[PATCH] Adding diversity for security

Robinson, Paul Paul_Robinson at playstation.sony.com
Fri Jan 24 10:48:55 PST 2014

> >         Also, at the very least, adding the RNG should be split out
> >         into a separate patch.
> >

Amen to that, brother.

> >
> >     Why? We usually land supporting facilities together with the first
> >     use for ease of review and testing.

Sometimes.  Other times they're done independently.  Depends on the
size and complexity of the pieces.

> >
> >
> > Especially for integrating with foreign code, we do separate patches
> > (even sometimes separate discussions on llvmdev), consult e.g. the
> > additions of MD5 and zlib.
> The RNG in the patch is a small class with LLVM's existing MD5
> implementation being the only dependency.

But the choice of MD5 for this purpose is inherently suspect.

My own security days are over a decade behind me but it's not hard 
to find serious objections to using a hash function as the core of 
a PRNG.  F'rinstance [1] goes into some detail, once you get past 
the list of objections to the original post/question on that thread.
I haven't found any published statistical analysis of an MD5-based 
RNG to put the nails in the coffin but I am persuaded that it's not 
such a great idea.  It is _specifically_ _not_ a crypto-level RNG.

Most of the motivation to use MD5 in this mode seems to boil down 
to the obviously flawed syllogism:
(a) MD5 was invented by a crypto guru
(b) crypto == good
(c) therefore MD5 == good for purposes other than what it was
    designed for
This is a general critique, lots of people (who aren't crypto or
security trained) tend to think this way, as evidenced by the
number of MD5-based RNGs you can find on the web.

[1] http://security.stackexchange.com/questions/21277/create-a-variants-of-md5

P.S. I'm not taking a position on the value of the NOP feature, just
mouthing off about the RNG piece of it.

More information about the llvm-commits mailing list