I gave two presentations today at the OpenStack Design Summit in sunny San Diego, CA, as we prepare for the Grizzly development cycle.
In this presentation, I spent about 40 minutes discussing several research papers from the last 6 years showing the problems with entropy and randomness in cloud computing. Namely:
- The Analysis of the Linux Random Number Generator (2006)
- The iSEC Partners Presentation at BlackHat (2009)
- Minding your P's and Q's (2012)
There are two pieces of the entropy problem in OpenStack and cloud computing that I'm interested in helping improve:
- Better initial seeds for the pseudo random number generator at instance initialization
  - The hypervisor could provide a random seed through a block device to the guest
  - The hypervisor could expose a urandom device through the metadata service
    - Actually, I'm sitting next to Scott Moser right now, who attended my talk earlier today, and merely hours after my talk he has already hacked this into the OpenStack metadata service :-) His merge proposal is here. This is why I love open source software...
- Better ongoing entropy gathering throughout the lifetime of the instance.
  - There's lots more to say about this one... I'll have another post on this soon!
  - Eventually, a new wave of cloud servers with modern CPUs will have Intel's DRNG feature and leverage the new rdrand instruction
    - Unfortunately, we're probably a little ways off from that being widely available
    - Colin King has benchmarked it -- really impressive performance!
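To make the metadata-service idea above concrete from the guest's side, here is an added example (mine, not code from the post or from Scott Moser's merge proposal) that pulls a seed out of a metadata document and mixes it into the Linux kernel pool. The `random_seed` field name, the sample document, and the choice of JSON are assumptions; the seed bytes are constructed, not real.

```python
import base64
import fcntl
import json
import struct

# Constructed sample standing in for what the metadata service might return.
# The "random_seed" field name is an assumption, not something the post specifies.
SAMPLE_META = json.dumps({"uuid": "00000000-0000-0000-0000-000000000000",
                          "random_seed": base64.b64encode(bytes(range(64))).decode()})
RNDADDENTROPY = 0x40085203  # _IOW('R', 0x03, int[2]) on Linux


def parse_seed(meta_json: str, min_len: int = 32) -> bytes:
    """Extract and sanity-check the seed the hypervisor handed to the guest.

    Raises ValueError for a missing, short or degenerate seed: a seed made of a
    handful of repeated byte values is a sign the provider side is broken.
    """
    field = json.loads(meta_json).get("random_seed")
    if not field:
        raise ValueError("metadata carries no random_seed")
    seed = base64.b64decode(field, validate=True)
    if len(seed) < min_len:
        raise ValueError(f"seed too short: {len(seed)} < {min_len} bytes")
    if len(set(seed)) < 16:  # crude heuristic, not a statistical test
        raise ValueError("seed looks degenerate")
    return seed


def rand_pool_info(seed: bytes, credit_bits: int) -> bytes:
    """Pack struct rand_pool_info {int entropy_count; int buf_size; __u32 buf[];}.

    credit_bits is clamped so we never claim more entropy than bytes supplied.
    """
    credit_bits = max(0, min(credit_bits, 8 * len(seed)))
    return struct.pack("ii", credit_bits, len(seed)) + seed


def mix_into_kernel(seed: bytes, credit: bool = False) -> int:
    """Feed the seed to the kernel. Returns the number of entropy bits credited.

    Writing /dev/urandom mixes the bytes in without raising the entropy estimate,
    which is the safe choice for a seed of unknown quality and needs no privilege.
    RNDADDENTROPY on /dev/random also credits entropy (root only); use it only
    when the hypervisor's seed source is actually trusted.
    """
    if not credit:
        with open("/dev/urandom", "wb") as fd:
            fd.write(seed)
        return 0
    with open("/dev/random", "wb") as fd:
        fcntl.ioctl(fd, RNDADDENTROPY, rand_pool_info(seed, 8 * len(seed)))
    return 8 * len(seed)
```

Run as root with `credit=True` only after the seed source has been vetted; otherwise the uncredited write is enough to improve the guest's early-boot state.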