Entropy Problems For Linux In the Cloud

CalTrumpet writes "Our research group recently spoke at Black Hat USA on the topic of cloud computing security. One of the interesting outcomes of our research was the discovery that the combination of virtualization technologies and public system images results in a problem for random number generation on guest operating systems. This is especially true for Linux, since its PRNG uses only a small set of entropy-gathering events, and virtual Linux images often generate SSH host keys within seconds of their initial boot. The slides are available; the PRNG vulnerability material begins at slide 63."

Re:Another advantage for TPM chips...

[iYk6]

Or you could plug in a microphone.

Surely Not.

[lobiusmoop]

Generating SSH keys involves interaction via at least keyboard and possibly mouse at a terminal. Surely that basic permise is enough to provide enough entropy for the pseudo-random generator. Also, the date and time (as sources of random) can't be virtualized of course.

Re:Why is this done in software at all?

[bradkittenbrink]

That's like asking "Why can't they add a DWIM opcode to the instruction set?"

Linux has a paravirtual entropy driver

[Anthony Liguori]

CONFIG_HW_RANDOM_VIRTIO enables it. It's been there for quite a while.

We could easily support it in KVM but I've held back on it because to really solve the problem, you would need to use /dev/random as an entropy source. I've always been a bit concerned that one VM could starve another by aggressively consuming entropy.

lguest does support this backend device though.

Support via "Guest Additions"?

[Just Brew It!]

Seems to me this could be solved via the "Guest Additions" module that most virtualization packages recommend you install in the guest OS. Use the GA to inject some entropy from the host system into the guest system's entropy pool. The host CPU's TSC register would probably be an excellent source.

Re:Why is this done in software at all?

[Timothy Brownawell]

Why can't the CPU contain a register which holds a random number which is updated with every clock cycle?

First, the cost of computing truly random numbers is way too high for that

Computers are deterministic. Truly random numbers cannot be computed, they can only be provided by special hardware (something that can measure shot noise or thermal noise, a camera pointed at a lava lamp, a movement detector in Schrodinger's cat's box).

Secondarily, if your PRNG algorithm is broken, you're stuck replacing the hardware.

That's why you don't do pseudo-random numbers, but real randomness from thermal noise or shot noise or some other quantum effect (cats and lava lamps don't fit on ICs).

That said, hardware PRNG is provided in many modern systems by a TPM.

And at some level, the randomness generator on the TPM almost certainly has an interface of "read this special register every X clock cycles" (because how else would you interface with your special hardware?).

It lacks the performance problems associated with your solution, since it only generates random numbers on demand.

If it's implemented in hardware (as it must be, to get true randomness), it's always running and there is no "on demand".

It still has the problem of a potential exploit being discovered leading to expensive hardware upgrades, but to my knowledge that has not been a problem to date.

That would be because it's a RNG instead of a PRNG.

Re:Why is this done in software at all?

[bradkittenbrink]

So, I was mostly just giving him shit because of his name. If you want a more serious debate, here's my best shot: The instructions you described are all relatively easy to define a generally useful specification. My main point was that every application has differing standards of randomness that are required. Do you need real quantum-mechanical randomness, or just a CSPRNG? How many bits of random data do you need, and how frequently? I'm assuming that the request is for real quantum-mechanical randomness. I find it hard to imagine defining a good spec for such hardware component, especially since the vast majority of applications don't actually require quantum-mechanical randomness, and the ones that do are likely to have very specific requirements. Anyways, besides the fact that it's tough to come up with good requirements for such a feature, I bet it's really tough to implement as well. I know just barely enough about about hardware implementations to be dangerous, so someone who knows for real, please correct me if I'm wrong. Anyways, circuits that exhibit quantum-mechanical randomness are, as far as I know, essentially the same as circuits that cause metastability [wikipedia.org] in transistors. Because of the need to control for such problems, implementing such circuits on the same die as a normal digital circuit would likely be very expensive in terms of both die area and yield.

Re:evidence that cloud is a fad?

[jellomizer]

It is a tool in the bucket. That what it is. There will be a huge growth spurt, then they realize that it won't solve everything. Then they will cut back and still use it until they find something better.

No one wants to make money off the Interwebs!

[zullnero]

"The term cloud computing is useless" said Stamos. "It's way overused. It's mostly about gathering venture capital or selling your products."

Yes. Because no one on the Internet has any use for gathering venture capital or selling products.

It IS an overused term, but you're not testing some product or how people are using it, you're really just testing the security models of various operating systems to determine which are more ready to support those concepts that people grouped together and called "cloud computing". There were a lot of various concepts that were grouped together that comprised the "Net 2.0" concept too...and that cliche was just as derided for being overused. And yet, websites that aren't all ajaxed up or don't use css seem pretty old-fashioned these days.

That said, the question I have is how ready for those "cloud computing" concepts is Windows, really? How much of that security model is using the proper approach to securing a transaction instead of just shutting down that path altogether?

Re:Here's a novel RNG

[Anonymous Coward]

Care must be taken when joking on Slashdot. It's not your fault, but you probably should have linked to Avogadro's Number [wikipedia.org] in your first post. Even dead simple jokes must be sufficiently documented to avoid getting modded down.

Re:Much ado about nothing.

[jamesh]

Interesting that both Dilbert (years ago) and xkcd (more recently) both contain a comic with a similar joke...

Re:Another advantage for TPM chips...

[profplump]

First, real-world images are not very random just be virtual of being part of the real world; random things also need to happen. This is particularly mostly-static images like you'd see in 24/7 web cams -- there is not much entropy available.

Second, most of the reason we want random data for seeing purposes is because the seed needs to be something an attacker cannot derive. The output of truly random number generator cannot be predicted by a remote attacker, but publicly available video streams most certainly can, so any source that sends the same data to more than one person is not suitable for things like cryptography. Frankly that's the whole point of the article; if there are many VMs on the same host, or many real hosts on the same hardware and network, started at the same time, and using the same source for entropy they will all generate the same "random" number.

Finally, this is a well-solved problem. Many CPUs and motherboards include a hardware RNG that is perfectly sufficient both in terms of randomness and speed for typical PRNG seeding needs. VIA has had one directly in all their CPUs for a long time, Intel includes one in their firmware hubs, and I'm sure there are similar options on most other architectures. Using that on-board RNG to individually seed each VM/host would solve the problem described in the article. There's no reason to try to invent ways to get random data unless you have very specific requirements not met by the existing solutions, as you're quite likely to come up with something inferior either in design or implementation.

Re:Eh?

[ledow]

A bold assertion. I assume you're thinking of TCP sequence numbers or similar. Otherwise, I call bullshit on the "ANY".

And the entropy provided by being connected to a network in any way, shape or form is enough for that purpose.

Even in general, unless you're generating LOTS of SSH/SSL keys on some kind of automated process schedule, you're fine, and that's the sort of task that should be pushed out to a dedicated entropy machine.

Otherwise, every ADSL router etc. in the WORLD would be worthless - no keyboard, no mouse, no disk interrupts, etc. and yet they run full TCP stacks that hold the majority of the world's home connections. The fact is that it's just not as big an issue as you think it is.

Re:Another advantage for TPM chips...

[muckracer]

> There's no reason the host can't export that same /dev/random to the guest;
> certainly to ensure there is sufficient entropy on startup.

Wouldn't the low-budget solution to this entire issue be the simple deferral of SSH key creation and the like for a few minutes past the initial boot-up?