From: Florian Weimer <fweimer@redhat.com>
To: Zack Weinberg
Cc: Joseph Myers, GNU C Library <libc-alpha@sourceware.org>
Subject: Re: arc4random
Date: Sat, 30 Sep 2017 06:22:00 -0000
X-SW-Source: 2017-09/txt/msg01172.txt.bz2

On 09/30/2017 01:58 AM, Zack Weinberg wrote:
>> I think I found a way to do full fork protection even without
>> MADV_WIPEONFORK, using a global counter in a MAP_SHARED segment. Reseeding
>> is still needed to deal with a counter overflow on 32-bit architectures, and
>> there is some overhead by the globally shared counter, but I think it is
>> superior to all approaches I've seen so far (and it does not require a fork
>> handler or a system call for every random number generation).
>
> Is the idea that after a fork, processes may share RNG state but they
> see each others' counter increments so they won't return the same
> random bits from paired calls?  Kind of like how it would work for
> multiple threads with a shared but atomically accessed RNG state?

Exactly.  There's also a per-thread cache of an output block from the
underlying DRBG, but without MADV_WIPEONFORK, that's invalidated if
arc4random is called from multiple threads (because the global counter does
not match the expected value anymore).  But at least it's not necessary to
acquire a lock around the actual cryptographic operation.

But all this is only possible for 64-bit atomics.  If those are not
available, I'm not sure what we can do.  The initial implementation will
have a 32-bit counter in the shared page and a lock (not shared across
processes) which is acquired around the entire arc4random operation.  If
the 32-bit counter overflows, we need to replace the page with the global
state with a new one (using MAP_FIXED) and reinitialize the secrets.  I
don't think we can use any of the usual techniques for building a >32-bit
counter from two 32-bit values because they rely on flag bits and waiting,
but the other process can die at any time, and a waiting operation would
get stuck at that point.

Thanks,
Florian
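The mechanism described in the exchange above, as an added illustration in C. This is not glibc code and not Florian's implementation; the names (rng_init, rng_next64, demo_fork_distinct), the 16-word block size and the secret key are made up for the example, and the block derivation is a splitmix64-style mixer standing in for a real DRBG. It shows the three ideas from the mail: a 64-bit counter in a MAP_SHARED page that a forked child and its parent both increment, a per-thread cached output block that is discarded as soon as the observed counter differs from the value the cache expects, and output that is a function of (secret, counter) so that a counter value is never reused while the secret is unchanged.

```c
/* Added example, not glibc code: a per-thread output cache made fork-safe by
   a 64-bit counter in a MAP_SHARED page.  The block derivation is a toy mixer
   standing in for a DRBG; never use it for real randomness. */
#define _GNU_SOURCE
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define BLOCK_WORDS 16

/* Global state page.  MAP_SHARED means a forked child bumps the same counter
   the parent sees, with no MADV_WIPEONFORK and no fork handler. */
struct shared_state {
    _Atomic uint64_t counter;   /* incremented once per output word */
    uint64_t key[2];            /* DRBG secret (constructed value below) */
};
static struct shared_state *g;

/* Per-thread cache of one block and the counter value it expects to observe
   on the next call.  Any foreign increment breaks that expectation. */
static _Thread_local struct { uint64_t expected; unsigned pos; uint64_t buf[BLOCK_WORDS]; } cache;
static _Thread_local unsigned refills;   /* instrumentation only */

/* splitmix64 finalizer: a bijection on 64 bits, so distinct inputs give
   distinct words.  Stand-in for the real DRBG output function. */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Output depends only on (secret, counter value), which is why a wrapped
   32-bit counter would force new secrets, as the mail says. */
static void derive_block(uint64_t ctr) {
    for (unsigned i = 0; i < BLOCK_WORDS; i++)
        cache.buf[i] = mix(g->key[0] ^ mix(g->key[1] ^ ((ctr << 4) | i)));
    cache.pos = 0;
    refills++;
}

int rng_init(void) {
    g = mmap(NULL, sizeof *g, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (g == MAP_FAILED) return -1;
    atomic_init(&g->counter, 0);
    g->key[0] = 0x243f6a8885a308d3ULL;   /* constructed; real code: getrandom() */
    g->key[1] = 0x13198a2e03707344ULL;
    memset(&cache, 0, sizeof cache);
    cache.pos = BLOCK_WORDS;             /* cache starts empty */
    refills = 0;
    return 0;
}

/* One atomic increment per call.  If another thread or a forked process drew
   a word since our last call, 'seen' != 'expected' and the cached block is
   dropped instead of being handed out twice. */
uint64_t rng_next64(void) {
    uint64_t seen = atomic_fetch_add(&g->counter, 1);
    if (seen != cache.expected || cache.pos == BLOCK_WORDS)
        derive_block(seen);
    cache.expected = seen + 1;
    return cache.buf[cache.pos++];
}

uint64_t rng_draw(unsigned n) {          /* draw n words, return the last */
    uint64_t v = 0;
    while (n-- > 0) v = rng_next64();
    return v;
}

unsigned rng_refills(void) { return refills; }
/* Models a word drawn by some other thread or process. */
void rng_foreign_increment(void) { atomic_fetch_add(&g->counter, 1); }

/* Fork and draw one word on each side: 1 if they differ, 0 if the same cached
   word came out twice, -1 on error. */
int demo_fork_distinct(void) {
    int fd[2];
    uint64_t parent_v, child_v = 0;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        uint64_t v = rng_next64();
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    parent_v = rng_next64();
    if (read(fd[0], &child_v, sizeof child_v) != (ssize_t)sizeof child_v) return -1;
    waitpid(pid, NULL, 0);
    close(fd[0]); close(fd[1]);
    return parent_v != child_v;
}

int main(void) {
    if (rng_init() != 0) return 1;
    printf("after fork: parent and child %s\n", demo_fork_distinct() == 1 ? "differ" : "collide");
    return 0;
}
```

Whichever side of the fork calls first gets the cached word; the other observes a counter value one higher than its copy of the cache expects, derives a fresh block from that value and returns a different word. The same check is what makes the cache useless under multi-threaded use without MADV_WIPEONFORK: every call from another thread advances the shared counter past the expected value. The 32-bit fallback in the mail cannot rely on this derivation staying collision-free, because after 2^32 increments the (secret, counter) pair repeats, which is why the page and the secrets have to be replaced rather than the counter simply wrapping.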