Entropy-supplying system calls

Last updated

Entropy-supplying system calls are system calls in Unix-like operating system kernels through which processes can obtain entropic or random data. The first of these was getentropy, introduced to the OpenBSD operating system in release 5.6 (November 2014), as a refactoring of the sysctl(3) KERN_ARND approach used since 1997. [1] Linux offers a very similar system call, getrandom, which was based on getentropy. [2] It was first available in Linux 3.17, released in October 2014. [3] In July 2015, Solaris introduced slightly modified versions of getentropy and getrandom. [4] In August 2015, FreeBSD introduced the read_random system call for obtaining random data from the kernel. [5]

Contents

These system calls allow processes to access quality random data without opening and reading from randomness pseudo-devices.

Microsoft Windows' CryptGenRandom and Apple iOS's SecRandom API are very similar. However, they are not implemented as system calls.

Motivation

Traditionally, Unix-like operating systems supply random data through two pseudo-devices: /dev/random and /dev/urandom . However, safely and reliably reading random data from these devices can be difficult and complicated. For example, an attacker could interfere with a process's access to the pseudo-devices by opening all available file descriptors, or through a similar form of resource exhaustion attack. The use of these devices also interferes with privilege revocation. Unprivileged processes are often denied the ability to open and read files and devices, and the randomness devices are not even visible to chrooted processes.

The difficulty of using randomness pseudo-devices often leads developers to use standard library functions instead. Some of these, such as the C programming language's rand() , POSIX's random(), and drand48(), are very unsafe when used for cryptography or similar applications, because these algorithms are actually deterministic, having been intentionally crippled to satisfy seed-reuse requirements through the interfaces srand(), srandom(), and srand48().

A significant difference exists between these calls: getentropy() guarantees that random numbers will be returned immediately, without any blocking. It requires operating support which guarantees random data stream initialization at the earliest opportunity. To encourage other operating systems follow this model, getentropy() cannot indicate errors to the application. Other calls described here may return errors instead, or block indeterminately. Such blocking semantics have been implicated in significant problems. [6]

As security becomes a more widespread priority in software development, quality randomness is used more often and in more contexts. Because of this, providing quality randomness is increasingly considered a core responsibility of the kernel. System calls are the traditional interface through which a process uses core kernel services, and kernels are therefore supporting accessing randomness through system calls.

Usage

Because it is faster and adds another layer of entropy mixing, it is usually suggested that processes use these syscalls' data through a userspace cryptographically secure pseudorandom number generator (CSPRNG) rather than assigning the retrieved data directly to variables. For this purpose, OpenBSD's C standard library includes the function arc4random , which programs are expected to call when they need random data. [1] Like getentropy, arc4random also may not block nor return an error.

This approach allows a program to fetch less entropy from the kernel without reducing the strength of its random data. The getentropy system call is designed based on this assumption, supplying no more than 256 bytes per call. [1] [7]

See also

Related Research Articles

A monolithic kernel is an operating system architecture where the entire operating system is working in kernel space. The monolithic model differs from other operating system architectures in that it alone defines a high-level virtual interface over computer hardware. A set of primitives or system calls implement all operating system services such as process management, concurrency, and memory management. Device drivers can be added to the kernel as modules.

The Open Sound System (OSS) is an interface for making and capturing sound in Unix and Unix-like operating systems. It is based on standard Unix devices system calls. The term also sometimes refers to the software in a Unix kernel that provides the OSS interface; it can be thought of as a device driver for sound controller hardware. The goal of OSS is to allow the writing of sound-based applications that are agnostic of the underlying sound hardware.

dd is a command-line utility for Unix, Plan 9, Inferno, and Unix-like operating systems and beyond, the primary purpose of which is to convert and copy files. On Unix, device drivers for hardware and special device files appear in the file system just like normal files; dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining a fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings.

A chroot on Unix and Unix-like operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.

In Unix and Unix-like computer operating systems, a file descriptor is a process-unique identifier (handle) for a file or other input/output resource, such as a pipe or network socket.

<span class="mw-page-title-main">Pseudoterminal</span>

In some operating systems, including Unix and Linux, a pseudoterminal, pseudotty, or PTY is a pair of pseudo-device endpoints (files) which establish asynchronous, bidirectional communication (IPC) channel between two or more processes. The master provides means by which a terminal emulator process controls the slave. The slave, emulates a hardware text terminal device. PTY are similar to bidirectional pipes.

<span class="mw-page-title-main">/dev/random</span> Pseudorandom number generator file in Unix-like operating systems

In Unix-like operating systems, /dev/random and /dev/urandom are special files that serve as cryptographically secure pseudorandom number generators. They allow access to environmental noise collected from device drivers and other sources. /dev/random typically blocked if there was less entropy available than requested; more recently it usually blocks at startup until sufficient entropy has been gathered, then unblocks permanently. The /dev/urandom device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot. Not all operating systems implement the same methods for /dev/random and /dev/urandom.

A random password generator is software program or hardware device that takes input from a random or pseudo-random number generator and automatically generates a password. Random passwords can be generated manually, using simple sources of randomness such as dice or coins, or they can be generated using a computer.

Fortuna is a cryptographically secure pseudorandom number generator (PRNG) devised by Bruce Schneier and Niels Ferguson and published in 2003. It is named after Fortuna, the Roman goddess of chance. FreeBSD uses Fortuna for /dev/random and /dev/urandom is symbolically linked to it since FreeBSD 11. Apple OSes have switched to Fortuna since 2020 Q1.

The proc filesystem (procfs) is a special filesystem in Unix-like operating systems that presents information about processes and other system information in a hierarchical file-like structure, providing a more convenient and standardized method for dynamically accessing process data held in the kernel than traditional tracing methods or direct access to kernel memory. Typically, it is mapped to a mount point named /proc at boot time. The proc file system acts as an interface to internal data structures about running processes in the kernel. In Linux, it can also be used to obtain information about the kernel and to change certain kernel parameters at runtime (sysctl).

<span class="mw-page-title-main">Random number generation</span> Producing a sequence that cannot be predicted better than by random chance

Random number generation is a process by which, often by means of a random number generator (RNG), a sequence of numbers or symbols that cannot be reasonably predicted better than by random chance is generated. This means that the particular outcome sequence will contain some patterns detectable in hindsight but unpredictable to foresight. True random number generators can be hardware random-number generators (HRNGS) that generate random numbers, wherein each generation is a function of the current value of a physical environment's attribute that is constantly changing in a manner that is practically impossible to model. This would be in contrast to so-called "random number generations" done by pseudorandom number generators (PRNGs) that generate numbers that only look random but are in fact pre-determined—these generations can be reproduced simply by knowing the state of the PRNG.

In computing, ioctl is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls. It takes a parameter specifying a request code; the effect of a call depends completely on the request code. Request codes are often device-specific. For instance, a CD-ROM device driver which can instruct a physical device to eject a disc would provide an ioctl request code to do so. Device-independent request codes are sometimes used to give userspace access to kernel functions which are only used by core system software or still under development.

Data scrubbing is an error correction technique that uses a background task to periodically inspect main memory or storage for errors, then corrects detected errors using redundant data in the form of different checksums or copies of data. Data scrubbing reduces the likelihood that single correctable errors will accumulate, leading to reduced risks of uncorrectable errors.

The OpenBSD operating system focuses on security and the development of security features. According to author Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms."

In Unix-like operating systems, a loop device, vnd, or lofi is a pseudo-device that makes a computer file accessible as a block device.

CryptGenRandom is a deprecated cryptographically secure pseudorandom number generator function that is included in Microsoft CryptoAPI. In Win32 programs, Microsoft recommends its use anywhere random number generation is needed. A 2007 paper from Hebrew University suggested security problems in the Windows 2000 implementation of CryptGenRandom. Microsoft later acknowledged that the same problems exist in Windows XP, but not in Vista. Microsoft released a fix for the bug with Windows XP Service Pack 3 in mid-2008.

In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.

In Unix-like operating systems, a device file or special file is an interface to a device driver that appears in a file system as if it were an ordinary file. There are also special files in DOS, OS/2, and Windows. These special files allow an application program to interact with a device by using its device driver via standard input/output system calls. Using standard system calls simplifies many programming tasks, and leads to consistent user-space I/O mechanisms regardless of device features and functions.

<span class="mw-page-title-main">Unix</span> Family of computer operating systems

Unix is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and others.

The OpenBSD Cryptographic Framework (OCF) is a service virtualization layer for the uniform management of cryptographic hardware by an operating system. It is part of the OpenBSD Project, having been included in the operating system since OpenBSD 2.8. Like other OpenBSD projects such as OpenSSH, it has been ported to other systems based on Berkeley Unix such as FreeBSD and NetBSD, and to Solaris and Linux. One of the Linux ports is supported by Intel for use with its proprietary cryptographic software and hardware to provide hardware-accelerated SSL encryption for the open source Apache HTTP Server.

References

  1. 1 2 3 "getentropy(2) OpenBSD man page". OpenBSD manual pages. OpenBSD. Retrieved 27 May 2016.
  2. "[PATCH, RFC] random: introduce getrandom(2) system call". LKML. 17 July 2014. Retrieved 30 December 2015.
  3. "Linux 3.17". Linux Kernel Newbies. Retrieved 30 December 2015.
  4. Darren, Moffat. "Solaris new system calls: getentropy(2) and getrandom(2)". /dev/urandom. Oracle. Archived from the original on 2 August 2017. Retrieved 3 January 2016.
  5. "Revision r286839". svnweb.freebsd.org. FreeBSD. Retrieved 29 August 2017.
  6. "Python blocks during boot" . Retrieved 28 April 2017.
  7. "arc4random(3) OpenBSD man page". OpenBSD manual pages. OpenBSD. Retrieved 27 May 2016.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.