[Cryptography] RNG exploits are stealthy

Jerry Leichter leichter at lrw.com
Fri Feb 14 19:58:04 EST 2014


On Feb 14, 2014, at 4:52 PM, Philipp Gühring <pg at futureware.at> wrote:

> Hi,
> 
>> Because this attack is stealthy.  Rigidized interrupt timing is
>> invisible to the users, invisible to the sysadmin, barely visible to
>> the running OS, and not specific to the OS running under the VM or
>> SMM.  It generates no Internet traffic -- at all.  It works with each
>> new operating system release.  Yet it could allow a remote attacker
>> halfway across the net -- like NSA -- do a successful brute-force
>> search for keys generated from that interrupt timing.
> 
> One of the candidates for this kind of attack I stumbled across lately is
> rigidized interrupt handling with the potential cover-up to "save battery
> power"....  [S]ome people actually developed interrupt rigidizing beasts:
> 
> http://www.researchgate.net/publication/235679705_Improving_Energy_Efficiency_for_Mobile_Platforms_by_Exploiting_Low-power_Sleep_States/file/32bfe512808a1e1f23.pdf

It's not just theory.  Mac OS actually plays this game, starting with Mavericks.  There's a quick overview at http://www.apple.com/osx/advanced-technologies/ - see the "timer coalescing" section.  Much more complete descriptions of the technology have appeared, but I don't have a handy link.

Mavericks uses a number of other strategies, at least some of which might similarly have unexpected effects on programs that think they know how scheduling and such are implemented.  The overall effect is significant, according to reports from people who see noticeably long battery life when running Mavericks - so expect to see these ideas implemented elsewhere.  As in my message about assuming that details of hardware implementation (and particularly side-effects of hardware implementation) will stay constant over time ... the same applies to OS implementation (and, more generally, to any software). 
                                                        -- Jerry
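The concern in this thread is that an entropy source built on interrupt timing quietly loses its unpredictability once the OS starts deferring interrupts to shared boundaries. The following simulation is an added example (not code from the thread or from any OS) that makes the effect measurable: it generates jittered interrupt arrival times, optionally quantizes them to a coalescing boundary the way a timer-coalescing scheduler would, and compares the min-entropy of the inter-arrival deltas that an RNG might harvest. All parameters (the 1 ms quantum, the jitter range, the sample count) are constructed assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

# Assumed coalescing quantum (constructed, not a value from any real kernel):
# every deferred interrupt fires on the next 1 ms boundary.
COALESCE_NS = 1_000_000


def interrupt_times(n, seed, coalesce_ns=0):
    """Simulated interrupt timestamps in nanoseconds.

    Each event 'wants' to fire after a jittered gap.  Without coalescing it
    fires at that moment; with coalescing the OS defers it to the next
    quantum boundary so that many wake-ups share one CPU wake.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    t = 0
    times = []
    for _ in range(n):
        t += rng.randrange(50_000, 2_000_000)  # jittered ideal gap, 50 us .. 2 ms
        if coalesce_ns:
            fire = -(-t // coalesce_ns) * coalesce_ns  # round up to boundary
        else:
            fire = t
        times.append(fire)
    return times


def deltas(times):
    """Inter-arrival intervals, the quantity a timing-based RNG typically mixes in."""
    return [b - a for a, b in zip(times, times[1:])]


def min_entropy_bits(samples):
    """Empirical min-entropy -log2(max_p): the conservative figure an
    entropy-source health check should use, since it bounds the best
    single guess an attacker can make per sample."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def compare(n=4096, seed=1):
    """Run the same jitter stream with and without coalescing and report
    how many distinct intervals survive and the min-entropy per interval."""
    raw = deltas(interrupt_times(n, seed))
    coalesced = deltas(interrupt_times(n, seed, COALESCE_NS))
    return {
        "raw_distinct": len(set(raw)),
        "raw_minentropy": min_entropy_bits(raw),
        "coalesced_distinct": len(set(coalesced)),
        "coalesced_minentropy": min_entropy_bits(coalesced),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With these assumptions the uncoalesced stream yields thousands of distinct intervals and roughly 11 bits of min-entropy per sample, while the coalesced stream collapses to at most three possible intervals (0, 1 or 2 quanta), i.e. under 1.6 bits per sample, with nothing visible to the user or administrator. The practical lesson for anyone maintaining an RNG is the one Jerry draws: measure the source on the platform it actually runs on, and do not bank on hardware or OS timing behaviour staying as it was when the entropy budget was first estimated.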
