Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG

Everspaugh, Adam; Zhai, Yu; Jellinek, Robert; Ristenpart, Thomas; Swift, Michael M.

doi:10.1109/sp.2014.42

Cited by 26 publications

(11 citation statements)

References 13 publications

(31 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our initiator client offered a set of cipher suites chosen from the most commonly supported options observed by Adrian et al [3]. 17 We tested this packet on the default configuration of our vulnerable NetScreen device to verify that it was accepted.…”

Section: Counting Screenos Devicesmentioning

confidence: 99%

See 1 more Smart Citation

A Systematic Analysis of the Juniper Dual EC Incident

Checkoway

Maskiewicz

Garman

et al. 2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen VPN routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator.In this paper, we describe the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable since 2008 to passive exploitation by an attacker who selects the Dual EC curve point. This vulnerability arises due to apparent flaws in Juniper's countermeasures as well as a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. We investigate the possibility of passively fingerprinting ScreenOS implementations in the wild. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice.

show abstract

Section: Counting Screenos Devicesmentioning

confidence: 99%

“…As new use cases arose, the security desiderata have been revised and expanded. For example, Ristenpart and Yilek analyzed application-level randomness reuse in virtual machines whose state is reset and rolled back [38], and Everspaugh et al [17] extended the analysis to kernel-level randomness.…”

Section: Related Workmentioning

confidence: 99%

A Systematic Analysis of the Juniper Dual EC Incident

Checkoway

Maskiewicz

Garman

et al. 2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Realistic initialization: Relatedly, the current PWI formalism cannot model setup procedures, such as those used by the ISK-RNG. Addressing this shortcoming is particularly important since weak initialization has led to attacks on real-world PWIs [9,6]; security definitions should expose these vulnerabilities.…”

Section: Improvements To the Pwi Modelmentioning

confidence: 99%

A Provable-Security Analysis of Intel’s Secure Key RNG

Shrimpton

Terashima

2015

Advances in Cryptology -- EUROCRYPT 2015

View full text Add to dashboard Cite

Abstract. We provide the first provable-security analysis of the Intel Secure Key hardware RNG (ISK-RNG), versions of which have appeared in Intel processors since late 2011. To model the ISK-RNG, we generalize the PRNG-with-inputs primitive, introduced by Dodis et al. at CCS'13 for their /dev/[u]random analysis. The concrete security bounds we uncover tell a mixed story. We find that ISK-RNG lacks backward-security altogether, and that the forward-security bound for the "truly random" bits fetched by the RDSEED instruction is potentially worrisome. On the other hand, we are able to prove stronger forward-security bounds for the pseudorandom bits fetched by the RDRAND instruction. En route to these results, our main technical efforts focus on the way in which ISK-RNG employs CBCMAC as an entropy extractor.

show abstract

“…The variety of seed values created in this way satisfies the security requirements of the initialization process as described by the National Institute of Standards and Technology (NIST) [2]. The security of entropy sources is a research topic in the areas of operating system virtualization and cloud services [4]- [10]. However, with respect to the design of deterministic random generators as microelectronic systems, this problem has not been sufficiently studied in the literature.…”

Section: Introductionmentioning

confidence: 99%

Trojan Attack on the Initialization of Pseudo-Random Bit Generators Using Synchronization of Chaotic Input Sources

Melosik

Marszałek²

2021

IEEE Access

View full text Add to dashboard Cite

An initialization input attack on a set of two pseudo-random generators using analog-digital hardware Trojan is presented in this paper. Trojan circuit implementations are discussed following their full classification. Simulation results confirming the effectiveness of the Trojan impact on a repetition of identical seed values are analyzed. Trojan structure is integrated with the deterministic random bit generator functional model recommended by NIST and the task is to impact two seed generators (in two channels), which use the independent Chua circuits as the sources of entropy. The analog Trojan part causes synchronization of the two analog chaotic circuits as explained by the results of LTSpice simulation. The digital Trojan part controls the analog part and modifies the values of optional parameters used in the creation of the seeds. The seed value creation in two cases (with and without Trojan) are simulated by using Xilinx ISIM.

show abstract

Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG

Cited by 26 publications

References 13 publications

A Systematic Analysis of the Juniper Dual EC Incident

A Systematic Analysis of the Juniper Dual EC Incident

A Provable-Security Analysis of Intel’s Secure Key RNG

Trojan Attack on the Initialization of Pseudo-Random Bit Generators Using Synchronization of Chaotic Input Sources

Contact Info

Product

Resources

About