[Cryptography] RNG exploits are stealthy

John Gilmore gnu at toad.com
Fri Feb 7 18:18:49 EST 2014


> > So, if an attacker running malware in a hypervisor (or SMM) knew you
> > were depending on disk drive timings for the random numbers that
> > create your encryption keys, how easily could they attack you by
> > rigidizing those interrupt timings, e.g. delaying your virtual machine
> > interrupts to the next even 1/60th of a second?
> 
> Maybe this is just my lack of understanding coming out, but I'm having a hard time seeing how any crypto code is going to remain secure if the hypervisor controlling the VM it's running on is under an attacker's control.  

Because this attack is stealthy.  Rigidized interrupt timing is
invisible to the users, invisible to the sysadmin, barely visible to
the running OS, and not specific to the OS running under the VM or
SMM.  It generates no Internet traffic -- at all.  It works with each
new operating system release.  Yet it could allow a remote attacker
halfway across the net -- like NSA -- to do a successful brute-force
search for keys generated from that interrupt timing.

Such a stealth exploit could survive for a long time, deployed on
millions or billions of machines, without ever being detected for what
it is: an attack on a random number generator.

It's the sort of thing I'd expect NSA to be doing, particularly when
they want it to "not be attributable to NSA" when eventually discovered.

On the other hand, code in a VM hypervisor or SMM BIOS that extracts
crypto keys from an OS would have to report those keys to its eeevil
masters somehow.  And even if clever programmers manage to write code
that doesn't need to know the internals of the guest OS, by
e.g. "looking for DRAM containing high entropy", then encrypting
that and sneaking it out in spare bytes of existing packets, anyone
who later discovers that code will have a pretty good idea what it
is doing and who it is doing it for.

	John
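
Added example, not part of the original post: a guest-side health check that looks for the rigidized timing described above by measuring how many event timestamps sit on a 1/60 s grid and how much min-entropy the low bits of the inter-event deltas carry. All function names are hypothetical, the timestamps are constructed rather than captured, and it assumes the clock the guest reads is not itself manipulated.

```python
import math
import random
from collections import Counter

NS_PER_S = 1_000_000_000
GRID_HZ = 60  # the 1/60 s grid from the quoted question

def rigidize(t_ns, hz=GRID_HZ):
    """Model of the quoted scenario: delay an event to the next 1/hz-second tick."""
    k = -(-t_ns * hz // NS_PER_S)          # ceiling division
    return k * NS_PER_S // hz

def grid_fraction(stamps_ns, hz=GRID_HZ, tol_ns=1_000):
    """Fraction of timestamps within tol_ns of a multiple of 1/hz seconds."""
    hits = 0
    for t in stamps_ns:
        phase = (t * hz) % NS_PER_S        # phase in units of ns*hz, exact integers
        if min(phase, NS_PER_S - phase) <= tol_ns * hz:
            hits += 1
    return hits / len(stamps_ns)

def min_entropy_bits(stamps_ns, mask=0xFF):
    """Most-common-value min-entropy estimate on the low bits of the deltas."""
    deltas = [(b - a) & mask for a, b in zip(stamps_ns, stamps_ns[1:])]
    p_max = Counter(deltas).most_common(1)[0][1] / len(deltas)
    return -math.log2(p_max)

def constructed_stamps(n=2000, seed=1):
    """Constructed sample: n event times with 1-50 ms gaps (not real data)."""
    rng = random.Random(seed)
    t, out = 0, []
    for _ in range(n):
        t += rng.randrange(1_000_000, 50_000_000)
        out.append(t)
    return out

def assess(stamps_ns):
    """Both health metrics for one series of event timestamps."""
    return {"grid_fraction": grid_fraction(stamps_ns),
            "min_entropy_bits": min_entropy_bits(stamps_ns)}

if __name__ == "__main__":
    free = constructed_stamps()
    rigid = [rigidize(t) for t in free]
    print("free-running:", assess(free))
    print("rigidized:   ", assess(rigid))
```

A passing result only rules out this gross failure; a most-common-value estimate cannot show that timings are unpredictable to someone who controls them.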


