Welcome to the Entropics: Boot-Time Entropy in Embedded Devices

Abstract: We present three techniques for extracting entropy during boot on embedded devices. Our first technique times the execution of code blocks early in the Linux kernel boot process. It is simple to implement and has a negligible runtime overhead, but, on many of the devices we test, gathers hundreds of bits of entropy. Our second and third techniques, which run in the bootloader, use hardware features-DRAM decay behavior and PLL locking latency, respectively-and are therefore less portable and less generally appl… Show more

“…Of course, one cannot hope to fully characterize software entropy sources in complex, modern systems, and instead we will use empirical estimates as also done by prior RNG analyses [9,23]. When estimating complexity of attacking an RNG, we will be conservative whenever possible (letting the adversary know more than realism would dictate).…”

“…We also include one special mechanism for quickly initializing (or refreshing) the entropy of Whirlwind, which is needed to prevent a boot-time entropy hole (like the ones in the legacy RNG, see Section IV) and to recover from a VM reset. For boot time, we would have liked to use the recent suggestion of Mowery et al [23] to quickly generate entropy in the initial stages of boot via timing of functions in the kernel init function. Unfortunately, this is not fast enough for us, since we observe reads to the RNG early in init.…”

“…We have not yet evaluated Whirlwind's entropy accumulation on low-end systems, such as embedded systems [12,23]. In particular, here the cycle timing loop may provide less uncertainty because embedded system CPUs themselves have less non-determinism.…”

“…It directly addresses the newly uncovered deficiencies, as well as other long-known problems with the Linux RNG. Here we are motivated by, and build off of, a long line of prior work: pointing out the troubling complexity of the /dev/random and /dev/urandom RNG system [6,11,18]; showing theoretical weaknesses in the entropy accumulation process [6]; designing multipool RNGs without explicit entropy counters [13,21]; and showcasing the utility of instruction and operation timing to quickly build entropy [1, 23,24].…”

“…We do caution that more analysis will be needed before widespread deployment, since the Linux RNGs must work in diverse environments. For example, future analysis will include low-end embedded systems, another problematic setting [11,12,23]. Towards this, we are in the process of making Whirlwind ready for public, open-source release.…”

Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG

“…Of course, one cannot hope to fully characterize software entropy sources in complex, modern systems, and instead we will use empirical estimates as also done by prior RNG analyses [9,23]. When estimating complexity of attacking an RNG, we will be conservative whenever possible (letting the adversary know more than realism would dictate).…”

“…We also include one special mechanism for quickly initializing (or refreshing) the entropy of Whirlwind, which is needed to prevent a boot-time entropy hole (like the ones in the legacy RNG, see Section IV) and to recover from a VM reset. For boot time, we would have liked to use the recent suggestion of Mowery et al [23] to quickly generate entropy in the initial stages of boot via timing of functions in the kernel init function. Unfortunately, this is not fast enough for us, since we observe reads to the RNG early in init.…”

“…We have not yet evaluated Whirlwind's entropy accumulation on low-end systems, such as embedded systems [12,23]. In particular, here the cycle timing loop may provide less uncertainty because embedded system CPUs themselves have less non-determinism.…”

“…It directly addresses the newly uncovered deficiencies, as well as other long-known problems with the Linux RNG. Here we are motivated by, and build off of, a long line of prior work: pointing out the troubling complexity of the /dev/random and /dev/urandom RNG system [6,11,18]; showing theoretical weaknesses in the entropy accumulation process [6]; designing multipool RNGs without explicit entropy counters [13,21]; and showcasing the utility of instruction and operation timing to quickly build entropy [1, 23,24].…”

“…We do caution that more analysis will be needed before widespread deployment, since the Linux RNGs must work in diverse environments. For example, future analysis will include low-end embedded systems, another problematic setting [11,12,23]. Towards this, we are in the process of making Whirlwind ready for public, open-source release.…”

Not-So-Random Numbers in Virtualized Linux and the Whirlwind RNG

A Formal Treatment of Backdoored Pseudorandom Generators

The OpenWRT’s Random Number Generator Designed Like /dev/urandom and Its Vulnerability