[PATCH] Adding diversity for security
Stephen Crane
sjcrane at uci.edu
Fri Oct 11 10:44:57 PDT 2013
================
Comment at: tools/opt/opt.cpp:600-609
@@ -597,2 +599,12 @@
+ // Seed the RNG
+ std::string SeedData;
+ // If entropy already set (for predictable testing), ignore
+ if (RandomNumberGenerator::EntropyData.empty()) {
+ for (int i = 0; i < argc; ++i) {
+ SeedData += argv[i];
+ }
+ RandomNumberGenerator::EntropyData = SeedData;
+ }
+
if (AnalyzeOnly && NoOutput) {
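Review bot: The loop that builds SeedData from argv concatenates the arguments with no delimiter, so different argument vectors can collapse to the same string (two short arguments versus one longer one); join them with a separator or length prefix before assigning to RandomNumberGenerator::EntropyData. Also, command-line arguments are public and fully predictable, so this value should be treated as a per-invocation salt layered on top of a seed that is actually secret, not as the entropy source the name EntropyData suggests, and the empty() check means a deliberately empty setting cannot be used to disable salting.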
----------------
Tom Roeder wrote:
> I think something similar to this will have to be added to llvm-lto to support nop code generation there, too. Maybe instead of repeating the same snippet everywhere, you could make this a function in RandomNumberGenerator. Something like AddSeedData?
I've added a function, but also removed this setting everywhere but clang. This "EntropyData" (now called more correctly SaltData) is only needed during a larger build so that every compilation can use the same seed, but still result in a different random stream. Clang now sets this SaltData based on input filenames, to make each invocation unique.
================
Comment at: lib/Support/RandomNumberGenerator.cpp:153-154
@@ +152,4 @@
+ unsigned char Output[AES_BLOCK_SIZE];
+ AES_ctr128_encrypt(Plaintext, Output, AES_BLOCK_SIZE, &AESKey, IV,
+ EcountBuffer, &Num);
+
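Review bot: After AES_ctr128_encrypt fills Output there is no state update, so the same AESKey and IV keep producing the stream across calls; CTR_DRBG requires the Key and V to be replaced (via the update function) after every generate. Two further points visible in these lines: CTR mode returns Plaintext XOR keystream, so Plaintext must be an all-zero block for Output to equal the block encryption of the counter that the DRBG spec calls for, and Num must be zero on entry or the call will consume a leftover partial block from EcountBuffer and misalign the output with V.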
----------------
Tom Roeder wrote:
> See the description of the CTR_DRBG algorithm on page 58-59 of NIST SP 800-90A: the randomness generation process also needs to call an update function to change the secret state, including the key, each time. This is step 6 of CTR_DRBG Generate Process.
>
> Also, it looks like there is supposed to be a reseed count that forces reseeding after a certain interval. Table 3 in SP 800-90A gives the recommended number of iterations for a given security strength.
The existing RNG we were using was based on CTR_DRBG, but missing a few pieces which you very correctly point out. Thanks! I've tried to make it as compliant as possible, without reseeding now.
http://llvm-reviews.chandlerc.com/D1802
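The two review points above (the missing CTR_DRBG update step and the reseed counter) together with the build-wide seed plus per-file salt scheme described in the reply can be shown end to end in a small generator. The following is an added example written for this page, not the patch's RandomNumberGenerator code; it assumes AES-128, the "no derivation function" variant of CTR_DRBG where the seed material is exactly keylen + blocklen = 32 bytes, a SHA-256 hash of seed||salt as that seed material (an assumption of the example, not the patch's scheme), and a deliberately tiny reseed interval so the reseed check can be exercised.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	blockLen       = 16                // AES block size in bytes
	keyLen         = 16                // AES-128 key length
	seedLen        = keyLen + blockLen // seedlen for CTR_DRBG without a derivation function
	reseedInterval = 4                 // deliberately tiny for the demo; SP 800-90A allows up to 2^48
)

// ctrDRBG holds the CTR_DRBG working state: Key, V and the reseed counter.
type ctrDRBG struct {
	key         []byte
	v           []byte
	reseedCount uint64
}

// incrementV adds one to V as a big-endian counter (modulo 2^blocklen).
func incrementV(v []byte) {
	for i := len(v) - 1; i >= 0; i-- {
		v[i]++
		if v[i] != 0 {
			return
		}
	}
}

// update is CTR_DRBG_Update: run the block cipher in counter mode to produce
// seedLen bytes, XOR in providedData, and install the result as the new Key
// and V. Calling it after every generate is the missing "step 6".
func (d *ctrDRBG) update(providedData []byte) error {
	if len(providedData) != seedLen {
		return errors.New("provided data must be exactly seedLen bytes")
	}
	cipher, err := aes.NewCipher(d.key)
	if err != nil {
		return err
	}
	temp := make([]byte, 0, seedLen)
	out := make([]byte, blockLen)
	for len(temp) < seedLen {
		incrementV(d.v)
		cipher.Encrypt(out, d.v)
		temp = append(temp, out...)
	}
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	d.key = append([]byte(nil), temp[:keyLen]...)
	d.v = append([]byte(nil), temp[keyLen:]...)
	return nil
}

// newCTRDRBG is CTR_DRBG_Instantiate (no df): start from an all-zero Key and V,
// fold in the seed material with update, and set reseed_counter to 1.
func newCTRDRBG(seedMaterial []byte) (*ctrDRBG, error) {
	d := &ctrDRBG{key: make([]byte, keyLen), v: make([]byte, blockLen)}
	if err := d.update(seedMaterial); err != nil {
		return nil, err
	}
	d.reseedCount = 1
	return d, nil
}

// newSaltedDRBG mirrors the build-wide seed plus per-invocation salt idea from
// the reply: the same seed with different salts yields independent streams.
// Hashing seed||salt down to 32 bytes is an assumption of this example.
func newSaltedDRBG(seed, salt []byte) (*ctrDRBG, error) {
	sum := sha256.Sum256(append(append([]byte{}, seed...), salt...))
	return newCTRDRBG(sum[:])
}

// generate is CTR_DRBG_Generate without additional input: refuse to run once
// the reseed interval is exhausted, emit counter-mode blocks, then update the
// state so the key that produced this output is never used again.
func (d *ctrDRBG) generate(n int) ([]byte, error) {
	if d.reseedCount > reseedInterval {
		return nil, errors.New("reseed required")
	}
	cipher, err := aes.NewCipher(d.key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, n+blockLen)
	block := make([]byte, blockLen)
	for len(out) < n {
		incrementV(d.v)
		cipher.Encrypt(block, d.v)
		out = append(out, block...)
	}
	// additional_input absent, so the update uses 0^seedlen
	if err := d.update(make([]byte, seedLen)); err != nil {
		return nil, err
	}
	d.reseedCount++
	return out[:n], nil
}

// reseed is CTR_DRBG_Reseed (no df): fold fresh seed material in and reset the counter.
func (d *ctrDRBG) reseed(seedMaterial []byte) error {
	if err := d.update(seedMaterial); err != nil {
		return err
	}
	d.reseedCount = 1
	return nil
}

func main() {
	a, _ := newSaltedDRBG([]byte("build-wide-seed"), []byte("foo.c")) // constructed sample inputs
	b, _ := newSaltedDRBG([]byte("build-wide-seed"), []byte("bar.c"))
	oa, _ := a.generate(8)
	ob, _ := b.generate(8)
	fmt.Printf("foo.c: %x\nbar.c: %x\nindependent: %v\n", oa, ob, !bytes.Equal(oa, ob))
	for i := 0; i < reseedInterval; i++ {
		a.generate(8)
	}
	_, err := a.generate(8)
	fmt.Println("after the interval:", err)
}
```

The state change in update is what separates this from a plain counter-mode stream: after each generate the key is replaced, so the output that was just handed out cannot be extended forward or backward from a later snapshot of the state, and the counter forces the caller to supply fresh seed material after reseedInterval calls rather than running indefinitely on the original seed.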