SecMalloc: c-lib to prevent malloc’ed memory from swapping.
An acquaintance of mine has released a new C library called secmalloc. To quote:
Most modern systems have some notion of swap, where the contents of memory can be written to disk, freeing up the memory for other purposes. This allows the system a lot of flexibility in managing its memory. Infrequently used data is a prime candidate for swapping to disk, thus freeing up the real memory for more useful purposes. This can be a problem when using cryptography as there is a danger of keys or other sensitive data ending up in swap where (eventually) it may fall into the wrong hands. Secmalloc provides a secure version of the common 'malloc' interface for managing memory. All memory allocated by secmalloc is locked, so that it cannot be swapped out.
He and I have been conspiring about a way of being able to leverage this in CPython; there's been talk of SWIG and other things. I pinged Brett last night to get his thoughts (based on his other security work). Take a look at it - it's fairly specialized, but if you've been looking for something more surgical than calling:
[root@lolz~]# /sbin/swapoff
to keep sensitive data from being swapped out, then this is for you.
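To show what a locked-allocation malloc interface amounts to underneath, here is a small added example (my own code, not secmalloc's source, and the names sec_malloc, sec_free, sec_locked_bytes and sec_selftest are mine). It assumes a POSIX system with mlock/munlock: each allocation is rounded up to whole pages, pinned with mlock so the kernel will not write it to swap, and wiped before it is unlocked and returned to the heap, so freed key material does not linger in the allocator's free lists either.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Bookkeeping kept at the start of each page-aligned block. The union with
 * long double keeps the pointer handed back to the caller well aligned. */
typedef union {
    struct { size_t total; size_t user; } h;  /* bytes locked / bytes requested */
    long double pad;
} sec_hdr;

static size_t locked_bytes;   /* bytes currently pinned by this allocator */

/* Round n up to a multiple of the page size (mlock works on whole pages). */
static size_t sec_round_to_page(size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (n + page - 1) / page * page;
}

/* Zero a buffer through a volatile pointer so the store cannot be optimised away. */
static void sec_wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Allocate size bytes that the kernel may not swap out. Returns NULL with errno
 * set on failure; mlock fails with ENOMEM or EPERM when RLIMIT_MEMLOCK is too low. */
void *sec_malloc(size_t size) {
    if (size == 0 || size > SIZE_MAX - sizeof(sec_hdr)) { errno = EINVAL; return NULL; }
    size_t total = sec_round_to_page(size + sizeof(sec_hdr));
    void *base = NULL;
    int rc = posix_memalign(&base, (size_t)sysconf(_SC_PAGESIZE), total);
    if (rc != 0) { errno = rc; return NULL; }
    if (mlock(base, total) != 0) {
        int saved = errno;
        free(base);               /* never hand out memory we could not pin */
        errno = saved;
        return NULL;
    }
    sec_hdr *hdr = base;
    hdr->h.total = total;
    hdr->h.user = size;
    locked_bytes += total;
    return hdr + 1;
}

/* Wipe, unlock and release a block obtained from sec_malloc. */
void sec_free(void *p) {
    if (!p) return;
    sec_hdr *hdr = (sec_hdr *)p - 1;
    size_t total = hdr->h.total;
    sec_wipe(hdr, total);         /* header and payload, before the pages are unlocked */
    munlock(hdr, total);
    locked_bytes -= total;
    free(hdr);
}

size_t sec_locked_bytes(void) { return locked_bytes; }
size_t sec_usable_size(const void *p) { return ((const sec_hdr *)p - 1)->h.user; }

/* Round trip: allocate, use, wipe-free. Returns 0 on success, -1 on failure. */
int sec_selftest(void) {
    size_t before = locked_bytes;
    unsigned char *key = sec_malloc(32);
    if (!key) return -1;
    memset(key, 0x41, 32);        /* constructed stand-in for key material */
    size_t expect = before + sec_round_to_page(32 + sizeof(sec_hdr));
    int ok = sec_usable_size(key) == 32 && locked_bytes == expect;
    sec_free(key);
    return (ok && locked_bytes == before) ? 0 : -1;
}

int main(void) {
    if (sec_selftest() != 0) { perror("sec_selftest"); return 1; }
    printf("locked allocation round trip ok, %zu bytes still locked\n", sec_locked_bytes());
    return 0;
}
```

Two caveats a practitioner would want alongside this: the per-process lock budget (RLIMIT_MEMLOCK, shown by `ulimit -l`) is small by default, so an allocator like this must fail loudly rather than silently fall back to plain malloc; and mlock only keeps pages out of swap. It does nothing about core dumps, hibernation images, or a debugger reading the process, which need their own controls.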


August 31st, 2007 at 11:25 am
Or you could encrypt the swap partition…
August 31st, 2007 at 12:08 pm
Encrypting the swap partition is less than desirable given the requirements of doing so - you need to be root, modify and reboot the system. This is for one off mallocs for the runtime of a program/application.
September 1st, 2007 at 12:26 pm
I think the string types need a specialized allocator anyway, so creating some way to secure that would be an obvious next move. The question is how an interface from Python would look. A string is immutable, and anywhere they are created would have to say “make this secure” because you can’t make it secure after it's created. It poses some problems that maybe could only be solved with a string control character, as we use u and r today.