[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Zeroing sensitive memory chunks [Was: Security Flaw in Popular Disk Encryption Technologies]
- To: Eygene Ryabinkin <rea-fbsd_(_at_)_codelabs_(_dot_)_ru>
- Subject: Re: Zeroing sensitive memory chunks [Was: Security Flaw in Popular Disk Encryption Technologies]
- From: Jeremy Chadwick <koitsu_(_at_)_freebsd_(_dot_)_org>
- Date: Sat, 23 Feb 2008 11:53:05 -0800
- Cc: hackers_(_at_)_freebsd_(_dot_)_org, Pieter de Boer <pieter_(_at_)_thedarkside_(_dot_)_nl>, Atom Smasher <atom_(_at_)_smasher_(_dot_)_org>
On Sat, Feb 23, 2008 at 10:32:02PM +0300, Eygene Ryabinkin wrote:
> Sat, Feb 23, 2008 at 10:56:20AM -0800, Jeremy Chadwick wrote:
> > > A possible counter-measure would be to add wiping features to the RAM
> > > modules themselves. When power is lost, the memory could wipe itself. Still
> > > not perfect, but would certainly help.
> > Proper software should be memset() or bzero()'ing memory space it
> > mallocs. I've gotten in the habit of doing this for years, purely as a
> > safety net. If said software doesn't do this, it's very likely
> > succeptable.
> > So the OP's question about ELI/GELI stands -- does it properly zero out
> > memory it allocates before using it?
> Excuse me, but I think that you're confusing two things: zeroing
> or, generally, initializing memory before the first use (it what
> is you're talking about) and sanitizing sensitive data like passwords
> and keys after they were used (it is what OP was talking about).
Yep, you're quite right -- I am/was definitely confusing the two. As
far as the secondary option goes, I suppose that's also up to software
to address, but honestly I have no real idea how one would do that.
Cryptography and overall "data sanitisation" (to ensure security) are
significantly over my head.
Thanks for correcting me, though! Always good to learn something.
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
freebsd-hackers_(_at_)_freebsd_(_dot_)_org mailing list
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe_(_at_)_freebsd_(_dot_)_org"