On Sat, May 11, 2019 at 03:45:19PM -0700, Andy Lutomirski wrote: > ISTM maybe a better first step would be to make get_random_bytes() be > much faster? :)
I'm not opposed to that, but I want to make sure we don't break it for "real" crypto uses... I still think just using something very simply like rdtsc would be good enough. This isn't meant to be a perfect defense: it's meant to disrupt the ability to trivially predict (usually another thread's) stack offset. And any sufficiently well-positioned local attacker can defeat this no matter what the entropy source, given how small the number of bits actually ends up being, assuming they can just keep launching whatever they're trying to attack. (They can just hold still and try the same offset until the randomness aligns: but that comes back to us also needing a brute-force exec deterance, which is a separate subject...) The entropy source bikeshedding doesn't seem helpful given how few bits we're dealing with. -- Kees Cook
