memory pages nulling when releasing
Dan Lukes
dan at obluda.cz
Mon Jun 19 10:12:05 UTC 2006
R. B. Riddick wrote, On 06/18/06 22:39:
>> Well, providing zeroed pages to processes is not quite similar to
>> explicit cleaning of pages after use as some security standards
>> demand.
> (aa) root access (for reading /dev/mem (or what would it be?))
> and/or
> Instead of zeroing pages immediately after the process does not need them
> anymore, it would be much better to keep the system safe (especially: security
> relevant software patches; and (even more) physical safety)
>
> Or maybe I missed something... :-)
Yes, I think you missed something. You are right: you need physical security,
and you need "no root access for intruders". Those are absolutely vital base
measures. But "is necessary for" is not the same as "is sufficient for",
nor "there is no reason to do more". No wall is unbreakable, so you may
decide to build other "supporting walls".
Despite all your safety measures, someone may gain root access. When
someone gains root, he has access to all memory. But even if he has
access to all memory, he has no access to information that isn't in
memory. Thus, keeping sensitive information in memory for a short
time only MAY reduce the risk level. The intruder needs to wait for the
information to appear in memory again, but that costs time. It increases
the possibility that the intrusion will be detected and the intruder eliminated
before he can grab any sensitive information.
I don't say we must clear all memory on free for generic safety; I
say that your "zeroing pages immediately after the process does not
need them anymore" is not true in general. There are situations where
zeroing may reduce the risk, so the request for it may be legitimate.
---------------
To Nick: the OS doesn't zero on free. For better security of your sensitive
data you need to zero the memory yourself. For inspiration I recommend
looking at the CRYPT_malloc/CRYPT_free implementation in OpenSSL. Don't forget
the edge situations as well (when your program can exit prematurely, you
need to clean the key memory in an "atexit" handler or so). You may also need to
avoid swapping of memory that holds sensitive data; see man mlock.
But security knows no simple measures. You need to think carefully about
your specific situation and then decide what measures are appropriate. More
security measures may not give more real security; they can have the
opposite effect as well.
Dan
--
Dan Lukes SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at kolej.mff.cuni.cz
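The three measures the post recommends to Nick, as an added example that is not part of the original message and is not OpenSSL's code: a small C "secure heap" that mlock()s each block so the pages stay out of swap, zeroes the block on free through a volatile pointer so the compiler cannot discard the store as dead, and registers an atexit() handler that wipes every block still live if the program exits prematurely. The registry size, the function names and the 0xA5/0x5A stand-in key bytes are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>   /* mlock()/munlock(), POSIX */

/*
 * Demo-only secure heap (assumed design, not OpenSSL's implementation):
 *  - secure_malloc()   allocates, mlock()s (best effort) and registers the block
 *  - secure_free()     wipes the block before handing it back to malloc
 *  - secure_wipe_all() runs from atexit(), so an early exit() still wipes
 *                      whatever is live at that moment
 */
#define SECURE_MAX 64

struct secure_block { void *ptr; size_t len; int locked; };
static struct secure_block registry[SECURE_MAX];
static size_t live_count;
static int atexit_done;

/* Zero through a volatile pointer: a plain memset() right before free() is a
 * "dead store" the optimizer may legally remove; volatile writes are not. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* 1 if every byte of p[0..n) is zero; used by the self-check below. */
int secure_is_zeroed(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

size_t secure_live_count(void) { return live_count; }

static void secure_release(size_t i)
{
    secure_wipe(registry[i].ptr, registry[i].len);
    if (registry[i].locked)
        munlock(registry[i].ptr, registry[i].len);
    free(registry[i].ptr);
    registry[i] = registry[--live_count];   /* swap-with-last removal */
}

/* atexit() handler: wipe and release every block that is still live. */
void secure_wipe_all(void)
{
    while (live_count > 0)
        secure_release(live_count - 1);
}

void *secure_malloc(size_t n)
{
    if (n == 0 || live_count >= SECURE_MAX)
        return NULL;
    if (!atexit_done) {             /* register the premature-exit wipe once */
        atexit(secure_wipe_all);
        atexit_done = 1;
    }
    void *p = malloc(n);
    if (!p)
        return NULL;
    struct secure_block *b = &registry[live_count++];
    b->ptr = p;
    b->len = n;
    /* mlock() keeps the pages out of swap. It fails (ENOMEM/EPERM) once the
     * process exceeds RLIMIT_MEMLOCK; this demo records that and continues, a
     * real program must decide whether unlocked secrets are acceptable. */
    b->locked = (mlock(p, n) == 0);
    return p;
}

void secure_free(void *p)
{
    if (!p)
        return;
    for (size_t i = 0; i < live_count; i++)
        if (registry[i].ptr == p) {
            secure_release(i);
            return;
        }
    free(p);   /* not one of ours: nothing registered to wipe */
}

/* Self-check: the wipe primitive really zeroes, the registry drains on
 * secure_free(), and secure_wipe_all() empties it as atexit() would. */
int secure_selfcheck(void)
{
    unsigned char key[32];
    memset(key, 0xA5, sizeof key);          /* constructed stand-in for a key */
    secure_wipe(key, sizeof key);
    if (!secure_is_zeroed(key, sizeof key))
        return 0;
    unsigned char *k = secure_malloc(32), *iv = secure_malloc(16);
    if (!k || !iv)
        return 0;
    memset(k, 0x5A, 32);
    memset(iv, 0x3C, 16);
    if (secure_live_count() != 2)
        return 0;
    secure_free(k);
    if (secure_live_count() != 1)
        return 0;
    secure_wipe_all();                       /* what the atexit() path does */
    return secure_live_count() == 0;
}

int main(void)
{
    printf("secure heap self-check: %s\n", secure_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

Build with `cc -std=c99 -O2 secure_heap.c` and run; -O2 is the point, since that is where an unguarded memset() before free() tends to vanish. Two caveats a practitioner should keep in mind: the wipe covers only memory that went through this allocator, so copies the program makes elsewhere (stack temporaries, stdio buffers, a core dump) are untouched, and the kernel's habit of handing out zeroed pages on reuse does nothing for a block that is still mapped, which is exactly the window the post is talking about.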
More information about the freebsd-security mailing list