Does it read entropy from /dev/urandom to protect hash table against "Algorithmic Complexity Attacks"? Is getrandom(2) the solution? Or init API that receives entropy from caller?
This Tweet was deleted by the Tweet author. Learn more
Conversation
On Linux, getrandom is always the right approach. The /dev/urandom and /dev/random APIs are obsolescent. They aren't always available since they require access to a populated /dev, there's the dynamic failure case from using dynamic allocation (of files) and the early init bug.
1
The maintainers should fix the early init security bug in /dev/urandom, but they aren't yet willing to do it based on the lackluster kernel entropy generation combined with broad deployment of broken environments not providing entropy such as poor virtual machine implementations.
2
To save you some trouble: We're primarily talking about Linux systems where getrandom syscall returns ENOSYS or where there is no such syscall and there getentropy and friends all open /dev/urandom.
2
The right approach to take when there's not supposed to be a failure case and there's no secure alternatives is to abort. The getrandom system call was introduced in 2014 with the release of Linux 3.17. I doubt the systems you're talking about receive meaningful security updates.
1
Preaching to the choir. But, people still ask for Android O support and somebody from Google shared some info with me about the significance of Android O deployment. Last I looked some Enterprise Linux LTS stuff still doesn't have it either.
1
Minimum kernel version for Android O is specified to be 3.18 even for devices that were only upgraded to Android O. Linux 3.18 is also the oldest supported LTS branch for the Android common kernel and by the downstream SoC vendors. If it's older, it's going to be insecure anyway.
2
Devices launched with Oreo needed to have at least Linux 4.4. The 3.18 requirement was for older devices. If the kernel version is older, it's not Android, because that's part of the Compatibility Definition Document defining what Android means. I think it's a simple decision.
1
The choice is whether you want to support insecure environments without proper security updates, and if you do, it's hard to see why you would be worried about hash DoS. If you want a fallback, then use AT_RANDOM, which is usually more than good enough for mitigating hash DoS.
1
A correction for the earlier minimum version requirement for others finding the thread: twitter.com/DanielMicay/st. What I said about lack of security updates does apply though. Linux 3.18 is the oldest supported branch by the Android common kernel and in practice also SoC vendors.
Quote Tweet
Replying to @BRIAN_____ and @ZTarantov
That's true and also applies to the Nexus 5X and 6P. None of the Nexus devices have security updates anymore though. I was remembering the specific requirement incorrectly. Oldest version supported by Treble is 3.18 and Treble was optional for devices upgraded to Android Oreo.