| 1 |
On 09/18/2012 06:27 PM, Walter Stanish wrote: |
| 2 |
> Hi there, |
| 3 |
> |
| 4 |
> This is a bit general, rather than a specific suggestion, since I |
| 5 |
> don't think I can make tomorrow's meeting maybe people might like to |
| 6 |
> discuss it there. |
| 7 |
> |
| 8 |
> Reading the more recent OpenSSL man page it occurred to me that there |
| 9 |
> may be a potential with some types of daemons (such as recent OpenSSL |
| 10 |
> run with the 2.x default of --key-method 2) to facilitate remote |
| 11 |
> system entropy exhaustion as a type of DoS. |
| 12 |
> |
| 13 |
> I am aware of entropy gathering daemons but none so much for entropy |
| 14 |
> as an input to overall system management (connection throttling, |
| 15 |
> control group freezing, etc.). |
| 16 |
> |
| 17 |
> Has there been any attempt to integrate system entropy management with |
| 18 |
> any major Linux distribution? |
| 19 |
> Has Gentoo hardened looked at entropy impact of various packages? |
| 20 |
> |
| 21 |
> I think there could be some research potential here. |
| 22 |
> |
| 23 |
> The first step might be to establish suitably automated mechanisms for |
| 24 |
> formal testing of package / package revision entropy impact under |
| 25 |
> various test loads, with a view towards enhancing the visibility and |
| 26 |
> ease of entropy management across hardened gentoo systems. |
| 27 |
> - I'm not sure if there is an automated test suite set up within the |
| 28 |
> Gentoo infrastructure at present, though some packages have built-in |
| 29 |
> tests, and some packages have a USE flag to enable/disable these, it |
| 30 |
> seems difficult to re-run these tests after packages are emerged. |
| 31 |
> - There are also more general testing tools such as the Apache |
| 32 |
> Project's 'ab' and 'bonnie++' that could be used for some types of |
| 33 |
> packages. |
| 34 |
> |
| 35 |
> Whilst it is easily possible to monitor entropy over time (eg: using |
| 36 |
> rrdtool configured to source data from |
| 37 |
> /proc/sys/kernel/random/entropy_avail) I have never heard of any |
| 38 |
> attempt to monitor this availability over time and integrate it in to |
| 39 |
> system management. I have however heard of problems with relatively |
| 40 |
> commonly deployed daemons (I forget which now, but not so long ago it |
| 41 |
> happened to me too) wherein entropy exhaustion causes a complete |
| 42 |
> functional DoS for a process blocking for unavailable entropy. |
| 43 |
> |
| 44 |
> Perhaps a new control group implementation for maximum entropy draw |
| 45 |
> rate per namespace might also be a useful contribution to the kernel? |
| 46 |
> |
| 47 |
> I suppose this sort of thing is tending to increase in importance as |
| 48 |
> the density of services per physical system increases under the |
| 49 |
> continuing trend towards high density virtual hosting (either |
| 50 |
> container based or paravirtualized). |
| 51 |
> |
| 52 |
> First post here ... hope I'm not completely off track with this, just |
| 53 |
> throwing the idea out there. |
| 54 |
> |
| 55 |
> Cheers, |
| 56 |
> Walter |
| 57 |
> |
| 58 |
|
| 59 |
Like you said, there are some entropy gathering daemons (I use em in |
| 60 |
VMs), so that's a good place to start I think. After that, I would |
| 61 |
probably go with some hardware rng solution if you determine this to be |
| 62 |
that much of a risk. |
| 63 |
|
| 64 |
Since you can keep http connections open for long periods of time with |
| 65 |
HTTP/1.1 that can also be used to help mitigate some exhaustion (rate |
| 66 |
limit people). In fact, rate limiting in general is probably good. |
| 67 |
|
| 68 |
-- |
| 69 |
-- Matthew Thode (prometheanfire) |
Archives