
Comments (2)

BobWall23 avatar BobWall23 commented on June 14, 2024 1

These methods use the Linux kernel functions mlock/munlock and mprotect to safeguard key storage memory from within the process. However, this doesn't protect against RowHammer-type attacks. A recent patch to OpenSSL adds protection for this - they generate 16kbytes of random data on process startup, derive a symmetric key from that (probably just a sha256 hash), and use that key to encrypt the secret before it is stored in memory. The key is re-derived each time the secret is needed.

The error rate of RowHammer is sufficiently high that recovering the full 16kbytes of random data (referred to as a pre-key) is very unlikely.

from recrypt-rs.

zmre avatar zmre commented on June 14, 2024

@BobWall23 I recommend we spin out a separate issue for rowhammer protection. I dug into this today and here are some conclusions:

  • If you want to prevent anyone from accessing memory except in specific contexts, then you can use mprotect. For our use cases, this doesn't make sense as we do need the private key to be passed to various functions.
  • mlock/munlock will pin blocks of memory so they don't go to swap, which we want for our purposes.
  • madvise is used in specific operating systems to prevent the protected memory from showing up in core dumps.

I reviewed the options that Clint referenced and read the thread and then poked around man pages. Basically I think secstr is the best starting point. memsec shows how to make this work in Windows though. I'm going to mix these together and make them work on arbitrary structs. These libraries have a bunch of other functionality and we only really need a few lines out of them, slightly adapted, so I don't think it makes sense to pull in the dependencies. We have existing solutions for zeroing memory and constant time equality checks, for example.

The hardest thing with this is confirming that it's working as expected. That is, how can we prove that the private keys aren't being written to swap or pushed to disk in a core dump? None of the referenced libraries have tests for this. I think we have to take it on faith. I'm open to suggestions though.

from recrypt-rs.
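The mlock/madvise combination described above, together with one way to answer the "how do we confirm it's working" question, as an added example that is not code from recrypt-rs, secstr or memsec. It assumes Linux (the libc symbols are declared directly, no crates) and the names `SecretPage` and `vm_flags_for` are chosen here; the check reads the kernel's own per-mapping `VmFlags` line from `/proc/self/smaps`, where `lo` means the mapping is locked out of swap and `dd` means it is excluded from core dumps.

```rust
use std::alloc::{alloc_zeroed, dealloc, Layout};
use std::os::raw::{c_int, c_void};

extern "C" {
    fn mlock(addr: *const c_void, len: usize) -> c_int;
    fn munlock(addr: *const c_void, len: usize) -> c_int;
    fn madvise(addr: *mut c_void, len: usize, advice: c_int) -> c_int;
    fn getpagesize() -> c_int;
}
const MADV_DONTDUMP: c_int = 16; // Linux uapi value; this example assumes Linux

/// One page of secret storage: pinned out of swap (mlock) and excluded from core dumps (madvise).
pub struct SecretPage { ptr: *mut u8, len: usize }

impl SecretPage {
    pub fn new() -> Result<Self, &'static str> {
        let len = unsafe { getpagesize() } as usize;
        let layout = Layout::from_size_align(len, len).map_err(|_| "bad layout")?;
        let ptr = unsafe { alloc_zeroed(layout) };
        if ptr.is_null() { return Err("allocation failed"); }
        // Each call splits the enclosing VMA, so the flags apply to exactly this page.
        let ok = unsafe { mlock(ptr as *const c_void, len) == 0 && madvise(ptr as *mut c_void, len, MADV_DONTDUMP) == 0 };
        if !ok {
            unsafe { munlock(ptr as *const c_void, len); dealloc(ptr, layout) };
            return Err("mlock/madvise failed (check RLIMIT_MEMLOCK)");
        }
        Ok(SecretPage { ptr, len })
    }
    pub fn as_mut_slice(&mut self) -> &mut [u8] { unsafe { std::slice::from_raw_parts_mut(self.ptr, self.len) } }
    /// Kernel-reported VmFlags for this page: "lo" = locked, "dd" = not dumped.
    pub fn vm_flags(&self) -> Vec<String> { vm_flags_for(self.ptr as usize) }
}

impl Drop for SecretPage {
    fn drop(&mut self) {
        // Volatile stores so the wipe is not optimised away before the page is freed.
        for i in 0..self.len { unsafe { std::ptr::write_volatile(self.ptr.add(i), 0) } }
        let layout = Layout::from_size_align(self.len, self.len).unwrap();
        unsafe { munlock(self.ptr as *const c_void, self.len); dealloc(self.ptr, layout) };
    }
}

/// Walk /proc/self/smaps, find the VMA containing `addr`, and return its VmFlags tokens.
pub fn vm_flags_for(addr: usize) -> Vec<String> {
    let smaps = std::fs::read_to_string("/proc/self/smaps").unwrap_or_default();
    let mut inside = false;
    for line in smaps.lines() {
        // VMA header lines look like "7f12a000-7f12b000 rw-p 00000000 00:00 0"; key/value lines do not parse.
        let hdr = line.split_once(' ').and_then(|(r, _)| r.split_once('-'))
            .and_then(|(lo, hi)| Some((usize::from_str_radix(lo, 16).ok()?, usize::from_str_radix(hi, 16).ok()?)));
        if let Some((lo, hi)) = hdr { inside = lo <= addr && addr < hi; continue; }
        if inside && line.starts_with("VmFlags:") { return line[8..].split_whitespace().map(String::from).collect(); }
    }
    Vec::new()
}
```

Swap and dump exclusion are per-VMA kernel state, so the same `VmFlags` check works from a test without having to actually trigger swapping or crash the process for a core file.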
