Ask HN: Blocking os.urandom calls in Python >= 3.6
2 points by jbaviat 3 months ago | 4 comments
In Python 3.6 os.urandom went blocking [1]. As an attacker, how would you destroy the system's entropy to make these calls block (and thus make Python block)? E.g. uuid.uuid4 is now blocking [2].

[1] https://www.python.org/dev/peps/pep-0524/

[2] https://github.com/python/cpython/blob/8b9c33ea9ce902f902c9d9900121010801950547/Lib/uuid.py#L759

What do you mean by "destroy the system's entropy"/what attack scenario do you see?

Let's assume I'm using Python 3.6. All my calls to os.urandom (such as uuid.uuid4) can block if my system's entropy goes down. Let's assume that, as an attacker, I can reduce the system's entropy to the point that all calls to e.g. uuid.uuid4 block, potentially making my Python block every time.

IIUC, os.urandom(16) reads the urandom pool using getrandom() without flags. It will only block, if at all, during a short period after boot until the urandom pool is initialized. Thereafter reading from the urandom pool will never block as there's no way to drain it.

No, entropy can't "go down" and cause os.urandom to suddenly start blocking. Once it has returned a value, it will never block.
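
The two replies above (os.urandom() calls getrandom() without flags, so it blocks only until the kernel pool is initialized after boot, and reading lots of data afterwards cannot make it block) can be checked directly. The following is an added example, not code from the thread or from CPython: it probes with os.getrandom(1, os.GRND_NONBLOCK), which raises BlockingIOError (EAGAIN) only while the pool is still uninitialized, then reads 64 MiB from os.urandom as a "drain" attempt and times a uuid.uuid4() afterwards. The /proc/sys/kernel/random/entropy_avail path is Linux-specific and is shown only for comparison; the 64 MiB drain size is an arbitrary choice.

```python
"""Added example (not from the HN thread): show that os.urandom() can only
block before the kernel pool is initialized, and that reading a lot of data
from it later does not make subsequent calls block."""
import os
import time
import uuid

# Linux-only file; newer kernels report a constant value here.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def urandom_pool_initialized() -> bool:
    """True if os.urandom() would return immediately right now.

    On Linux with Python >= 3.6, os.getrandom(n, os.GRND_NONBLOCK) raises
    BlockingIOError (EAGAIN) only while the kernel CRNG is still seeding
    after boot, which is the single window in which os.urandom() blocks.
    Platforms without os.getrandom are assumed (here) to be ready.
    """
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return True
    try:
        getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:
        return False
    return True


def read_entropy_avail():
    """Kernel entropy estimate, or None where the file does not exist.

    This number dropping does not make os.urandom() block; it is shown only
    so the reader can compare it before and after the drain attempt.
    """
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def drain_and_time(total_bytes: int = 64 * 1024 * 1024,
                   chunk: int = 1 << 20) -> dict:
    """Read total_bytes from os.urandom (what an attacker trying to "use up"
    the pool would do), then time one uuid.uuid4() call afterwards."""
    before = read_entropy_avail()
    remaining = total_bytes
    while remaining > 0:
        n = min(chunk, remaining)
        remaining -= len(os.urandom(n))   # os.urandom always returns n bytes
    after = read_entropy_avail()

    t0 = time.perf_counter()
    u = uuid.uuid4()                      # calls os.urandom(16) internally
    elapsed = time.perf_counter() - t0

    return {
        "entropy_before": before,
        "entropy_after": after,
        "uuid_version": u.version,
        "uuid4_seconds": elapsed,
    }


if __name__ == "__main__":
    print("urandom pool initialized:", urandom_pool_initialized())
    print(drain_and_time())
```

On any system that has been up for more than a few seconds, urandom_pool_initialized() returns True and the uuid4() call after the drain completes in microseconds regardless of what entropy_avail reports; the only way to observe a block is to call os.urandom() in early boot (an initramfs script, a container started before the host has finished seeding), which is the window PEP 524 is about.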
