ISAAC rng needs to detect forks, change its seed #16799
Comments
|
Forking at all with the standard library has completely undefined behaviour. There are bigger problems than the task-local RNG so I don't really think it can be considered a bug in isolation. Rust's standard library isn't really a library, it's a managed framework that runs your code and you have to obey certain rules. See #9568 |
|
The task-local RNG does reseed itself from the OS every few kilobytes, so this is a problem after forking, but only a temporary one. |
|
It may be handy to be able to register handlers (from external libraries like rust-crypto) to be called (automatically or manually) after a fork occurred. The #6930 could had helped. |
This is an important security issue. Some quick search for recent CVEs: |
|
An interesting post on this subject: https://blog.0xbadc0de.be/archives/218
The #9568 should be reopened. |
|
@sfackler, CVE-2013-1900 is about PostgreSQL as well (https://github.com/sfackler/rust-postgres) |
|
This RNG should not be used for cryptographically sensitive tasks;
|
|
@l0kod: Rust's runtime doesn't support |
It's not a security issue for pure safe code but it may be needed to use an (unsafe) However, this manual solution doesn't address the problem of foreign code (binding) using |
|
A library making use of |
|
Forking with the runtime is known to be unsupported. There are dozens of reasons why it is broken / completely memory unsafe. If you want it to be supported, then file an RFC about supporting it as a whole. You'll need to come up with a clear design for making it work properly. An individual problem resulting from the choice not to support |
|
Does this continue to be problematic with the runtime changes? |
1 similar comment
|
Does this continue to be problematic with the runtime changes? |
|
@apoelstra this is still applicable to libstd, yes, because the default |
|
@alexcrichton can we reopen this issue? The above discussion landed on "well forking is going to cause nasal daemons anyway because the runtime doesn't support it" but now we don't have a runtime and I expect that forking can be done without trouble .... except for this nasty RNG problem. |
|
I think calling not reseeding here "nasty" is a bit of an overstatement: the random numbers are just used by the HashMap to mitigate HashDoS attacks, they are not exposed elsewhere. There has even been discussion of using the same seeds for all HashMaps in an program, which has basically the same result as this does when forking. |
|
I agree that this isn't an issue for HashMap itself (or rather, it's not a problem for SipHash), but the original CVE's cited were for reseeding OpenSSL's entropy pool (for generating private keys, presumably). That said: Rust doesn't have official RNG anymore. It's all in the |
|
@huonw that's an excellent point actually! @apoelstra in light of that I believe this issue would be most appropriately against the rand crate rather than this repo (as this isn't actually any issue either way in libstd today) |
The
IsaacCSPRNG shipped in the standard library does not detect forking, which means that if a process forks, the result will be two processes with RNG's with identical state, a very dangerous situation.IIRC the stdlib does not support forking, but it's certainly possible by interfacing with POSIX code. Maybe it will require changes to the task model to support. (I know that is on the docket, so something to consider..)
This is also a problem for the pending Fortuna PR in rust-crypto, which won't be accepted until it's dealt with... so I'm bugging it here in the hopes that you guys will know how to fix it :)
The text was updated successfully, but these errors were encountered: