Entropy-supplying system calls

Entropy-supplying system calls are system calls in Unix-like operating system kernels through which processes can obtain entropic or random data. The first of these was getentropy, introduced to the OpenBSD operating system in release 5.6 (November 2014), as a refactoring of the sysctl(3) KERN_ARND approach used since 1997.[1] Linux offers a very similar system call, getrandom, which was based on getentropy.[2] It was first available in Linux 3.17, released in October 2014.[3] In July 2015, Solaris introduced slightly modified versions of getentropy and getrandom.[4] In August 2015, FreeBSD introduced the read_random system call for obtaining random data from the kernel.[5]

These system calls allow processes to access quality random data without opening and reading from randomness pseudo-devices.

Microsoft Windows' CryptGenRandom and Apple iOS's SecRandom API are very similar. However, they are not implemented as system calls.

Motivation

edit

Traditionally, Unix-like operating systems supply random data through two pseudo-devices: /dev/random and /dev/urandom. However, safely and reliably reading random data from these devices can be difficult and complicated. For example, an attacker could interfere with a process's access to the pseudo-devices by opening all available file descriptors, or through a similar form of resource exhaustion attack. The use of these devices also interferes with privilege revocation. Unprivileged processes are often denied the ability to open and read files and devices, and the randomness devices are not even visible to chrooted processes.

The difficulty of using randomness pseudo-devices often leads developers to use standard library functions instead. Some of these, such as the C programming language's rand(), POSIX's random(), and drand48(), are very unsafe when used for cryptography or similar applications, because these algorithms are actually deterministic, having been intentionally crippled to satisfy seed-reuse requirements through the interfaces srand(), srandom(), and srand48().

A significant difference exists between these calls: getentropy() guarantees that random numbers will be returned immediately, without any blocking. It requires operating support which guarantees random data stream initialization at the earliest opportunity. To encourage other operating systems follow this model, getentropy() cannot indicate errors to the application. Other calls described here may return errors instead, or block indeterminately. Such blocking semantics have been implicated in significant problems.[6]

As security becomes a more widespread priority in software development, quality randomness is used more often and in more contexts. Because of this, providing quality randomness is increasingly considered a core responsibility of the kernel. System calls are the traditional interface through which a process uses core kernel services, and kernels are therefore supporting accessing randomness through system calls.

Usage

edit

Because it is faster and adds another layer of entropy mixing, it is usually suggested that processes use these syscalls' data through a userspace cryptographically secure pseudorandom number generator (CSPRNG) rather than assigning the retrieved data directly to variables. For this purpose, OpenBSD's C standard library includes the function arc4random, which programs are expected to call when they need random data.[1] Like getentropy, arc4random also may not block nor return an error.

This approach allows a program to fetch less entropy from the kernel without reducing the strength of its random data. The getentropy system call is designed based on this assumption, supplying no more than 256 bytes per call.[1][7]

See also

edit

References

edit
  1. ^ a b c "getentropy(2) OpenBSD man page". OpenBSD manual pages. OpenBSD. Retrieved 27 May 2016.
  2. ^ "[PATCH, RFC] random: introduce getrandom(2) system call". LKML. 17 July 2014. Retrieved 30 December 2015.
  3. ^ "Linux 3.17". Linux Kernel Newbies. Retrieved 30 December 2015.
  4. ^ Darren, Moffat. "Solaris new system calls: getentropy(2) and getrandom(2)". /dev/urandom. Oracle. Archived from the original on 2 August 2017. Retrieved 3 January 2016.
  5. ^ "Revision r286839". svnweb.freebsd.org. FreeBSD. Retrieved 29 August 2017.
  6. ^ "Python blocks during boot". Retrieved 28 April 2017.
  7. ^ "arc4random(3) OpenBSD man page". OpenBSD manual pages. OpenBSD. Retrieved 27 May 2016.
edit