[Cryptography] cheap sources of entropy
Sampo Syreeni
decoy at iki.fi
Tue Feb 4 07:33:36 EST 2014
On 2014-02-03, Tom Mitchell wrote:
> (BTW, it's not even clear that those measurements are relevant to
> today's disk drives and adapters.
>
> Bingo... not relevant in the presence of modern SSD and also the built
> in disk buffer prefetch and more tricks of modern disks that minimize
> some or all of the assumptions for spinning media.
I wonder whether scrypt-like tricks can be used to force even a VM to
deliver some of the underlying timing variability into the software.
Okay, you're going to need some rather interesting assumptions, but...
Suppose you can somehow force your working set to be larger than any
reasonable cache. At one point you're bound to spill onto disk, so that
seek latency becomes an issue. If you know what's going to come back
from the disk because you wrote it, but the adversary does not, you can
now verify which writes actually came from disk and which ones didn't.
Thus you just amplified any existing randomness you had a little bit if
you measured the roundtrip time.
You could attack something like that at least by simulating the program
or quantizing the times. Quantization you can combat at least by working
with longer time scales, too: it only rounds out the lower order bits,
but not longer term drift. If you collect that too, at some point you
will have enough randomness to reseed. Simulation/prediction you can
mitigate a little bit by issuing your own probes deterministically so
that they don't leak (all the) state, but full simulation of course
still works. So, can we make at least some simulation strategies
relatively expensive?
A roundtrip even to external cache costs latency, as do context switches
and the like. If you can somehow do something within the CPU which is so
tightly locked into real time that it's below such latencies, yet has
two different outcomes which are deterministic but based on state which
is not immediately observable from the outside, maybe you could derive a
deterministic execution path which is prohibitively expensive to
emulate in real time, at least without custom hardware? My idea goes
something like this:
Do a tight loop which times against the CPU's cycle counter, while
exercising the L1 cache. Find the minimum over a longer time and store
it; you can't go faster than no context switches, TLB misses &c. Now
watch for a single non-minimum, store the cycle counter in a register,
and if the next loop is again minimum time, exit. Now you know
"something" happened in between besides straight execution, which will
have affected the stored counter, and can be used to branch in a manner
which can't be simulated with zero latency. Then compound the trick a
dozen times; suddenly the internal state of the program ought to be such
that it can't be replicated too easily. Now amplify that via the working
set construction above, and repeat.
Nothing's absolutely sure in a VM environment, but as soon as you have
those outside, linearly increasing clocks at your disposal, I'm betting
you can make life pretty miserable for the adversary: what you need to
emulate something like that isn't standard hardware, and when done
right, will in any case lead to such extra latency in the inner, faster
manipulation that when amplified, it'll show. If it doesn't, you can be
reasonably sure the adversary doesn't know the entire state of your
program in time, and then you can amplify that, one bit at a time, via
real randomness like disk turbulence. Then in the future you can do a
quantized rekey, and suddenly you have those 160 bits of real seed
within your state.
Or, so goes the theory/sketch.
--
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
More information about the cryptography
mailing list