Re: encrypting swap
"Strohm Thomas (FV/SLD) *" wrote:
>
> Alexander Schreiber wrote:
> > > 2) You go to a suspend state. Then you also should erase the swap
> > > partition, but now before going to suspend. This may be
> > > more complicated than in the first case.
> >
> > This ranges from easy (no swap used) to difficult (swap used)
> > to impossible (used address space > RAM, swap _needed_ for operation of
> > system) - at least if you don't want to seriously disrupt operation
> > (by forcibly disabling swap, thereby creating an OOM-situation which
> > will kill processes).
>
> Ok, you're right. I oversaw this.
> Then think of the following scenario which works in the cases
> (1) You modify the hibernation code in the BIOS.
I don't know how far the OpenBIOS (or was it LinBIOS?) project
has come, but I'd expect that it would be hard to get modified
BIOSes for a sufficient amount of motherboards out there.
> (2) You use a suspend mechanism in the kernel, like swsusp.
>
> - You do no swap encryption in the normal operation mode of the laptop
> - Now you want to suspend the machine
> - Stop all processes, swap them out. Now only one kernel 'thread' still
> runs
This will write all keys and passwords currently contained in
application memory to unencrypted swap.
> - This thread copies the contents of the swap partition to a dedicated
> hibernation partition while encrypting it. And also zeros the swap...
As already mentioned in this thread, just zeroing a part of the disk
does not mean that it is impossible to get back the overwritten data
(www.ibas.no). You'd have to overwrite the swap with random noise
several times to make sure that it is infeasible to get the data back.
> Disadvantages:
> - May take some time when copying and encrypting the swap partition.
> - Does not work if you run out of batteries (as you pointed out!)
- Leaves the swap unencrypted if an attacker is able to crash the
machine.
- Leaves entire userland memory in unencrypted swap if attacker is
able to hang or crash the machine during the hibernation process.
> > I hate to break it to you - but high performance and high security
> > tend to come in different packages.
>
> [Thanks for pointing that out :-)]
>
> Sure. But you don't have to accept the first policy that comes into
> your mind and attributing its shortcomings to "high performance vs.
> high security".
Functionality and security also tend to come in different packages.
--
LarsG. These are my opinions, which may or may not be shared by my
employer.
Code that cracks a protection device is criminal under the DMCA even if the
use of the copyrighted material that the code enables would be fair use.
- Lawrence Lessig, Berkman Professor of Law, Harvard Law School.
Kernel-audit: discussion list for security and the linux kernel
Archive: http://mail.nl.linux.org/kernel-audit/