPSEC".

Now they're refusing to address a weakness in their network stack (despite the other BSDs addressing it), again with the implication that everybody should just jump to IPSEC. What if you're in a situation where an IPSEC rollout is impractical or impossible?

Whatever happened to defense in depth? Whatever happened to "secure by default"? Whatever happened to constructive paranoia, such as randomizing of libc addresses, that was unlikely to have any real impact on security but was a nice extra, just in case? Why must I now upgrade to NetBSD to get security features that are lacking in OpenBSD? Isn't the shoe on the wrong foot?

What happened? Was there a change of management? Is OpenBSD under the thumb of a douchebag patch manager lately? Is this going to go away at some point? Those of us that sleep with OpenBSD firewalls like a gun under our pillow are taking notice.

Re:

[by Anonymous Coward]

First they refused to implement WPA (despite the other BSDs having it), because it "doesn't provide real security" and "just use IPSEC".

Umm, they're completely correct to take this stance. WPA is far inferior to IPSEC, security-wise. It's OpenBSD's job to help insulate you from insecure technologies. We could easily say, "Just because FreeBSD allows one-character passwords, OpenBSD should, too!" And you know what? We'd be wrong to think in that way.

What happened? Was there a change of management? Is OpenBSD

Re:Strike 2, OpenBSD.

[by Anonymous Coward]

IPSec is OSI layer three, WPA is layer two. Accordingly, they are not substitutes for each other; they are compliments.

So, OpenBSD is refusing to put a locking mechanism on the doorknob because it wants to make people use a deadbolt. Me, I'd want both; if it turns out my deadbolt had a defect and thus easily defeated, the doorknob lock would at least provide some security.

Theo is slow to change, but he will.

[argent (18001)]

Theo has refused to implement other 'foreign' security changes in OpenBSD when they were first introduced, then turned around and implemented them after a while. He was contemptuous towards non-execute stacks when I spoke with him at Usenix many years ago, because he was convinced OpenBSD's code review policy made it irrelevant and because no-execute didn't stop all stack smashing attacks... but OpenBSD eventually picked it up.

Basically, he's very conservative, very resistant to change, and don't forget that's one of the things that made OpenBSD what it was to begin with... but if it really matters he'll come around.

Re:

[styrotech (136124)]

First they refused to implement WPA

From my impression that is an overstatement. OpenBSD will get WPA when someone writes it well enough for it to get in. Although the current devs don't want to write it themselves (as they don't feel they need it), they have left the door open for someone else to write it.

"doesn't provide real security" and "just use IPSEC" aren't reasons why it won't get in at all but reasons why that particular developer(s) isn't going to bother writing it themselves. OpenBSD is probably

Re:

[Breakfast Pants (323698)]

It isn't that they just flippantly refuse these things to be assholes, they have extremely limited resources and they have to make tradeoffs.

They're doctrinaire, sure

[Theatetus (521747)]

But they tend to have a point. They are right, ultimately, that the transport level is the "correct" level for security. WEP and WPA are both, ultimately, kind of pointless in that a determined attacker will be able to compromise them. It's just that WPA prevents a large class of casual attacks that WEP doesn't. In theory, yes, someone concerned about secure network traffic will secure that traffic at the transport level -- the problem is that if you don't control both sides of the transaction, transport-

Code excerpt for the curious...

[davidbrit2 (775091)]

http://xkcd.com/221/ [xkcd.com] Oh hush, you knew somebody would post it.

Why doesn't software trust /dev/[u]random ?

[m.dillon (147925)]

After the Nth time someone as approached me talking about flaws in BIND's random number generator I just have to ask myself, why the hell do the bind people, with no real cryptographic knowledge, think they can write their own? Bind doesn't seem to even have an option to use the OS's PRNG.

I had an interesting discussion with Amit regarding all the hacks people (including the Bind people) do to try to roll their own random number generator and it prompted me to review our own IP randomization code (and the 'off' default). After review I was decidedly uneasy about its secureness, mainly because it was trying to use an algorithmically generated cycle for a tiny namespace (16 bits, actually 15 the way it was coded). The problem with the IP sequence space is that you can't just randomize it, you also have to ensure that sequence numbers are not immediately repeated. DNS has similar issues.

I gave up trying to improve the algorithm and decided to throw in the towel and allocate 128KB of memory to do a look-ahead running shuffle of the 65536 possible sequence number using the system's PRNG. It's not possible to do better then that, frankly. We also decided to turn on ip randomization by default.

So that brings me back to the question: Why the hell doesn't bind have an option to use the system PRNG? Not all systems have a good random number generator, but I trust ours far more then the junk coded into bind. For that matter, I don't really mind if bind ate another 128K of memory to secure its own sequence space, if that is what it takes.

I know enough about cryptology to know that I am not a cryptographer. But regardless of that, I can still get a good feel for someone else's code and what BIND does scares me. The y need to change their code to default to something more secure, even if it is memory intensive. If they want to give their users the option to use the less memory intensive algorithm that's fine with me, but the default needs to be more secure.

DNS has its own design issues, but that is no excuse for software to exasperate them.

-Matt

Re:So much for high security

[norton_I (64015)]

If it isn't actually a security risk (I have no idea if it is or not), the most secure thing to do is to not "fix" it. Changing code always carries the risk of introducing security problems.

The OpenBSD guys are pretty defensive about security. If they say it is not a problem, I am inclined to believe them.

Re:

[Metzli (184903)]

I may be wrong, but I don't remember anyone claiming that OpenBSD is the "highest security OS." The last I checked, it wasn't on the list for A1. It's likely to be one of the most secure open source operating systems, but it's by no means the ultimate.

Re:If the OpenBSD devs say it isn't a security fla

[by Anonymous Coward]

>If the OpenBSD developers say this isn't a security concern, I've got 100% confidence that they are correct.

I see you don't remember how OpenBSD developers downplayed remote root vulnerability in mbuf code, until COREsecurity gived them working exploit :].
And this is that mega randomness with what OpenBSD team was so proud :] LOL.

Re:What??

[Jugalator (259273)]

The flaw in the PRNG is not exploitable. Not unless you are root on the local machine and have the ability to stop all other processes.

Wait.. what?

This could potentially provide a platform for attacks involving prediction of IP sequences and thus TCP data injection attacks.

Where is a local machine access required for that? It could provide attacks on the network traffic itself, by merely knowing which operating systems are involved in it.

Re:

[yakumo.unr (833476)]

If flawed, predictable PRNG code is so 'irrelevant in the real world' why does even Microsoft seek to improve upon it?

"Strengthens the cryptography platform with a redesigned random number generator, which leverages the Trusted Platform Module (TPM), when present, for entropy and complies with the latest standards. The redesigned RNG uses the AES-based pseudo-random number generator (PRNG) from NIST Special Publication 800-90 by default. The Dual Elliptical Curve (Dual EC) PRNG from SP 800-90 is also availa

Re:

[ivan256 (17499)]

Where do you think the data for /dev/urandom comes from? It's a pseudo-random number generator unless you've got a hardware random number generator, but even that probably uses a pseudo-random algorithm.

Re:

[Adam Hazzlebank (970369)]

Where do you think the data for /dev/urandom comes from? It's a pseudo-random number generator unless you've got a hardware random number generator

It's my understanding that urandom often uses data from interrupts, keyboard input, device controllers etc. to increase the entropy of the random numbers it produces.

hardware random number generator, but even that probably uses a pseudo-random algorithm.

Hardware random number generators are not considered pseudo-random. As I understand it they usually ampli