kern.randompid: Random PID modulus
Miroslav Lachman
000.fbsd at quip.cz
Wed Aug 16 21:17:29 CEST 2017
Dan Lukes wrote on 2016/10/06 17:31:
> On 6.10.2016 17:01, Miroslav Lachman wrote:
>>>> So does the randomization actually make any sense, or is it pointless?
>>> Yes ;-)
> Yes, the randomization makes sense, or it is pointless.
It has been almost a year, but when I came across this article today,
I remembered that we discussed this here last year:
https://www.whitewinterwolf.com/posts/2015/05/23/do-randomized-pids-bring-more-security/
When I was thinking about it last year, it never occurred to me that there
could be a case where a random PID could actually cause problems, and
remotely exploitable ones at that:
This flaw relies on the fact that a hello cookie created by the server
is generated using the current Unix timestamp (so up to the second) and
the PID of the process handling the request. The exploit sends a high
number of connection attempts in order to force the server to generate
duplicated cookies. At the end this attack aims to deduce the server
private keys.
The author explains that such an attack is not realizable on systems using
traditional sequential PIDs because it would require more than 65000
connection attempts to be made in less than one second.
However, thanks to the random PIDs used on some hardened systems, the
author demonstrates that, with 20 connection attempts per second, there
is statistically more than one chance in two of generating a duplicate
in less than 5 minutes.
Mirek
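The duplicate-cookie risk quoted above, worked through as an added example (this is not code from the original post or from the linked article): it computes the birthday-bound probability that a cookie built from (current second, PID) repeats, and simulates the server's cookie generation with random versus sequential PIDs. The 16-bit PID space (65536), 20 attempts per second and 5-minute window are the article's figures, taken here as assumptions.

```python
import random


def p_dup_one_second(attempts: int, pid_space: int) -> float:
    """Birthday bound: probability that `attempts` PIDs drawn uniformly at
    random within the same second contain at least one repeat, i.e. that a
    (timestamp, PID) cookie is issued twice. Exact product form."""
    p_all_unique = 1.0
    for i in range(attempts):
        p_all_unique *= (pid_space - i) / pid_space
    return 1.0 - p_all_unique


def p_dup_over_window(attempts_per_sec: int, pid_space: int, seconds: int) -> float:
    """Probability of at least one duplicate cookie over `seconds` seconds,
    treating each second as an independent birthday trial (the timestamp
    changes, so cookies from different seconds cannot collide)."""
    per_sec = p_dup_one_second(attempts_per_sec, pid_space)
    return 1.0 - (1.0 - per_sec) ** seconds


def simulate(attempts_per_sec: int, pid_space: int, seconds: int,
             random_pids: bool = True, seed: int = 1) -> int:
    """Constructed model of the weak cookie: cookie = (second, handler PID).
    Returns how many cookies were handed out that repeated an earlier one.
    With random_pids=False the kernel hands out PIDs sequentially, so a
    repeat within one second needs the counter to wrap (attempts > pid_space)."""
    rng = random.Random(seed)          # fixed seed: reproducible run
    seen = set()
    duplicates = 0
    next_pid = 0                       # sequential-PID counter
    for second in range(seconds):
        for _ in range(attempts_per_sec):
            if random_pids:
                pid = rng.randrange(pid_space)
            else:
                pid = next_pid % pid_space
                next_pid += 1
            cookie = (second, pid)
            if cookie in seen:
                duplicates += 1
            seen.add(cookie)
    return duplicates


if __name__ == "__main__":
    # The article's scenario: 20 attempts/s, 16-bit PID space, 5 minutes.
    print("P(duplicate in 5 min, random PIDs):", round(p_dup_over_window(20, 65536, 300), 3))
    print("duplicates seen, random PIDs:", simulate(20, 65536, 300))
    print("duplicates seen, sequential PIDs:", simulate(20, 65536, 300, random_pids=False))
```

The same model shows why rate limiting alone is a weak fix: cutting the attacker to 20 attempts per second still leaves the duplicate probability above one half within the window, so the cookie itself needs a per-server secret rather than a guessable PID.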