wahern / luaossl

Most comprehensive OpenSSL module in the Lua universe.
http://25thandclement.com/~william/projects/luaossl.html

Better fork protection for random bytes #24

Open daurnimator opened 9 years ago

daurnimator commented 9 years ago
static void randL_checkpid(struct randL_state *st) {
    if (st->pid != getpid())
        (void)randL_stir(st, 16);
} /* randL_checkpid() */

^^ This code is currently used to ensure that a forked process will generate different random numbers.

A determined attacker could use pid overflow/wrapping to get the same random number generated more than once.

Related links:

daurnimator commented 9 years ago

On Linux, I wonder if the process specific keyring (see keys.txt) could help...

wahern commented 9 years ago

On Thu, May 28, 2015 at 06:36:37PM -0700, daurnimator wrote:

> On Linux, I wonder if the process specific keyring (see keys.txt) could help...

pthread_atfork can be used as the baseline.

The key ring capability looks useful. There are no glibc bindings so would need to use syscall.

OpenBSD has a cleaner feature: minherit + MAP_INHERIT_ZERO. Whenever a fork occurs the specified pages are automatically zeroed out. They added the flag for use in their arc4random implementation.
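The `pthread_atfork` baseline mentioned above, next to the pid comparison from the issue, as an added example that is not part of the thread or of luaossl's code. `rng_state`, `fork_generation` and all function names are hypothetical, and the recycled-pid case is simulated by overwriting the stored pid in the child.

```c
#include <pthread.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical state, modelled on the pid check quoted in the issue. */
struct rng_state { pid_t pid; unsigned long fork_gen; };

static volatile unsigned long fork_generation; /* bumped in each forked child */
static void on_fork_child(void) { fork_generation++; }

/* Register the child handler once, before any fork. Returns 0 on success. */
int rng_fork_guard_init(void) { return pthread_atfork(NULL, NULL, on_fork_child); }

/* Record "state was stirred in this process, at this fork generation". */
void rng_mark_stirred(struct rng_state *st) {
    st->pid = getpid();
    st->fork_gen = fork_generation;
}

int needs_stir_pid(const struct rng_state *st) { return st->pid != getpid(); }
int needs_stir_gen(const struct rng_state *st) { return st->fork_gen != fork_generation; }

/* Fork once; the child evaluates both checks and reports through a pipe.
 * reuse_pid != 0 models pid wrap: the inherited state already holds the
 * child's pid (constructed here by overwriting st.pid in the child).
 * Returns bit 0 = pid check fired, bit 1 = generation check fired, -1 on error. */
int fork_and_report(int reuse_pid) {
    struct rng_state st;
    unsigned char r = 0;
    int fds[2];
    rng_mark_stirred(&st);
    if (pipe(fds) != 0) return -1;
    pid_t child = fork();
    if (child < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (child == 0) {
        if (reuse_pid) st.pid = getpid(); /* simulated recycled pid */
        r = (unsigned char)(needs_stir_pid(&st) | (needs_stir_gen(&st) << 1));
        _exit(write(fds[1], &r, 1) == 1 ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &r, 1);
    close(fds[0]);
    waitpid(child, NULL, 0);
    return n == 1 ? r : -1;
}

int main(void) {
    if (rng_fork_guard_init() != 0) return 1;
    printf("normal fork: %d, recycled pid: %d\n", fork_and_report(0), fork_and_report(1));
    return 0;
}
```

`pthread_atfork` handlers run only when the process forks through libc's `fork()`; a child created with a raw `clone` system call does not trigger them.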

daurnimator commented 9 years ago

> The key ring capability looks useful. There are no glibc bindings so would need to use syscall.

I created a POC: https://gist.github.com/daurnimator/dfdbaef3c255bdc11531 and a blog post to accompany

The functions are in keyutils.h, you don't need to use the syscall directly