Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG

2014 IEEE Symposium on Security and Privacy Pub Date : 2014-05-18 DOI:10.1109/SP.2014.42

A. Everspaugh, Yan Zhai, Robert Jellinek, T. Ristenpart, M. Swift

{"title":"Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG","authors":"A. Everspaugh, Yan Zhai, Robert Jellinek, T. Ristenpart, M. Swift","doi":"10.1109/SP.2014.42","DOIUrl":null,"url":null,"abstract":"Virtualized environments are widely thought to cause problems for software-based random number generators (RNGs), due to use of virtual machine (VM) snapshots as well as fewer and believed-to-be lower quality entropy sources. Despite this, we are unaware of any published analysis of the security of critical RNGs when running in VMs. We fill this gap, using measurements of Linux's RNG systems (without the aid of hardware RNGs, the most common use case today) on Xen, VMware, and Amazon EC2. Despite CPU cycle counters providing a significant source of entropy, various deficiencies in the design of the Linux RNG makes its first output vulnerable during VM boots and, more critically, makes it suffer from catastrophic reset vulnerabilities. We show cases in which the RNG will output the exact same sequence of bits each time it is resumed from the same snapshot. This can compromise, for example, cryptographic secrets generated after resumption. We explore legacy-compatible countermeasures, as well as a clean-slate solution. The latter is a new RNG called Whirlwind that provides a simpler, more-secure solution for providing system randomness.","PeriodicalId":196038,"journal":{"name":"2014 IEEE Symposium on Security and Privacy","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-05-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"30","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2014.42","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 30

Abstract

Virtualized environments are widely thought to cause problems for software-based random number generators (RNGs), due to use of virtual machine (VM) snapshots as well as fewer and believed-to-be lower quality entropy sources. Despite this, we are unaware of any published analysis of the security of critical RNGs when running in VMs. We fill this gap, using measurements of Linux's RNG systems (without the aid of hardware RNGs, the most common use case today) on Xen, VMware, and Amazon EC2. Despite CPU cycle counters providing a significant source of entropy, various deficiencies in the design of the Linux RNG makes its first output vulnerable during VM boots and, more critically, makes it suffer from catastrophic reset vulnerabilities. We show cases in which the RNG will output the exact same sequence of bits each time it is resumed from the same snapshot. This can compromise, for example, cryptographic secrets generated after resumption. We explore legacy-compatible countermeasures, as well as a clean-slate solution. The latter is a new RNG called Whirlwind that provides a simpler, more-secure solution for providing system randomness.

查看原文本刊更多论文

虚拟化Linux中的非随机数和旋风RNG

人们普遍认为虚拟化环境会给基于软件的随机数生成器(rng)带来问题，这是由于使用了虚拟机(VM)快照，以及被认为质量较低的更少的熵源。尽管如此，我们还没有看到任何关于关键rng在vm中运行时安全性的公开分析。我们通过在Xen、VMware和Amazon EC2上测量Linux的RNG系统(没有硬件RNG的帮助，这是当今最常见的用例)来填补这一空白。尽管CPU周期计数器提供了一个重要的熵源，但Linux RNG设计中的各种缺陷使其在VM引导期间的第一个输出容易受到攻击，更重要的是，使其遭受灾难性的重置漏洞。我们展示了RNG每次从相同的快照恢复时将输出完全相同的位序列的情况。例如，这可能危及恢复后生成的加密秘密。我们将探索与遗留兼容的对策，以及一个全新的解决方案。后者是一种名为Whirlwind的新RNG，它为提供系统随机性提供了一种更简单、更安全的解决方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 IEEE Symposium on Security and Privacy

自引率

0.00%

发文量