From: Dan Lukes <dan@obluda.cz>
Date: Mon, 19 Jun 2006 12:11:45 +0200
To: freebsd-security@freebsd.org
Subject: Re: memory pages nulling when releasing
Message-ID: <44967861.6070509@obluda.cz>
In-Reply-To: <20060618203903.31161.qmail@web30306.mail.mud.yahoo.com>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

R. B. Riddick napsal/wrote, On 06/18/06 22:39:

>> Well, providing zeroed pages to processes is not quite similar to
>> explicit cleaning of pages after use as some security standards
>> demand.
> (aa) root access (for reading /dev/mem (or what would it be?))
> and/or
> Instead of zero'ing pages immediately after the process does not need them
> anymore, it would be much better, to keep the system safe (especially: security
> relevant software patches; and (even more) physical safety)
>
> Or maybe I missed something... :-)

Yes, you missed something, I think.

You are right: you need physical security, and you need "no root access for intruders". These are absolutely vital base measures. But "is necessary for" is not the same as "is sufficient for", nor "there is no reason to do more". No wall is unbreakable, so you may decide to build other "supporting walls".

Despite all your safety measures, someone may gain root access. When someone gains root, he has access to all memory. But even if he has access to all memory, he has no access to information that isn't within memory. Thus, keeping sensitive information within memory for a short time only MAY reduce the risk level. The intruder needs to wait for the information to appear in memory again, but that costs time. It increases the possibility that the intrusion will be detected and the intruder eliminated before they can grab any sensitive information.

I don't say we must clear all memory on free for generic safety; I say that your "zero'ing pages immediately after the process does not need them anymore" is not true in general. There are situations where zeroing may reduce the risk, so the request for it may be eligible.

---------------

To Nick: the OS doesn't zero on free. For better security of your sensitive data you need to zero the memory yourself. For inspiration I recommend looking at the CRYPT_malloc/CRYPT_free implementation in OpenSSL. Don't forget the edge situations as well (when your program can exit prematurely, you need to clean the key memory in an "atexit" handler or so). You may also need to avoid swapping of memory with sensitive data; see man mlock.

But security knows no simple measures.
You need to think carefully about your specific situation, then decide which measures are appropriate. More security measures may not produce more real security; they can have the opposite effect as well.

Dan

--
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz
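An added example, not from the post and not OpenSSL's code, of the three measures Dan lists for Nick: an explicit wipe that the compiler cannot discard as a dead store, mlock() to keep the pages out of swap, and an atexit() handler so a premature exit still wipes the key. The names secure_buf_t, secure_wipe, secure_buf_alloc, secure_buf_free and load_key are chosen here, and the key bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

typedef struct {
    unsigned char *data;
    size_t len;
    int locked;   /* 1 if mlock() succeeded, 0 if it was refused */
} secure_buf_t;

/* Zero through a volatile pointer so the compiler cannot drop the stores as
 * dead code, the usual pitfall with a plain memset() right before free(). */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

secure_buf_t *secure_buf_alloc(size_t len)
{
    secure_buf_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    if (!(b->data = calloc(1, len))) { free(b); return NULL; }
    b->len = len;
    /* mlock() keeps the pages out of swap; it may be refused (RLIMIT_MEMLOCK,
     * missing privilege), so record the outcome instead of aborting. */
    b->locked = (mlock(b->data, len) == 0);
    return b;
}

/* Wipe, then unlock, then release: the kernel does not zero on free. */
void secure_buf_free(secure_buf_t *b)
{
    if (!b) return;
    secure_wipe(b->data, b->len);
    if (b->locked) munlock(b->data, b->len);
    free(b->data);
    free(b);
}

/* atexit() handler so a premature exit() still wipes the key; a single
 * global keeps the example short, a real program would track every buffer. */
static secure_buf_t *g_key;
static void wipe_key_at_exit(void) { secure_buf_free(g_key); g_key = NULL; }

secure_buf_t *load_key(void)
{
    g_key = secure_buf_alloc(32);
    if (!g_key) return NULL;
    atexit(wipe_key_at_exit);
    memcpy(g_key->data, "constructed-32-byte-key-material", 32); /* constructed */
    return g_key;
}
```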