Should Linux wipe memory more often for better security?

Thread started by plenty900, 02-25-2008
Posted by shimp on February 27, 2008, 2:15 pm
phil-news-nospam@ipal.net wrote:
> In comp.os.linux.development.system Bernd Felsche
> | phil-news-nospam@ipal.net wrote:
> |
> |>> It has been known from the beginning that DRAM holds its state a
> |>> while after power is removed. Thats how it works. There is a
> |>> circuit that refreshes it every X milliseconds. But it is a big
> |>> big surprise, at least to me, that data can recovered up to 10
> |>> minutes afterwards!!?
> |
> |>> The only real world ramification I can see is that you should
> |>> completely powerdown your laptop 10 mins before going through a
> |>> security checkpoint. Or unmount crypt stuff and do a memory wipe.
> |
> |>So add a RAM wipe right at the end of the halt sequence (in
> |>addition to other security measures like storing keys in unused
> |>corners of video card SRAM).
> |
> | Scrubbing page tables making a good start. Much quicker than the
> | whole RAM - which could span gigabytes for the well-endowed.
>
> How about a special space set aside in RAM that the kernel is aware of,
> which the storing of keys would make use of in lieu of regular RAM.
> That way the key can get wiped first, and any unencrypted data in the
> rest of RAM can be done later.

Being able to mark pages as 'I need to be wiped' by the kernel would be
cool. Then again the only sure thing is to wipe all memory. Developers
make mistakes, software has design flaws. Best to wipe it all.

>
> How easy would it be to have some addressable memory, even if slower,
> implemented via the PCI bus? A plug in PCI card with some genuine SRAM
> that loses data the instant the power is lost could be used. Even better
> would be to have such a card with crypto hardware in it, so the key never
> needs to be read back in to DRAM once stored in the card when the system
> boots up and the key is provided by the human user.


Hmm that gives me an idea. I bet someone right now today could create a
little battery powered piggyback board that sits between your
motherboard and your RAM modules. It could detect powerdown and do the wipe.

Posted by on February 27, 2008, 3:57 pm
| phil-news-nospam@ipal.net wrote:
|> In comp.os.linux.development.system Bernd Felsche
|> | phil-news-nospam@ipal.net wrote:
|> |
|> |>> It has been known from the beginning that DRAM holds its state a
|> |>> while after power is removed. Thats how it works. There is a
|> |>> circuit that refreshes it every X milliseconds. But it is a big
|> |>> big surprise, at least to me, that data can recovered up to 10
|> |>> minutes afterwards!!?
|> |
|> |>> The only real world ramification I can see is that you should
|> |>> completely powerdown your laptop 10 mins before going through a
|> |>> security checkpoint. Or unmount crypt stuff and do a memory wipe.
|> |
|> |>So add a RAM wipe right at the end of the halt sequence (in
|> |>addition to other security measures like storing keys in unused
|> |>corners of video card SRAM).
|> |
|> | Scrubbing page tables making a good start. Much quicker than the
|> | whole RAM - which could span gigabytes for the well-endowed.
|>
|> How about a special space set aside in RAM that the kernel is aware of,
|> which the storing of keys would make use of in lieu of regular RAM.
|> That way the key can get wiped first, and any unencrypted data in the
|> rest of RAM can be done later.
|
| Being able to mark pages as 'i need to be wiped' by the kernel would be
| cool. Then again the only sure thing is to wipe all memory. Developer
| make mistakes, software has design flaws. Best to wipe it all.

I agree. But maybe we can have some means to designate priority for cases
when CPU operating time might be very limited because AC power to PSU is
gone.


|> How easy would it be to have some addressable memory, even if slower,
|> implemented via the PCI bus? A plug in PCI card with some genuine SRAM
|> that loses data the instant the power is lost could be used. Even better
|> would be to have such a card with crypto hardware in it, so the key never
|> needs to be read back in to DRAM once stored in the card when the system
|> boots up and the key is provided by the human user.
|
|
| Hmm that gives me an idea. I bet someone right now today could create a
| little battery powered piggyback board that sits between your
| motherboard and your RAM modules. It could detect powerdown and do the wipe.

Or maybe a PCI card with DMA?

It could also have a header to attach intrusion detectors and do a system
reset at the same time.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2008-02-27-1454@ipal.net |
|------------------------------------/-------------------------------------|

Posted by shimp on February 27, 2008, 5:28 pm
>
> |> How easy would it be to have some addressable memory, even if slower,
> |> implemented via the PCI bus? A plug in PCI card with some genuine SRAM
> |> that loses data the instant the power is lost could be used. Even better
> |> would be to have such a card with crypto hardware in it, so the key never
> |> needs to be read back in to DRAM once stored in the card when the system
> |> boots up and the key is provided by the human user.
> |
> |
> | Hmm that gives me an idea. I bet someone right now today could create a
> | little battery powered piggyback board that sits between your
> | motherboard and your RAM modules. It could detect powerdown and do the wipe.
>
> Or maybe a PCI card with DMA?
>
> It could also have a header to attach intrusion detectors and do a system
> reset at the same time.
>

That would be nice if you could just buy a PCI card and plug it in. But
I'm afraid it would have to power the northbridge at least, and maybe the
processor as well. I dunno. I'm not a motherboard engineer. ;D

Hmmm, we have ECC RAM, so I'm sure the industry could create some secure
RAM if there was demand. Short all bits on poweroff.

p.s. The Incognito live CD, which has been around for a while, does do a
memory wipe at shutdown. So kudos to them.

Posted by on February 28, 2008, 12:15 am
|>
|> |> How easy would it be to have some addressable memory, even if slower,
|> |> implemented via the PCI bus? A plug in PCI card with some genuine SRAM
|> |> that loses data the instant the power is lost could be used. Even better
|> |> would be to have such a card with crypto hardware in it, so the key never
|> |> needs to be read back in to DRAM once stored in the card when the system
|> |> boots up and the key is provided by the human user.
|> |
|> |
|> | Hmm that gives me an idea. I bet someone right now today could create a
|> | little battery powered piggyback board that sits between your
|> | motherboard and your RAM modules. It could detect powerdown and do the wipe.
|>
|> Or maybe a PCI card with DMA?
|>
|> It could also have a header to attach intrusion detectors and do a system
|> reset at the same time.
|>
|
| That would be nice if you could just buy a PCI card and plug it in. But
| Im afraid it would have to power the northbridge at least, and maybe the
| processor as well. I dunno. I'm not a motherboard engineer. ;D

There is a brief instant of time in which a few thousand cycles can be done.
Maybe that's enough time to wipe a critical page.


| Hmmm we have ECC RAM, so im sure the industry could create some secure
| RAM if there was demand. Short all bits on poweroff.

SRAM. Instead of storing data in a little charged capacitor, it is stored
in the state of a flip flop that has no state without any power. This is
not a good choice for the whole system. But it would be for a small amount
of memory used to store security critical data.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2008-02-27-2312@ipal.net |
|------------------------------------/-------------------------------------|
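The thread asks for pages the kernel knows to wipe first, and for wiping a critical page in the few thousand cycles available. Linux has no such per-page "wipe me" marker, but a program can approximate the idea for its own key material: keep the secret in a page pinned in RAM (so it is never copied to swap), exclude it from core dumps, and overwrite it with a store the compiler cannot optimise away before the memory is released. The following is an added example written for this page, not code from any poster or project; `secure_wipe`, `secret_alloc` and `demo_wipe` are names chosen here, the key bytes are a constructed pattern, and the `mlock`/`madvise` calls are Linux-specific.

```c
/* Added example (not from the thread): keep a secret in a page that is
 * locked in RAM, excluded from core dumps, and wiped with a store the
 * compiler cannot elide.  Linux-specific (mlock, MADV_DONTDUMP). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define KEY_LEN 32   /* constructed size for the demo key */

/* A plain memset() before free() is a dead store and may be removed by the
 * optimiser; writing through a volatile pointer forces every byte out. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Page-aligned buffer for a secret, pinned in RAM and kept out of core
 * dumps.  Returns NULL only if the allocation itself fails; a failed
 * mlock (e.g. RLIMIT_MEMLOCK) is reported but does not abort. */
static unsigned char *secret_alloc(size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *buf = NULL;
    if (posix_memalign((void **)&buf, (size_t)page, len) != 0) return NULL;
    if (mlock(buf, len) != 0) perror("mlock (secret may reach swap)");
    if (madvise(buf, len, MADV_DONTDUMP) != 0) perror("madvise(MADV_DONTDUMP)");
    return buf;
}

/* Wipe first, then unlock and release; the order matters. */
static void secret_free(unsigned char *buf, size_t len) {
    secure_wipe(buf, len);
    munlock(buf, len);
    free(buf);
}

/* 1 if every byte in [p, p+n) is zero, else 0. */
static int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Demonstration: fill a key, check it is live, wipe it, and check the wipe
 * took effect before the page goes back to the allocator.
 * Returns 1 when the buffer held data and is all-zero after the wipe. */
int demo_wipe(void) {
    unsigned char *key = secret_alloc(KEY_LEN);
    if (!key) return 0;
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(0xA5 ^ i);   /* constructed key bytes */
    int live_before = !all_zero(key, KEY_LEN);
    secure_wipe(key, KEY_LEN);
    int zero_after = all_zero(key, KEY_LEN);
    munlock(key, KEY_LEN);
    free(key);
    return live_before && zero_after;
}

int main(void) {
    unsigned char *k = secret_alloc(KEY_LEN);
    if (!k) return 1;
    memset(k, 0x42, KEY_LEN);          /* stand-in for real key material */
    secret_free(k, KEY_LEN);           /* wipe, unlock, free */
    printf("wipe verified: %s\n", demo_wipe() ? "yes" : "no");
    return 0;
}
```

This only narrows the window for the process's own secrets; it does nothing about copies the kernel or other software may hold elsewhere, which is the point the posters make about needing to wipe everything at halt.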

Posted by David Schwartz on February 27, 2008, 7:12 pm
On Feb 27, 9:29 am, phil-news-nos...@ipal.net wrote:

> I'd also recommend wiping the data with random bits instead of zeros.

Why? To protect against possible even more bizarre, even more
hypothetical attacks? This attack is so bizarre, it's barely worth
doing much of anything about.

DS
