From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/2704 Path: news.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Re: [PATCH] Add support for mkostemp, mkstemps and mkostemps Date: Wed, 30 Jan 2013 14:22:33 -0500 Message-ID: <20130130192233.GP20323@brightrain.aerifal.cx> References: <1359349583-3643-1-git-send-email-basile@opensource.dyc.edu> <20130128093755.GI10600@port70.net> <5108583B.4080002@opensource.dyc.edu> <20130130072108.GN20323@brightrain.aerifal.cx> <5108D2F7.3050207@qomboo.com> <20130130134537.GF6181@port70.net> <20130130165127.GO20323@brightrain.aerifal.cx> <20130130191257.GH6181@port70.net> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1359573764 26290 80.91.229.3 (30 Jan 2013 19:22:44 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Wed, 30 Jan 2013 19:22:44 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-2705-gllmg-musl=m.gmane.org@lists.openwall.com Wed Jan 30 20:23:04 2013 Return-path: Envelope-to: gllmg-musl@plane.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1U0dFQ-0005eX-Cp for gllmg-musl@plane.gmane.org; Wed, 30 Jan 2013 20:23:04 +0100 Original-Received: (qmail 15472 invoked by uid 550); 30 Jan 2013 19:22:46 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 15449 invoked from network); 30 Jan 2013 19:22:45 -0000 Content-Disposition: inline In-Reply-To: <20130130191257.GH6181@port70.net> User-Agent: Mutt/1.5.21 (2010-09-15) Xref: news.gmane.org gmane.linux.lib.musl.general:2704 Archived-At: On Wed, Jan 30, 2013 at 08:12:58PM +0100, Szabolcs Nagy wrote: > * Rich Felker [2013-01-30 11:51:27 -0500]: > > current time. Better use of the stack address in generating the > > filenames could prevent knowing the set of output filenames for a > > range of times without knowing the stack address in the program being > > attacked. In fact, I'm a little bit worried that the current approach > > discloses too much information about the stack address to an attacker. > > If nothing else, I think some shuffling should be done so that the > > (typically more valuable) high bits of the stack address are matched > > with the low (least predictable) bits of the clock. > > void __randname(char *p) > { > struct timespec ts; > unsigned long r; > int i; > > clock_gettime(CLOCK_REALTIME, &ts); > r = ts.tv_nsec*65537 ^ (uintptr_t)&ts / 16 + (uintptr_t)p; > for (i=0; i<6; i++, r>>=5) > p[i] = 'A'+(r&15)+(r&16)*2; > } > > this uses 30bits of r and mixes the random low bits of nsec > into the high bits Keep in mind it might be bits 8-15 that are most valuable with ASLR (assuming the randomization only adjusts by small amounts and not so much to waste lots of address space). I think this needs a little bit more consideration. > > > more significant improvement can be done by larger > > > set of names and better entropy source > > > > Other implementations probably use 36 bits or slightly less (base64 > > perhaps modified base64). > > > > I could see it being feasible to increase this slightly and maybe even > > <= 36bits is probably ok You mean >=36? Or..? Rich