Announcement

Collapse
No announcement yet.

It Turns Out CPU Speculative Execution Can Be Useful For Random Entropy / RNG

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • It Turns Out CPU Speculative Execution Can Be Useful For Random Entropy / RNG

    Phoronix: It Turns Out CPU Speculative Execution Can Be Useful For Random Entropy / RNG

    While CPU speculative execution has caused a lot of frustrations over the past two years due to the likes of the Spectre vulnerabilities, it turns out CPU speculative execution can be exploited to be a viable source of random entropy for random number generators...

    http://www.phoronix.com/scan.php?pag...ec-RNG-Entropy

  • #2
    That's as long as there is some sort of input (e.g. keyboard, mouse or network) that will cause context switches. Otherwise it can be somewhat (theoretically) deterministic.

    Comment


    • #3
      Originally posted by tildearrow View Post
      That's as long as there is some sort of input (e.g. keyboard, mouse or network) that will cause context switches. Otherwise it can be somewhat (theoretically) deterministic.
      It depends on the cpu as well. Some cpu with speculative exeuction do use hardware randomisation to decide what paths to speculative execute.

      Yes some silicon and setups it would be deterministic.

      Comment


      • #4
        This would be very easy to manipulate if you are controlling the majority of the threads.

        Good sources of non-deterministic entropy that almost all systems have: Flash IO timings. IRQ timings. Cross-core cache access timings. DRAM timings when thrashing the cache. Stack data when the IRQs run. GPIO latency timings. SPI bus latency timings. Even highly deterministic platforms with MCU cores like Arm M4 will be able to accumulate entropy from those sources.

        Part of the problem with the current Linux random device performance is that it returns the actual accumulated entropy bits. If instead it accumulated a pool of 64k entropy bits, supplied up to 32k of hash-derived bits, then perturbed the pool with the bits accumulated while supplying that 32kbits (ie flip bits in the 64kbit pool as they come then MD5 stream the block), then there wouldn't be any problems with a shortage of crypto-secure entropy bits, and the CPU cost of those entropy bits wouldn't be quite so insanely high as it is now. And no quantum computer will ever break the unknowable 32kbits of the pool.

        Comment


        • #5
          So it's not a bug. It's a feature!

          Comment


          • #6
            It's so stupid I love it.

            Comment


            • #7
              Originally posted by oiaohm View Post

              It depends on the cpu as well. Some cpu with speculative exeuction do use hardware randomisation to decide what paths to speculative execute.

              Yes some silicon and setups it would be deterministic.
              This is enough for me to tell it's a bad idea that should never be implemented. It's either reliable, or it goes in the trash.

              Comment


              • #8
                Who would have thought that in 2019 random number generation would be such a scarce feature that devs would scavenge for CPU bugs to implement it.

                Comment


                • #9
                  Originally posted by cl333r View Post
                  Who would have thought that in 2019 random number generation would be such a scarce feature that devs would scavenge for CPU bugs to implement it.
                  Imagine calling speculative execution a bug when it's the reason your CPU is not a first gen Intel Atom.

                  Comment


                  • #10
                    If it turns out that the whole "speculative execution as a performance win (with craptastic security issues)" was really "preliminary research into cheap random number generators on modern CPUs", that's gotta be the most expensive "cheap" ever in the history of software and hardware so far.

                    Comment

                    Working...
                    X