Re: Use |mprotect()| to secure key data ? / was: Re: Proposal: always handle keys in separate process

On 20 January 2016 at 03:10, Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> wrote:
> On Tue 2016-01-19 19:53:41 -0500, Roland Mainz wrote:
>> What about the idea of storing "valuable" data in unlinked temp files
>> and |mmap()| them only on demand ? That would keep them out of the
>> claws of *other* users (obviously same user can use /proc/$pid/fd/$fd
>> to |open()| such files, but then the same user could just attach
>> gdb/dbx and dissect the ssh/sshd/ssh_secure_storage processes and even
>> inject random code) ...
>
> depending on the filesystem used, this could mean writing this sensitive
> data to the underlying storage medium, which sounds like a worse failure
> than anything this proposal would fix.
>
>      --dkg

Why? Kernel paging/swapping would do the same, and you can force that
paging/swapping to a file in a trusted env and still get user data you
are not supposed to obtain. That's even an old trick tiger teams used
5 years ago to demonstrate that using Linux for sensitive data storage
at CEA Saclay isn't wise.

Ced
-- 
Cedric Blancher <cedric.blancher@xxxxxxxxx>
Institute Pasteur
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
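The two objections above (sensitive data reaching a file system, and the kernel paging it to swap regardless) are the usual reasons in-process key storage avoids file-backed memory altogether. The following C program is an added example, not code from this thread or from OpenSSH: it keeps key bytes in an anonymous, private mapping, pins it with mlock() so the kernel will not swap it, asks for it to be left out of core dumps, and uses mprotect() (the approach in the subject line) to keep the page inaccessible except during a brief copy-out window. The `secure_buf` type and its functions are hypothetical names chosen for the example; it assumes Linux with glibc and an RLIMIT_MEMLOCK large enough for one page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type for this example; not OpenSSH code. */
struct secure_buf {
    unsigned char *mem;   /* page-aligned anonymous mapping */
    size_t len;           /* bytes of key material stored */
    size_t maplen;        /* whole-page mapping length */
};

/* Overwrite memory in a way the compiler must not optimise away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Allocate a locked, non-dumpable, inaccessible buffer holding `src`.
 * Returns 0 on success, -1 (with errno set) on failure. */
int secure_buf_store(struct secure_buf *sb, const unsigned char *src, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0) { errno = EINVAL; return -1; }
    sb->maplen = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    /* Anonymous and private: never file-backed, unlike the unlinked-tempfile idea. */
    sb->mem = mmap(NULL, sb->maplen, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (sb->mem == MAP_FAILED) return -1;
    /* Pin the pages so the kernel will not write them to swap. Treat failure as fatal. */
    if (mlock(sb->mem, sb->maplen) != 0) {
        int e = errno; munmap(sb->mem, sb->maplen); errno = e; return -1;
    }
#ifdef MADV_DONTDUMP
    /* Best effort: keep the pages out of core dumps (Linux 3.4 and later). */
    madvise(sb->mem, sb->maplen, MADV_DONTDUMP);
#endif
    memcpy(sb->mem, src, len);
    sb->len = len;
    /* Resting state: no access at all, so a stray read or write faults instead of leaking. */
    return mprotect(sb->mem, sb->maplen, PROT_NONE);
}

/* Copy the key out into caller-provided memory, opening the page only for the copy. */
int secure_buf_read(struct secure_buf *sb, unsigned char *dst, size_t dstlen) {
    if (dstlen < sb->len) { errno = ERANGE; return -1; }
    if (mprotect(sb->mem, sb->maplen, PROT_READ) != 0) return -1;
    memcpy(dst, sb->mem, sb->len);
    return mprotect(sb->mem, sb->maplen, PROT_NONE);
}

/* Wipe, unlock and unmap. */
int secure_buf_free(struct secure_buf *sb) {
    if (mprotect(sb->mem, sb->maplen, PROT_READ | PROT_WRITE) != 0) return -1;
    wipe(sb->mem, sb->maplen);
    munlock(sb->mem, sb->maplen);
    int rc = munmap(sb->mem, sb->maplen);
    sb->mem = NULL; sb->len = sb->maplen = 0;
    return rc;
}

/* Round-trip check: returns 1 if the key survives store/read/free, 0 otherwise. */
int secure_buf_roundtrip_ok(void) {
    /* Constructed sample key bytes for the demonstration; not a real key. */
    unsigned char key[32], out[32];
    for (int i = 0; i < 32; i++) key[i] = (unsigned char)(0xA5 ^ i);
    struct secure_buf sb;
    if (secure_buf_store(&sb, key, sizeof key) != 0) return 0;
    int ok = secure_buf_read(&sb, out, sizeof out) == 0 && memcmp(key, out, 32) == 0;
    if (secure_buf_free(&sb) != 0) return 0;
    return ok;
}

int main(void) {
    printf("round trip %s\n", secure_buf_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The mlock() call is the part that answers the swap objection; it is deliberately fatal on failure, because a key that silently lands in pageable memory is exactly the case the thread is worried about. None of this helps against a same-uid attacker with ptrace, which is the point both posters concede, and the caller's own copy in `dst` still has to be wiped by the caller.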
