* Theodore Ts'o <ty...@mit.edu> wrote:
> It seems though the assumption that we're assuming the attacker has
> arbitrary ability to get the low bits of the stack, so *if* that's
> true, then eventually, you'd be able to get enough samples that you
> could reverse engineer the prandom state. This could take long enough
> that the process will have gotten rescheduled to another CPU, and since
> the prandom state is per-cpu, that adds another wrinkle.
Yeah.
Note that if the attacker has this level of local access then they can
probably also bind the task to a CPU, which would increase the
statistical stability of any attack. Plus with millions of system calls
per second executed in an attack, each of which system call exposes a
couple of bits of prandom state, I'm pretty sure some prandom attack
exists that can make the extraction of the full internal state probable
within the ~60 seconds reseeding interval. (Is there any research on this
perhaps, or do researchers not even bother, because this isn't really a
secure algorithm in any reasonable meaning of the word?)
Thanks,
Ingo
