kern.randompid: Random PID modulus

Miroslav Lachman 000.fbsd at quip.cz
Wed Aug 16 21:17:29 CEST 2017


Dan Lukes wrote on 2016/10/06 17:31:
> On 6.10.2016 17:01, Miroslav Lachman wrote:

>>>> So does the randomization have any point, or is it useless?
>>> Yes ;-)

> Yes, the randomization has a point, or it is useless.

It has been almost a year, but when I came across this article today, 
I remembered that we discussed this here last year:

https://www.whitewinterwolf.com/posts/2015/05/23/do-randomized-pids-bring-more-security/


When I was thinking about it last year, it never occurred to me that 
there could be a case where random PIDs can actually cause problems, 
and remotely exploitable ones at that:

This flaw relies on the fact that a hello cookie created by the server 
is generated using the current Unix timestamp (so up to the second) and 
the PID of the process handling the request. The exploit sends a high 
number of connection attempts in order to force the server to generate 
duplicated cookies. In the end this attack aims to deduce the server's 
private keys.

The author explains that such an attack is not realizable on systems using 
traditional sequential PIDs because it would require more than 65000 
connection attempts to be made in less than one second.

However, thanks to the random PIDs used on some "hardened" systems, the 
author demonstrates that, with 20 connection attempts per second, there 
is statistically more than a one-in-two chance of generating a duplicate 
in less than 5 minutes.

Mirek
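As an added illustration, not part of Mirek's post or of the linked article, the following script works out the arithmetic behind the quoted figures. It assumes (these are constructed assumptions, not values from the page) a 16-bit PID space of 65536, one freshly forked process per connection whose PID is drawn uniformly at random, and a cookie built from (timestamp in seconds, PID), so that a duplicate cookie requires two connections in the same second with the same PID. It is a birthday-paradox estimate of how little entropy a PID actually contributes, and contrasts it with sequential allocation, where a duplicate within one second would need the PID counter to wrap.

```python
import math

# Constructed assumption: 16-bit PID space, uniform random allocation,
# cookie = (timestamp, PID). Not a value taken from the post or the article.
PID_SPACE = 65536


def p_random_collision_in_second(per_second: int, pid_space: int = PID_SPACE) -> float:
    """Exact birthday-paradox probability that at least two of `per_second`
    independent, uniformly random PIDs drawn in the same second coincide."""
    if per_second > pid_space:
        return 1.0  # pigeonhole: more draws than distinct values
    p_all_distinct = 1.0
    for i in range(per_second):
        p_all_distinct *= (pid_space - i) / pid_space
    return 1.0 - p_all_distinct


def p_sequential_collision_in_second(per_second: int, pid_space: int = PID_SPACE) -> float:
    """With sequential allocation the PIDs handed out within one second are
    consecutive, so a duplicate needs the counter to wrap around in that second."""
    return 1.0 if per_second > pid_space else 0.0


def p_collision_within(seconds: int, p_per_second: float) -> float:
    """Probability of at least one collision across `seconds` independent seconds."""
    return 1.0 - (1.0 - p_per_second) ** seconds


def seconds_until(target: float, p_per_second: float) -> float:
    """Number of seconds until the cumulative collision probability reaches `target`."""
    if p_per_second <= 0.0:
        return math.inf
    if p_per_second >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_per_second))


def draws_for_even_odds(pid_space: int = PID_SPACE) -> int:
    """Smallest number of random draws that gives at least a 50% chance of a
    duplicate, i.e. the classic birthday bound for this space (about sqrt(2 N ln 2))."""
    k, p_all_distinct = 0, 1.0
    while p_all_distinct > 0.5:
        p_all_distinct *= (pid_space - k) / pid_space
        k += 1
    return k


if __name__ == "__main__":
    rate, window = 20, 300  # 20 connections/s over 5 minutes, as in the quoted article
    p_rand = p_random_collision_in_second(rate)
    print(f"random PIDs:     P(duplicate in 1 s)        = {p_rand:.4f}")
    print(f"random PIDs:     P(duplicate in {window} s)      = {p_collision_within(window, p_rand):.3f}")
    print(f"random PIDs:     seconds to reach 50%       = {seconds_until(0.5, p_rand)}")
    print(f"sequential PIDs: P(duplicate in 1 s)        = {p_sequential_collision_in_second(rate):.1f}")
    print(f"random draws in one second for even odds    = {draws_for_even_odds()}")
```

With these assumptions the per-second collision chance at 20 connections/s is roughly 0.29%, which compounds to about 58% over 300 seconds and crosses 50% in about four minutes, matching the article's "more than one in two in less than 5 minutes". The defensive lesson is the one the post draws: a PID is at most 16 bits of entropy and must not be the secret ingredient of a cookie or nonce; the fix is a CSPRNG-generated value, and the weakness is in the cookie construction, not in kern.randompid itself.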


More information about the Users-l mailing list