Re: use of RDRAND in $random_library
On 6/13/14, Theodore Ts'o <email@example.com> wrote:
> On Fri, Jun 13, 2014 at 06:51:44PM +0000, Jacob Appelbaum wrote:
>> I would expect that if the NSA wanted to take control of the RDRAND or
>> the rest of the CPU, they'd dynamically update the microcode in the
>> CPU to change how it behaves. To do this, it appears that they'd need
>> to sign a microcode and then apply an update.....
> The Intel CPU doesn't support a persistent microcode update. A
> microcode update has to be uploaded after each power cycle.
I'm aware and happy about that fact. However, I have a few concerns
that come from a different core assumption: we know nothing about the
microcode updates that are applied at boot on many systems.
What do we know about the microcode updates that are shipping in
various operating systems? I think very little. Ben's research is
pretty fantastic for this reason.
> means that a microcode hack would require that you break root first.
I agree that a microcode insertion requires root but I'm not sure that
an attacker must always be the one to insert it. Microcode seems like
a perfect trojan horse and I am very suspect of it.
> And if you can break root, you can just bugger the kernel or one or
> more the userspace binaries. That's going to be as detectable as
> leaving an extra firmware file in /lib/firmware/intel-ucode.
It would be interesting to allow microcode updates at boot only and to
signal the kernel that no more are expected. That may change how such
an update could be applied. I'm unsure if it would matter as you
correctly state. Lots to do!
> I've long considered that there are so many zero-day exploits that if
> the NSA decides to carry out a focused attack on a single machine, or
> machines belonging to a single person, there is a very high
> probability they can do whatever they want. And this isn't a new
> problems; even before the days of computers things like "black bag jobs"
> were always a thing.
Of course, though they have certain advantages and we can ensure that
there is a level playing field for all attackers.
> So I'm personally much more concerned about bulk surveillance, whether
> it involves passive surveillance using fiber taps, or trojans
> introduced into distribution-provided binaries. Other people may have
> their own personal sense of paranoia, but that's mine. I happen to
> think mine corresponds more with reality, but I'm sure Keith Alexander
> and James Clapper would try to claim that I should be wearing tin foil
> hats or something. :-)
I think paranoia isn't the right term, your rationale is grounded
squarely in reality. :-)
All the best,