In brief [LWN.net]

By Jonathan Corbet
May 20, 2009

get_random_int() for address space layout randomization was examined on last week's Security page, but, since then, some additional ideas have been discussed. Performance was the main reason to stick with the partial MD4 hash that is in the current code, but other possibilities are being considered. Eric Biederman noted that using a stream cipher such as AES might produce high-quality randomness without the performance penalty, but Matt Mackall didn't agree: "It's also unclear that encrypting small blocks with software AES is actually a performance win relative to SHA1, once you look at the key scheduling overhead and the cache footprint of its s-boxes."

Willy Tarreau pointed out that hash functions used to produce the random numbers actually generate far more data than is currently used. Storing the output of half_md4_transform() (or that of a different implementation using the much stronger SHA1 hash) and returning 4-byte chunks from the full—128 or 160 bit—hash value for each call would perform much better. But, Linus Torvalds is concerned that giving out more of the hash value could lead to easier attacks: "I personally suspect that it would be _much_ easier to attack the hash if we actually gave out the whole 16 bytes (over several iteration), when compared to what we do now (only give out a small part and then re-hash)." No patches emerged from the discussion, but no one is completely happy with the current implementation, so that could change at some point.

OOM by any other name. The out-of-memory (OOM) killer has often been featured on this page. But Christoph Lameter raised a previously unseen complaint about OOM in a recent discussion:

While we are at it: Could we get rid of the name "Out of Memory" and stop printing texts to that effect? What we call an OOM is a failure to perform memory reclaim or we are running out of reserves due to not being able to run reclaim. Mostly this is due to OS internal issues having nothing to do actual amounts of memory available.

Christoph says that users are tempted to add more memory in response to OOM situations, while the real fix is often to be found elsewhere - fixing the application which is locking down the bulk of RAM, for example. There was some discussion of changing the OOM messages to read something like "Unable to satisfy memory allocation request and not making progress reclaiming from other sources," but nothing has been merged at this point.

Tracepoints leave a trace: one of the key design criteria for kernel tracepoints is that their impact must be minimal when they are not being used. So Jason Baron was surprised to find out that, with the current tracepoint implementation, arguments to tracepoints are being evaluated before the determination of whether the tracepoint is active. In response, he prepared a patch to prevent the evaluation of arguments for inactive tracepoints. The patch works, but at a cost: it requires a change to the internal tracepoint API.

There is resistance to the API change, mostly because the people involved seem to think that the new version is uglier and that the problem is really a bug in GCC. It may prove hard to avoid, though; even if GCC is fixed soon, older versions will be out there for a long time. Minimizing overhead is seen as more important than API beauty, so, unless somebody comes up with a clever workaround, there may be no avoiding an unwanted tracepoint change.

Union mounts: there is a new set of union mount patches out there for evaluation, along with the necessary user-space tools. Valerie Aurora has put together a howto page for those who would like to experiment with this code. See this LWN article (also by Valerie) for information on the implementation of union mounts.

(Log in to post comments)

In brief

Posted May 21, 2009 14:05 UTC (Thu) by corbet (editor, #1) [Link]

I don't think anybody said anything about turning LWN into KT. The content that made the kernel page what it is will not be going anywhere. "In brief" is a way to point out interesting stuff which has not (yet) been turned into a full article. It gets done late in the process, once the "real" stuff has been written. That's why it will probably not appear every week; it's meant to not detract from the more in-depth material.

In brief

Posted May 21, 2009 14:52 UTC (Thu) by ikm (subscriber, #493) [Link]

If it's not meant to detract from the usual featured material, it should be located after it, not before. Right now it has taken the place which was usually occupied by in-depth stuff, which makes it feel like it's a new replacement for it.

In brief

Posted May 21, 2009 21:22 UTC (Thu) by nix (subscriber, #2304) [Link]

It certainly didn't detract this week: the kernel page was as good as I
can ever remember it being.

Every project should have a Corbet.

In brief

Posted May 21, 2009 21:22 UTC (Thu) by jschrod (subscriber, #1646) [Link]

As a non-reader of lkml, I find this section very interesting to get a glimpse of stuff that is currently under discussion. As long as it is as short as this, I think it's a great addition to LWN.

Just my 0.02 EUR,

Joachim

In brief

Posted May 22, 2009 1:58 UTC (Fri) by a9db0 (subscriber, #2181) [Link]

I'll second that, and toss in $.02.

Dave

In brief

Posted May 27, 2009 13:38 UTC (Wed) by ejr (subscriber, #51652) [Link]

Actually, "In Brief" goaded me into subscribing finally. So I up your 2 cents...

In brief

Posted May 29, 2009 18:22 UTC (Fri) by johnflux (subscriber, #58833) [Link]

Heh, I also subscribed just a few days.

In brief

Posted May 22, 2009 6:11 UTC (Fri) by PaulWay (✭ supporter ✭, #45600) [Link]

I for one love this new 'in brief' section - keep it up, Jon!

In brief

Posted May 21, 2009 13:57 UTC (Thu) by zooko (subscriber, #2589) [Link]

"I personally suspect that it would be _much_ easier to attack the hash if we actually gave out the whole 16 bytes (over several iteration), when compared to what we do now (only give out a small part and then re-hash)."

Argh! This is the kind of ill-informed ad-hockery that makes cryptographers sad. Why are the Linux hackers screwing about with this? Secure pseudo-random number generators are a well-understood construct, and on a modern amd64 architecture they should run in about 5 cycles per byte. (On an ARM XScale, maybe 10 to 15 cycles per byte.) For that matter, why isn't the /dev/urandom CPRNG already sufficient for this purpose?

In brief

Posted May 21, 2009 14:31 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

if you have an algorithm that generates data at a cost of 5 cycles/byte, post it.

the kernel list is talking about costs on the order of thousands of cycles, that's what they are trying to avoid

In brief

Posted May 21, 2009 15:26 UTC (Thu) by zooko (subscriber, #2589) [Link]

The number I gave were for the underlying security primitive (either a secure hash function or a cipher). Here are a bunch of measurements of those:

http://bench.cr.yp.to/results-hash.html
http://bench.cr.yp.to/results-stream.html

They range from as little as 3 cycles per byte (cpb) (on the powerful amd64 architectures) to 16 cpb (on older or more limited 32-bit architectures such as ARM), for "processing large messages", which means rekeying rarely. A good CPRNG such as Fortuna (http://www.amazon.com/Practical-Cryptography-Niels-Fergus... ) rekeys rarely, and runs at about the same rate as the underlying primitive, because it was designed by good cryptographers (in this case Niels Ferguson and Bruce Schneier) who know that performance is important, and who have spent a lifetime studying how to provide performance without endangering security.

There may be overhead that I'm not familiar with involving locking, copy-in-copy-out, or something. My assumption is that the linux CPRNG is of poor performance and uncertain security because it is a ad-hoc brew designed and maintained by kernel hackers instead of by cryptographers.

I'm assuming that the reason the kernel hackers is having this conversation about how to invent a new ad-hoc mechanism of uncertain security (for get_random_int()) is because the current ad-hoc mechanism is too slow.

See also the fate of Jean-Luc Cooke's patch to convert the core CPRNG to Fortuna:

http://mail.nl.linux.org/linux-crypto/2006-03/msg00005.html

Regards,

Zooko

In brief

Posted May 21, 2009 16:55 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

the entire reason for the 'ad-hoc' method is that the one deemed 'good enough' by the crypto experts is _far_ too slow.

it may be that the people who are claiming to be crypto experts and providing the advice to the kernel team don't know what they are doing, but it's not as simple as 'the kernel programmers are trying to be crypto experts and failing'

if /dev/urandom was fast enough there would be no reason to have something faster at the expense of it being weaker.

Eager Evaluation in C

Posted May 23, 2009 14:49 UTC (Sat) by nevets (subscriber, #11875) [Link]

The issue is not the arguments per say, but the fact that they are in an "unlikely" and the arguments are processed outside the unlikely. We have:

if (unlikely(traceme)) {
tracefunc(arg1,arg2,arg3);
}

But GCC is wasting time setting up the args even though we specifically specified that the function may never be called.

Eager Evaluation in C

Posted May 23, 2009 15:56 UTC (Sat) by dicej (guest, #36115) [Link]

That makes sense. However, the example Jason gave [1] is different:

static inline void trace(arg1, arg2)
{
if (unlikely(enabled)) {
<use the arguments>
}
}

He says, "If i call 'trace(ptr->arg1, ptr->arg2)', then the pointers are dereferenced before the 'if' is executed." I guess his point is that, in this case, the compiler should be able to prove that delaying the evaluation of the arguments will not change the behavior of the program, which is reasonable. In general, though, argument evaluation might have side effects and/or be influenced by side effects in the called function -- cases which whould force the compiler to evaluate eagerly.

[1] http://gcc.gnu.org/ml/gcc/2009-05/msg00504.html