Date: Mon, 19 Jun 2006 12:11:45 +0200
From: Dan Lukes <dan@obluda.cz>
To: freebsd-security@freebsd.org
Subject: Re: memory pages nulling when releasing
Message-ID: <44967861.6070509@obluda.cz>
In-Reply-To: <20060618203903.31161.qmail@web30306.mail.mud.yahoo.com>
References: <20060618203903.31161.qmail@web30306.mail.mud.yahoo.com>
R. B. Riddick wrote, On 06/18/06 22:39:
>> Well, providing zeroed pages to processes is not quite similar to
>> explicit cleaning of pages after use as some security standards
>> demand.
> (aa) root access (for reading /dev/mem (or what would it be?))
> and/or
> Instead of zero'ing pages immediately after the process does not need them
> anymore, it would be much better, to keep the system safe (especially: security
> relevant software patches; and (even more) physical safety)
>
> Or maybe I missed something... :-)

Yes, you missed something, I think. You are right - you need physical security, you need "no root access for intruders". Those are absolutely vital base measures. But "is necessary for" is not the same as "is sufficient for", nor "there is no reason to do more". No wall is unbreakable, so you may decide to build other "supporting walls".

Despite all your safety measures, someone may gain root access. When someone gains root, he has access to all memory. But even if he has access to all memory, he has no access to information that isn't in memory. Thus, keeping sensitive information in memory for a short time only MAY reduce the risk level. The intruder needs to wait for the information to appear in memory again - but it costs time. It increases the possibility that the intrusion will be detected and the intruder eliminated before he can grab any sensitive information.

I don't say we must clear all memory on free for generic safety - I say that your "zero'ing pages immediately after the process does not need them anymore" is not true in general. There are situations where zeroing may reduce the risk, so the request for it may be eligible.

---------------

To Nick: the OS doesn't zero on free. For better security of your sensitive data you need to zero the memory yourself. For inspiration I recommend looking at the CRYPTO_malloc/CRYPTO_free implementation in OpenSSL.

Don't forget the edge cases also (when your program can exit prematurely, you need to clean the key memory in an "atexit" handler or so). You may need to avoid swapping of memory with sensitive data also - see man mlock.

But security knows no simple measures. You need to think carefully about your specific situation, then decide what measures are appropriate. More security measures may not mean more real security - they can have the opposite effect also.

Dan

--
Dan Lukes
SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz
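The three measures Dan lists for Nick (zero sensitive memory yourself rather than relying on the OS, wipe it in an atexit handler in case of premature exit, and keep it out of swap with mlock) put together as one small C program. This is an added example, not code from the thread and not OpenSSL's CRYPTO_malloc/CRYPTO_free; the names secure_alloc, secure_free, secure_wipe, all_zero, secure_live_count and secure_roundtrip_demo are chosen for this example, and the key material is a constructed string. mlock(2) is treated as best effort because an unprivileged process may be refused by RLIMIT_MEMLOCK; the wipe goes through a volatile pointer so the compiler cannot discard the stores as dead when free() follows immediately.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define MAX_TRACKED 32

struct secure_buf {
    unsigned char *data;
    size_t len;
    int locked;   /* 1 if mlock() succeeded, 0 if it was refused (best effort) */
};

/* Live buffers, so the atexit() handler can wipe them on a premature exit. */
static struct secure_buf *tracked[MAX_TRACKED];
static int exit_hook_installed = 0;

/* Overwrite through a volatile pointer: the stores cannot be elided as dead
 * just because the memory is freed right afterwards. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of p[0..n) is zero. */
int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Edge case from the post: wipe whatever is still live when the process exits. */
static void wipe_all_at_exit(void)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] != NULL)
            secure_wipe(tracked[i]->data, tracked[i]->len);
}

struct secure_buf *secure_alloc(size_t len)
{
    size_t slot;
    for (slot = 0; slot < MAX_TRACKED && tracked[slot] != NULL; slot++)
        ;
    if (slot == MAX_TRACKED || len == 0)
        return NULL;
    struct secure_buf *b = malloc(sizeof *b);
    if (b == NULL)
        return NULL;
    b->data = calloc(1, len);          /* never inherit old contents */
    if (b->data == NULL) { free(b); return NULL; }
    b->len = len;
    b->locked = (mlock(b->data, len) == 0);   /* keep it out of swap if allowed */
    if (!exit_hook_installed) {
        atexit(wipe_all_at_exit);
        exit_hook_installed = 1;
    }
    tracked[slot] = b;
    return b;
}

void secure_free(struct secure_buf *b)
{
    if (b == NULL)
        return;
    secure_wipe(b->data, b->len);      /* zero before the pages go back to the allocator */
    if (b->locked)
        munlock(b->data, b->len);
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == b) { tracked[i] = NULL; break; }
    free(b->data);
    free(b);
}

size_t secure_live_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_TRACKED; i++)
        n += (tracked[i] != NULL);
    return n;
}

/* Round trip: load a constructed key, use it, wipe it as soon as it is no
 * longer needed (not only at free time), then release the buffer.  Returns 1 on success. */
int secure_roundtrip_demo(void)
{
    static const unsigned char fake_key[16] = "constructed-key";   /* constructed sample */
    struct secure_buf *b = secure_alloc(sizeof fake_key);
    if (b == NULL || !all_zero(b->data, b->len)) { secure_free(b); return 0; }
    memcpy(b->data, fake_key, sizeof fake_key);
    int was_live = !all_zero(b->data, b->len);
    secure_wipe(b->data, b->len);
    int wiped = all_zero(b->data, b->len);
    secure_free(b);
    return was_live && wiped && secure_live_count() == 0;
}

int main(void)
{
    printf("roundtrip %s\n", secure_roundtrip_demo() ? "ok" : "FAILED");
    return 0;
}
```

The buffer table is deliberately small and fixed so the exit handler needs no allocation of its own; a real program would also wipe stack copies of the key and any temporaries the crypto library makes, which is where a library-level allocator like the OpenSSL one Dan points to comes in.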