Use |mprotect()| to secure key data ? / was: Re: Proposal: always handle keys in separate process

Cedric Blancher cedric.blancher at gmail.com
Wed Feb 10 11:12:22 AEDT 2016


On 20 January 2016 at 03:10, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On Tue 2016-01-19 19:53:41 -0500, Roland Mainz wrote:
>> What about the idea of storing "valuable" data in unlinked temp files
>> and |mmap()| then only on demand ? That would keep them out of the
>> claws of *other* users (obviously same user can use /proc/$pid/fd/$fd
>> to |open()| such files, but then the same user could just attach
>> gdb/dbx and dissect the ssh/sshd/ssh_secure_storage processes and even
>> inject random code) ...
>
> depending on the filesystem used, this could mean writing this sensitive
> data to the underlying storage medium, which sounds like a worse failure
> than anything this proposal would fix.
>
>      --dkg

Why? Kernel paging/swapping would do the same, and you can force that
paging/swapping to a file in a trusted env and still get user data you
are not supposed to obtain. That's even an old trick tiger teams used
5 years ago to demonstrate that using Linux for sensitive data storage
at CEA Saclay isn't wise.

Ced
-- 
Cedric Blancher <cedric.blancher at gmail.com>
Institute Pasteur
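As an added illustration (not code from this thread or from OpenSSH) of the mitigation the swap concern above points at: hold key material in an anonymous mapping that is pinned in RAM with mlock(), excluded from core dumps, and sealed with mprotect(PROT_NONE) between uses, then wiped before unmapping. The struct and function names are the example's own, and it goes beyond the thread by adding mlock() and MADV_DONTDUMP, which the messages do not discuss.

```c
#define _DEFAULT_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Key material in an anonymous page-aligned mapping (no file backing, unlike the
 * unlinked-tmpfile idea), pinned so it never reaches swap, kept out of core dumps. */
struct secure_buf {
    unsigned char *p;
    size_t len;    /* requested size rounded up to whole pages */
    int pinned;    /* 1 if mlock() succeeded; treat 0 as fatal for real keys */
};

int secure_buf_alloc(struct secure_buf *b, size_t want) {
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || want == 0) return -1;
    b->len = ((want + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;
    b->p = mmap(NULL, b->len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (b->p == MAP_FAILED) return -1;
    b->pinned = (mlock(b->p, b->len) == 0);        /* keep it out of swap */
#ifdef MADV_DONTDUMP
    madvise(b->p, b->len, MADV_DONTDUMP);          /* keep it out of core dumps */
#endif
    return 0;
}

/* Sealed pages fault on any access, so a stray read cannot disclose the key between uses. */
int secure_buf_seal(struct secure_buf *b)   { return mprotect(b->p, b->len, PROT_NONE); }
int secure_buf_unseal(struct secure_buf *b) { return mprotect(b->p, b->len, PROT_READ | PROT_WRITE); }

/* Re-enable access, wipe via a volatile pointer (the compiler cannot drop it), unpin, unmap. */
int secure_buf_free(struct secure_buf *b) {
    if (secure_buf_unseal(b) != 0) return -1;
    volatile unsigned char *v = b->p;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
    munlock(b->p, b->len);
    int rc = munmap(b->p, b->len);
    b->p = NULL; b->len = 0;
    return rc;
}

/* Round trip with a constructed 32-byte key: store, seal, unseal, verify, free. 0 on success. */
int secure_buf_roundtrip(void) {
    unsigned char key[32];
    struct secure_buf b;
    for (size_t i = 0; i < sizeof key; i++) key[i] = (unsigned char)(0xA0 + i);
    if (secure_buf_alloc(&b, sizeof key) != 0) return -1;
    memcpy(b.p, key, sizeof key);
    if (secure_buf_seal(&b) != 0 || secure_buf_unseal(&b) != 0) return -2;
    int ok = memcmp(b.p, key, sizeof key) == 0;
    if (secure_buf_free(&b) != 0) return -3;
    return ok ? 0 : -4;
}
```

Reading a sealed buffer deliberately is not shown because it terminates the process with SIGSEGV; that fault is the point of sealing.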
