Wheel of Fortune: Analyzing Embedded OS Random Number Generators

Presented at 33C3 (2016), Dec. 28, 2016, 1:45 p.m. (30 minutes)

Secure random number generators play a crucial role in the wider security ecosystem. In the absence of a dedicated hardware True Random Number Generator (TRNG), computer systems have to resort to a software (cryptographically secure) Pseudo-Random Number Generator (CSPRNG). Since the (secure) design of a CSPRNG is an involved and complicated effort and since randomness is such a security-critical resource, many operating systems provide a CSPRNG as a core system service and many popular security software products assume their presence. The constraints imposed by the embedded world, however, pose a variety of unique challenges to proper OS (CS)PRNG design and implementation which have historically resulted in security failures. In this talk we will discuss these challenges, how they affect the quality of (CS)PRNGs in embedded operating systems and illustrate our arguments by means of the first public analysis of the OS random number generators of several popular embedded operating systems.

Randomness is a fundamental, security-critical resource in the wider security ecosystem utilized by everything from cryptographic software (eg. key and nonce generation) to exploit mitigations (eg. ASLR and stack canary generation). Ideally secure random number generation is done using a dedicated hardware True Random Number Generator (TRNG) collecting entropy from physical processes such as radioactive decay or shot noise. TRNGs, however, are both relatively slow in their provision of random data and often too expensive to integrate in a system which means computer systems have to resort to a software (cryptographically secure) Pseudo-Random Number Generator (CSPRNG). Such a CSPRNG is seeded (both initially and continuously) from a variety of sources of 'true' entropy which are effectively stretched into additional pseudo-random data using cryptographic methods. Since the design and implementation of such CSPRNGs is a complicated and involved effort, many operating systems provide one as a system service (eg. /dev/(u)random on UNIX-like systems) and as a result many security software suites assume their existence.

The embedded world, however, poses a variety of unique challenges (resulting from constraints and deployment scenarios, which differ significantly from the general-purpose world) when designing and implementing (CS)PRNGs. Resulting inadequacies in embedded OS random number generators have led to various security failures in the past (from weak cryptographic keys in network devices to broken exploit mitigations in smartphones) emphasizing the need for public scrutiny of their security, especially considering the nature of embedded system deployments (in everything from vehicles and critical infrastructure to networking equipment) and the sheer variety of ebmedded operating systems compared to the general-purpose world. In this talk we will discuss various challenges posed by the embedded world to (CS)PRNG design and implementation and illustrate our arguments by means of the first public analysis of the OS random number generators of several popular embedded operating systems and a discussion of how their flaws related to these previously identified challenges.

Presenters:

• Ali Abbasi
  Ali Abbasi is a Ph.D. candidate in Distributed and Embedded System Security group at the University of Twente, The Netherlands and visiting Ph.D. researcher at the Chair of Systems Security of Ruhr-University Bochum, Germany. His research interest involves embedded systems security mostly related to Industrial Control Systems, Critical Infrastructure security, and Real-Time Operating Systems security. He received his master degree in Computer Science from Tsinghua University, Beijing, China in 2013. He was working there on Programmable Logic Controller (PLC) security in Network Security Lab, Microprocessor and SoC Technology R&D center with the National 863 High-tech Program grant from Ministry of Industry and Information Technology of China. He is currently doing his research at the Chair of Systems Security of Ruhr-University Bochum regarding designing system-level protection mechanisms to battle against the sophisticated memory corruption and code-reuse attacks against PLCs and other critical real-time embedded systems. Before that Ali was working as Head of Vulnerability Analysis and Penetration Testing Group at National Computer Security Incident Response Team (CSIRT) at the Sharif University of Technology in Tehran, Iran.
• Jos Wetzels
  Jos Wetzels is a Research Assistant with the Distributed and Embedded System Security (DIES) Group at the University of Twente. He currently works on projects aimed at hardening embedded systems used in critical infrastructure (as part of the PREEMPTIVE European Union project (FP7)), where he focuses on binary security in general and exploit development and mitigations in particular, and has been involved in the AVATAR research project regarding on-the-fly detection and containment of unknown malware and Advanced Persistent Threats. He has assisted teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several years.

Links:

• https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/7949.html

Similar Presentations:

• Summercon 2014 / Exploiting Randomness: Fun Attacks Using a Compromised Random Number Generator
• 32C3 (2015) / The plain simple reality of entropy: Or how I learned to stop worrying and love urandom
• Kiwicon X: The Truth is In Here (2016) / Not So Random - Exploiting Unsafe Random Number Generator Use