Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG

Virtualized environments are widely thought to cause problems for software-based random number generators (RNGs), due to the use of virtual machine (VM) snapshots as well as fewer and believed-to-be lower-quality entropy sources. Despite this, we are unaware of any published analysis of the security of critical RNGs when running in VMs. We fill this gap, using measurements of Linux's RNG systems (without the aid of hardware RNGs, the most common use case today) on Xen, VMware, and Amazon EC2. Despite CPU cycle counters providing a significant source of entropy, various deficiencies in the design of the Linux RNG make its first output vulnerable during VM boots and, more critically, make it suffer from catastrophic reset vulnerabilities. We show cases in which the RNG will output the exact same sequence of bits each time it is resumed from the same snapshot. This can compromise, for example, cryptographic secrets generated after resumption. We explore legacy-compatible countermeasures, as well as a clean-slate solution. The latter is a new RNG called Whirlwind, which provides a simpler, more secure solution for providing system randomness.
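As an added illustration (not code from the paper, nor the design of the Linux RNG or of Whirlwind), the toy hash-ratchet generator below models the reset vulnerability the abstract describes: two resumes from one snapshot replay exactly the same output bits unless fresh, non-snapshotted entropy is mixed into the state at resume time. The generator structure, the use of `os.urandom` as a stand-in for a fresh entropy source such as a cycle counter, and every name here are assumptions made for the example.

```python
import hashlib
import os
from typing import Callable, List, Optional


class ToyRng:
    """Minimal hash-based generator modelling an RNG's pool state (not Linux's design)."""

    def __init__(self, state: bytes, counter: int = 0) -> None:
        self.state = state      # the secret pool contents
        self.counter = counter  # number of outputs produced so far

    def mix(self, fresh: bytes) -> None:
        """Fold new entropy into the pool."""
        self.state = hashlib.sha256(self.state + fresh).digest()

    def output(self) -> bytes:
        """Derive one output block and ratchet the state forward."""
        self.counter += 1
        block = hashlib.sha256(b"out" + self.counter.to_bytes(8, "big") + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return block


def snapshot(rng: ToyRng) -> ToyRng:
    """A VM snapshot captures the full RNG state, including the pool."""
    return ToyRng(rng.state, rng.counter)


def resume_and_draw(snap: ToyRng, n: int,
                    reseed: Optional[Callable[[], bytes]] = None) -> List[bytes]:
    """Resume from a snapshot; optionally mix fresh entropy before the first output."""
    rng = ToyRng(snap.state, snap.counter)
    if reseed is not None:
        rng.mix(reseed())  # the countermeasure: non-snapshotted input at resume
    return [rng.output() for _ in range(n)]


def replays_after_reset(snap: ToyRng, n: int = 4) -> bool:
    """True when two resumes from the same snapshot emit identical bits (the vulnerability)."""
    return resume_and_draw(snap, n) == resume_and_draw(snap, n)


def diverges_with_reseed(snap: ToyRng, n: int = 4) -> bool:
    """True when mixing fresh entropy at resume makes the two resumes differ (the fix)."""
    fresh = lambda: os.urandom(16)  # stand-in for a real fresh entropy source (assumption)
    return resume_and_draw(snap, n, fresh) != resume_and_draw(snap, n, fresh)


if __name__ == "__main__":
    snap = snapshot(ToyRng(os.urandom(32)))  # constructed pool state for the demo
    print("replays after reset:", replays_after_reset(snap))   # True
    print("diverges with reseed:", diverges_with_reseed(snap))  # True
```

The same comparison across several resumes is the simplest check a defender can run against a guest image to confirm whether post-resume secrets are at risk.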
