Rapid depletion of entropy pool
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | linux (Ubuntu) |
Wishlist
|
Unassigned | ||
Bug Description
I was noticing that on several of my servers the available entropy has been exceedingly low for the last 6-7 months. My guess is this problem began with Ubuntu 9.10 and continues in Ubuntu 10.04. I came across some useful information here:
http://
And I confirmed that running:
watch cat /proc/sys/
will rapidly deplete the entropy pool. But running the python script:
import sys, time
while True:
sys.stdout.
time.sleep(1)
will not rapidly deplete the entropy pool. This seems to support the hypothesis that entropy is being drained with each launch of a process which has been linked to the glibc randomized stack protector. Some information about that can be found here:
http://
As many people who have run virtual servers can attest, low entropy on a server can cause a number of difficult to diagnose performance problems as processes block trying to access /dev/random. Low entropy may also lead to a reduction in security for various cryptographic services.
I'm not an expert in these matters and have limited ability to test as many of my servers are running older versions but it does appear that those older versions do not have this behavior. This could also be a kernel issue but I thought I would start here and see if others can replicate this problem and help in diagnosing the issue.
| agent 8131 (agent-8131) wrote : | #1 |
| security vulnerability: | yes → no |
| visibility: | private → public |
| Changed in glibc (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → Wishlist |
| affects: | glibc (Ubuntu) → linux (Ubuntu) |
| Changed in linux (Ubuntu): | |
| importance: | Wishlist → Undecided |
| importance: | Undecided → Wishlist |
| agent 8131 (agent-8131) wrote : | #2 |
And here, noticed on Gentoo a couple of months ago:
http://
| Kees Cook (kees) wrote : | #3 |
AT_RANDOM is used by default in the Linux kernel since 2.6.29:
Almost all modern Linux systems use ASLR and stack protections that need a small amount of entropy per process. Since urandom always remixes, it doesn't strictly run out, but the entropy drops. In theory, this isn't a problem since the state of the pool cannot be extracted, guessed, or replayed.
It would be nice to have another entropy pool in the kernel for these things, like Schneier's pRNG from the Practical Cryptography book.
| agent 8131 (agent-8131) wrote : | #4 |
"independently of ASLR, it would still be nice if the kernel provided a 'strong' but fast PRNG device that one could for example use to sanitize a harddrive at raw write speeds, something that isn't possible with /dev/urandom for example. if such a PRNG existed it could then of course be used for ASLR as well but ASLR itself can live with less (ditto for the SSP cookie by the way)."
http://
So this is really an upstream Linux kernel request or, at the outside, a request to the kernel team to include an out-of-kernel patch. If such a PRNG existed it could be used for ASLR and SSP and for "(scientific) simulations, wiping the disk, stress tests on algorithms".
The erandom device seems worthy of consideration (http://
| agent 8131 (agent-8131) wrote : | #5 |
I've come across another solution that this would be useful. In the testing of filesystems with compression enabled (zfs, btrfs). Trying to figure out raw write speeds using /dev/zero is meaningless because the data is highly compressed. Using /dev/urandom is too slow (~ 6MB/s). Based on this post from stackoverflow (http://
time openssl rand 1000000000 | head -c 1000000000 > testfile
which worked ok. But being able to use dd with erandom would be ideal for this situation.
| Christopher M. Penalver (penalvch) wrote : | #6 |
agent8131, the patch you requested ( https:/
http://
If this doesn't work out for you, please reopen, and execute the following via a terminal:
apport-collect 575669
Thank you for your understanding.
| Changed in linux (Ubuntu): | |
| status: | Confirmed → Invalid |
| Changed in linux (Ubuntu): | |
| status: | Invalid → Confirmed |
| agent 8131 (agent-8131) wrote : | #7 |
Christopher,
Can you explain how the commit you linked to resolves this issue? The commit seems to place process permissions checks on /proc/pid/stat and /proc/pid/wchan. I do not see how this affects the available entropy unless entropy is being depleted by unauthorized processes accessing those endpoints, which does not seem very likely to me. I doubt I will have time to test trusty before it is released, but once released I will test within a virtual server to see if this issue has been resolved.
| Christopher M. Penalver (penalvch) wrote : | #8 |
agent 8131, pending the test you noted you would perform in https:/
| Changed in linux (Ubuntu): | |
| status: | Confirmed → Incomplete |
| agent 8131 (agent-8131) wrote : | #9 |
Christopher,
You did not address my previous question as to why that patch would resolve this issue.
Am I correct in assuming that you are requesting that I reproduce these conditions in the unreleased 14.04? It should be noted, if not reflected in the bug status, that this is still a confirmed bug for 10.04 LTS and 12.04 LTS. Since the status of a bug may be different for different releases is it the case that the bug status on this ticket is just meant to reflect the state in the current development release? This is not made clear in any of the documentation I've read.
For people coming across this bug report who have experienced application blocking issues due to low available entropy (usually running under some sort of virtualization) one easy solution is to install the haveged package and run that daemon. Whether that provides adequate security is open for debate, but it will prevent application hangs while waiting for sufficient entropy.
| Launchpad Janitor (janitor) wrote : | #10 |
[Expired for linux (Ubuntu) because there has been no activity for 60 days.]
| Changed in linux (Ubuntu): | |
| status: | Incomplete → Expired |
| agent 8131 (agent-8131) wrote : | #11 |
This appears to no longer be a problem in Ubuntu 14.04 or at least I have not been able to replicate it in the same way. This is still a problem for 12.04 however.
| Changed in linux (Ubuntu): | |
| status: | Expired → Fix Released |
More information:
---
http://
The standard version of SSP uses /dev/urandom directly. When a whole system is
built with SSP this tends to consume all the kernel entropy. /dev/erandom is
reccomended [sic] for SSP to conserve kernel entropy.
---
http://
Frandom stands for "fast random". Erandom stands for "economical random".
They both use the arcfour algorithm
The /dev/erandom device uses the constantly changing state of frandom's pool,
in a read-only mode, for entropy. /dev/erandom consumes no entropy from
/dev/random, and is ideal for applications that want to open the device
thousands of times, such as Stack Smashing Protector.
---
So it seems that if every executable is going to use the GCC SSP feature perhaps /dev/urandom is not the best source for random numbers. It could use /dev/erandom if that device was available. And it seems it would be useful to use for random data overwrites where /dev/urandom is too slow.