Much ado about randomness. What is really a random number?

Much Ado About Randomness Aleksandr Yampolskiy, Ph.D.

Randomness Random number generation is easy to get wrong.

In Theory ,[object Object],[object Object],[object Object],[object Object],[object Object]

In Practice ,[object Object],[object Object],[object Object],[object Object],[object Object]

Example #1 ,[object Object],[object Object],[object Object],X Windows “magic cookie” used a weak LCG generator and was guessable in X11R6.

Example #2 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Jetty 4.2.26 used java.util.Random to generate predictable session ID which could be brute-forced.

Example #3 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],bad! In 1996, two UC Berkeley students reverse exploit Netscape 1.1

Lessons Learnt ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Two Types of Randomness ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

What is (Pseudo)-Random? PRG random seed pseudorandom string ,[object Object],[object Object],01010111001… 1001

What is (Pseudo)-Random? (cont.) PRG random seed pseudorandom string random string look indistinguishable to any efficient observer Definition [Blum-Micali-Yao]: PRG is a polytime function whose output is indistinguishable from random by any efficient observer 01010111001… 11010011010… 1001

Attacking Weak PRGs Find programs with weak PRG Break-in Guess the initial seed of a PRG Guess the state of a PRG

Finding programs with weak PRG ,[object Object],[object Object],[object Object],[object Object],[object Object]

Finding programs with weak PRG (cont.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Know Weak API ,[object Object],[object Object]

Reverse Engineering The Binaries ,[object Object],root# javap -c BadRandom | grep Random Compiled from "BadRandom.java" public class BadRandom extends java.lang.Object{ public BadRandom(); 0: new #2; //class java/util/Random 4: invokespecial #3; //Method java/util/Random."<init>":()V 24: invokevirtual #9; //Method java/util/Random.nextInt:()I

Reverse Engineering the Binaries ,[object Object],[object Object],root# strings bad_random __gmon_start libc.so.6 _IO_stdin_used srand time printf … root# nm bad_random | grep rand U rand@@GLIBC_2.0 U srand@@GLIBC_2.0

Analyzing the Output Without Binaries ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

java.util.Random Random" points plotted on acube using the infamousRANDU algorithm. ,[object Object],[object Object]

java.security. SecureRandom class SpinStop extends Throwable { SpinStop() {} } class SpinSlave extends Thread { long millis; Thread parent; SpinSlave(long millis, Thread parent) { this.millis= millis; this.parent= parent; } public void run() { try { Thread.sleep(millis); parent.stop(new SpinStop()); stop(); } catch (InterruptedException ex) { parent.stop(ex); } } } class SpinMaster extends Thread { long millis; long counter; SpinMaster(long millis) { this.millis= millis; this.counter= 0; } public void run() { try { Thread t= new SpinSlave(millis, this); t.start(); while (true) { counter ++; Thread.yield(); } } catch (SpinStop s) { } } } public class Spinner { public static long spin(long millis) throws InterruptedException { SpinMaster t= new SpinMaster(millis); t.start(); t.join(); return t.counter; } } SHA1PRNG + Thread Scheduling

Entropy of java.util.Random ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Is java.security.SecureRandom that much worse than java.util.Random? ,[object Object],[object Object],[object Object],[object Object],[object Object]

Hacking Java bytecode to use SecureRandom ,[object Object],[object Object],[object Object],public class ChangeMethodCallAdapter extends MethodAdapter { @Override public void visitMethodInsn(int opcode, String owner, String name, String desc) { System.out.println("ChangeMethodCallAdapter(): opcode=" + opcode + ",owner=" + owner + ",name=" + name + ",desc=" + desc); if ("java/util/Random".equals(owner)) { mv.visitMethodInsn(opcode, "java/security/SecureRandom", name, desc); } else { mv.visitMethodInsn(opcode, owner, name, desc); } } gilt-ml-ayampolskiy:ClassTransformer ayampolskiy$ javap -c API | grep Random 8: new #5; //class java/util/Random 12: invokespecial #6; //Method java/util/Random."<init>":()V 27: invokevirtual #7; //Method java/util/Random.nextInt:(I)I gilt-ml-ayampolskiy:new ayampolskiy$ javap -c API | grep Random 8: new #28; //class java/util/Random 12: invokespecial #31; //Method java/security/SecureRandom."<init>":()V 27: invokevirtual #35; //Method java/security/SecureRandom.nextInt:(I )I

Google Hacking ,[object Object],[object Object],[object Object],[object Object]

Testing Randomness of Client Programs ,[object Object],[object Object]

“ We could not arrest or charge this suspect because technically, no offence was being committed as there was no legislation in place to say that the act being committed was criminal. So, we had to let him go,” said Sergeant Jemesa Lave of the Fiji Police Cyber Crime Unit.

Amazon.com experiment ,[object Object]

Testing Randomness of Web-Based Programs ,[object Object],[object Object]

WebScarab – Predictable Cookies Entropy is a measure of uncertainty regarding a discrete random variable. For many purposes, the Shannon entropy is the only measure needed. Shannon entropy is defined byShannon (4.1) has the unit bits. Not amazon.com

BurpSuite – amazon.com Typical amazon.com session-id 18 0-3029497-6907862

Conclusion ,[object Object],[object Object],[object Object],[object Object]

References ,[object Object],[object Object]

Much ado about randomness. What is really a random number?

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Much ado about randomness. What is really a random number?

Semelhante a Much ado about randomness. What is really a random number? (20)

Mais de Aleksandr Yampolskiy

Mais de Aleksandr Yampolskiy (19)

Último

Último (20)

Much ado about randomness. What is really a random number?

Notas do Editor