From owner-freebsd-security@FreeBSD.ORG Thu Sep 6 16:45:15 2012
Delivered-To: freebsd-security@FreeBSD.org
Received: by hub.freebsd.org (Postfix, from userid 664) id 847B810656D4; Thu, 6 Sep 2012 16:45:15 +0000 (UTC)
Date: Thu, 6 Sep 2012 09:45:14 -0700
From: David O'Brien
To: Doug Barton
Message-ID: <20120906164514.GA14757@dragon.NUXI.org>
References: <201208222337.q7MNbORo017642@svn.freebsd.org> <5043E449.8050005@FreeBSD.org> <20120904220126.GA85339@dragon.NUXI.org> <50468326.8070009@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <50468326.8070009@FreeBSD.org>
X-Operating-System: FreeBSD 10.0-CURRENT
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger?
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: Arthur Mesh , freebsd-security@FreeBSD.org, freebsd-rc@FreeBSD.org, Mark Murray
Subject: Re: svn commit: r239598 - head/etc/rc.d
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: obrien@freebsd.org
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 06 Sep 2012 16:45:15 -0000

On Tue, Sep 04, 2012 at 03:39:34PM -0700, Doug Barton wrote:
> Regarding your changes in r240108:
>
> 1. Adding kenv to the mix is probably a good idea, however the output of
> the ps command won't be the same both times it is run, which is why it
> was in there twice.

Doug,
Have you actually looked at the 'ps' output from the two runs from within
'initrandom'?  I have.  On my test system I got 1608 bytes of output on
24 well structured lines.  The two runs differed so little (only 5 lines)
that about all you could claim is it might add 1 bit of entropy.  But the
search space to find the differences given the first run is so minimal I
don't see that it adds any real value.  You should be suggesting totally
different commands to run that will provide better than a second run of
'ps'.

> I'll have to give the kenv output a look.  I would
> also like to confirm that it's available on all platforms.

Geez, I'm not that stupid.  Do you see any guards within bin/Makefile that
only build it for some architectures?  I verified we have it on MIPS, ARM,
and PowerPC and it gives some output.  It does not give as much
system-specific output as on x86 -- I wish it did, but the output can be
rather unique on x86, so it is worth including it.

> 2. I'm not sure I like the change from cat'ing /bin/ls to the hash of
> the kern.bootfile output.  Given that most users stick with the GENERIC
> kernel or the same custom kernel on multiple machines I'm not confident
> that there will be a statistically significant difference in the amount
> of entropy between the 2,

Vs /bin/ls?  We have a chapter in the handbook on building your own kernel
[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html].
Do we have a chapter on building a custom /bin/ls?  A kernel build is a
combination of 946 knobs.  /bin/ls has 1, leading to two different
results.  So you really think there is more chance that /bin/ls will vary
between two installations of the same version of FreeBSD?  You don't
believe most users use the same /bin/ls across multiple machines?

> 3. Given that we're running the same set of commands at each boot, it's
> not clear to me how changing the order helps, but I don't necessarily
> disagree with that change.

It's the same point that Ian Lepore made about variance.  Also
http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix98.pdf page 9.
[usenix98.pdf is one of the Yarrow paper's references]

> Thanks.  In case it's not clear, please hold off on any further changes
> until we have a better consensus on what the changes should be.

The commit was 15 days ago, and it's been 4 days since you started this
thread.  At this point you're the only one that has spoken up against the
changes.  Arthur and I have provided you our reasoning.  I've provided
references, pointed out the code, discussed my changes and reasoning with
multiple security professionals at $WORK where we make products based on
FreeBSD and have FIPS-140 Level 2 certificates[*].  I will only wait but
so much longer before I feel there is near-unanimous consensus.

-- 
-- David  (obrien@FreeBSD.org)

[*] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
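The "search space given the first run" argument above, as an added example that is not part of the thread or of the initrandom script. It models a second 'ps' run as the first run with only two fields changed (the PID of the ps process itself and the CPU time of one kernel thread), hashes that output the way a seeding script would, and shows an attacker who saw the first run recovering the second by enumerating a few thousand candidates. The sample ps lines, the choice of which fields vary and by how much, and the use of SHA-256 as the digest are all constructed assumptions for the illustration; the bit count it reports is a bound under that model, not a measurement of real ps output.

```python
import hashlib
import math

# Constructed sample 'ps' output, with the two fields this model allows
# to change between runs left as format slots: the PID of the ps process
# itself and the CPU time of the entropy-harvest thread.  Everything else
# is assumed identical across the two runs.
PS_TEMPLATE = (
    "  PID TT  STAT    TIME COMMAND\n"
    "    0  -  DLs  0:00.02 [kernel]\n"
    "    1  -  ILs  0:00.01 /sbin/init --\n"
    "   12  -  DL   {harvest} [rand_harvestq]\n"
    "   25 v0  Ss+  0:00.03 /usr/libexec/getty Pc ttyv0\n"
    "   31  -  Ss   0:00.05 /sbin/devd\n"
    "{ps_pid:>5} v0  R+   0:00.00 ps -ax\n"
)


def fmt_time(ticks):
    """Render CPU time in ps's M:SS.hh form from hundredths of a second."""
    minutes, rest = divmod(ticks, 6000)
    seconds, hundredths = divmod(rest, 100)
    return f"{minutes}:{seconds:02d}.{hundredths:02d}"


def ps_output(ps_pid, harvest_ticks):
    """One run of the modelled 'ps' command."""
    return PS_TEMPLATE.format(ps_pid=ps_pid, harvest=fmt_time(harvest_ticks))


def seed_from(output):
    """What a seeding script effectively contributes to the pool: a digest
    of the command output (SHA-256 here; the hash choice is an assumption)."""
    return hashlib.sha256(output.encode()).hexdigest()


def count_differing_lines(a, b):
    """How many lines changed between two runs (same line count assumed)."""
    return sum(1 for x, y in zip(a.splitlines(), b.splitlines()) if x != y)


def search_space_bits(max_pid_delta, max_tick_delta):
    """Upper bound on the entropy the second run can add under this model."""
    return math.log2(max_pid_delta * (max_tick_delta + 1))


def recover_second_run(first_pid, first_ticks, target_seed,
                       max_pid_delta=64, max_tick_delta=300):
    """Attacker who saw the first run enumerates plausible second runs
    (PID grew by 1..max_pid_delta, harvest thread used 0..max_tick_delta
    more hundredths of CPU) until the digest matches.  Returns the number
    of candidates tried and the recovered output, or None if not found."""
    tries = 0
    for pid_delta in range(1, max_pid_delta + 1):
        for tick_delta in range(max_tick_delta + 1):
            tries += 1
            candidate = ps_output(first_pid + pid_delta, first_ticks + tick_delta)
            if seed_from(candidate) == target_seed:
                return tries, candidate
    return tries, None


if __name__ == "__main__":
    first = ps_output(44, 31)
    second = ps_output(47, 51)          # constructed "second run"
    print("lines differing between the runs:", count_differing_lines(first, second))
    print("search space: about 2^%.1f candidates" % search_space_bits(64, 300))
    tries, found = recover_second_run(44, 31, seed_from(second))
    print("attacker recovered the second run:", found == second, "after", tries, "hashes")
```

Widening the assumed ranges only moves the bound by a few bits; the point the model makes is that anything an attacker can enumerate from the first run is not entropy the second run adds, which is why the message asks for different commands rather than a repeat.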