[147870] in cryptography@c2.net mail archive
Re: [Cryptography] [RNG] on RNGs, VM state, rollback, etc.
daemon@ATHENA.MIT.EDU (Kent Borg)
Mon Oct 28 15:21:31 2013
Date: Mon, 28 Oct 2013 14:42:34 -0400
From: Kent Borg <kentborg@borg.org>
To: John Gilmore <gnu@toad.com>, Theodore Ts'o <tytso@mit.edu>
In-Reply-To: <201310280820.r9S8KwqQ013992@new.toad.com>
Cc: John Kelsey <crypto.jmk@gmail.com>, Jerry Leichter <leichter@lrw.com>,
Cryptography <cryptography@metzdowd.com>, Russ Nelson <nelson@crynwr.com>,
Peter Saint-Andre <stpeter@stpeter.im>
On 10/28/2013 04:20 AM, John Gilmore wrote:
> Could the injected code be sufficiently subtle to detect and store or
> report entropy events like packet timing, without becoming
> sufficiently obvious that the malware's presence is detected on the
> network?

No.

Knowing "packet timing" isn't good enough. It is the interrupt timing
that matters, and even that isn't good enough, at least not in the case
of a fast CPU with a GHz+ system clock: you have to know the value of a
fast counter at the moment that it is sampled as part of servicing the
interrupt.

The clock the attacker needs to know doesn't even exist outside the chip
in question. An attacker needs to infer very precise phase angles here,
or a bit or more of entropy will slip through on that interrupt.

And you expect to measure this via malware running on a cheap printer
plugged into feet of ethernet cable plus an ethernet switch plus more
cabling between it and the computer that gets the interrupt? The
malware might make an estimation of interrupt timing, but it can't get
down to the last LSB of that clock at the moment when the CPU gets
around to reading it.

We are talking not just an off-chip measurement of a signal that doesn't
exist off-chip, we are talking about doing it from outside the box, when
the box isn't trying to cooperate.

Making timing measurements precisely is hard to do in the best possible
and most carefully engineered circumstances.

-kb