
Ask HN: Blocking os.urandom calls in Python >= 3.6 - jbaviat
In Python 3.6 os.urandom went blocking [1]. As an attacker, how would you destroy the system's entropy to make these calls block (and thus make Python block)? E.g. uuid.uuid4 is now blocking [2].

[1] https://www.python.org/dev/peps/pep-0524/

[2] https://github.com/python/cpython/blob/8b9c33ea9ce902f902c9d9900121010801950547/Lib/uuid.py#L759
======
detaro
What do you mean by "destroy the system's entropy"/what attack scenario do you
see?

~~~
jbaviat
Let's assume I'm using Python 3.6. All my calls to os.urandom (such as
uuid.uuid4) can block if my system's entropy goes down. Let's assume, as an
attacker, I can reduce the system's entropy up to making all calls to e.g.
uuid.uuid4 block, potentially making my Python block every time.

~~~
wahern
IIUC, os.urandom(16) reads the urandom pool using getrandom() without flags.
It will only block, if at all, during a short period after boot until the
urandom pool is initialized. Thereafter reading from the urandom pool will
never block as there's no way to drain it.
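The behaviour wahern describes (getrandom() without flags blocks only until the urandom pool is initialized, and the pool cannot be drained afterwards) can be checked from Python instead of taken on faith. The following is an added example, not code from the thread or from CPython: it probes the pool with os.getrandom(..., os.GRND_NONBLOCK), which fails with EAGAIN (BlockingIOError in Python) exactly while the pool is uninitialized, and builds a uuid4 variant that raises a clear error rather than blocking during that early-boot window. The names EntropyNotReady, pool_ready, nonblocking_urandom and uuid4_nonblocking are this example's own; os.getrandom, os.GRND_NONBLOCK and the EAGAIN semantics are real (Linux, Python 3.6+). On platforms without os.getrandom the example assumes os.urandom is the platform's non-blocking CSPRNG.

```python
import os
import uuid


class EntropyNotReady(RuntimeError):
    """Raised instead of blocking while the kernel urandom pool is uninitialized."""


def pool_ready() -> bool:
    """Probe the kernel pool without blocking.

    getrandom(GRND_NONBLOCK) fails with EAGAIN only while the urandom pool
    has not yet been seeded (a short window after boot). Once seeded it never
    fails this way again, which is why userspace cannot "drain" it.
    """
    if not hasattr(os, "getrandom"):  # non-Linux: assume os.urandom never blocks
        return True
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:  # errno EAGAIN: pool not initialized yet
        return False
    return True


def nonblocking_urandom(n: int) -> bytes:
    """Return n random bytes, raising EntropyNotReady instead of blocking."""
    if not hasattr(os, "getrandom"):
        return os.urandom(n)
    out = bytearray()
    while len(out) < n:
        try:
            # getrandom may legitimately return fewer bytes than requested
            # for large reads, so loop until the buffer is full.
            out += os.getrandom(n - len(out), os.GRND_NONBLOCK)
        except BlockingIOError as exc:
            raise EntropyNotReady("urandom pool not initialized yet") from exc
    return bytes(out)


def uuid4_nonblocking() -> uuid.UUID:
    """uuid.uuid4() equivalent that fails fast instead of blocking at early boot.

    uuid.uuid4() is os.urandom(16) with the version/variant bits set, so the
    same 16 bytes from nonblocking_urandom give an equivalent UUID.
    """
    return uuid.UUID(bytes=nonblocking_urandom(16), version=4)


if __name__ == "__main__":
    print("pool ready:", pool_ready())
    print("uuid4:", uuid4_nonblocking())
    # Reading a large amount does not change readiness: the pool cannot be drained.
    nonblocking_urandom(1 << 20)
    print("pool still ready after 1 MiB read:", pool_ready())
```

On any system that has been up for more than a few seconds, pool_ready() stays True before and after the 1 MiB read, which is the practical demonstration of "there's no way to drain it". Code that must run during early boot (initramfs hooks, first-boot key generation) is where the EntropyNotReady path matters; everywhere else, plain os.urandom / uuid.uuid4 is the right call.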

