
Secure memory and swapping

This topic is 3197 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.


AFAIK there is no portable way to prevent memory from being paged. My attention is mostly on *NIX, the mlock function does not prevent memory from being paged, but since my application is on a dedicated web server it occurred to me that it is acceptable to simply have no swap space. I am now thinking that my program could read /proc/swaps and verify that nothing is listed, but to be really secure I need to 1) be sure that an empty /proc/swaps genuinely implies that no memory will be paged, and 2) receive asynchronous alerts from the kernel if any swap space is enabled. Can anyone comment on these? Thanks

So your goal is that your webserver, if turned off suddenly, will have secure flagged content decrypted in the swap partition?

Note that standard computer RAM can be read after the computer powers down (!). All paranoia must be limited by practicality.

Quote:
Original post by spraff

but to be really secure I need to


To be really secure, you need a dedicated administration team, which will be managing a secure server. This server will then have, in the QA manuals, a bullet-point: #17: disable swap partition (see appendix 14)

Technical solutions have no real value as such.


Alternatively - netboot the entire OS onto a RAM drive.

But don't waste time on technical complications that add nothing to security. Security is a process. Before the entire system is managed in secure environment with proper procedures in place, there is no security.

You're both right about the process and so on, and yes there is a capable administrator. However I want a technical part which captures human error. The process might be sound but it might not be followed. Since it's (I expect) not a huge technical effort to monitor the state of the swap setup it seems a reasonable extra step.

Quote:
Original post by spraff
The process might be sound but it might not be followed. Since it's (I expect) not a huge technical effort to monitor the state of the swap setup it seems a reasonable extra step.


Here's the problem. If the operations team is incapable of following a setup procedure, who is to say they will also remember to set a root password, or not simply mail passwords to public mailing lists, or perhaps just post them on their blog. If they cannot follow the simple setup procedure, you're screwed years before it comes down to someone recovering some data from swap file. Who will enforce file policies to prevent .htaccess script kiddie attack? What about social engineering attacks - if they are told never *ever* to reveal passwords, will they always follow that, even if "John" from "accounting" calls and asks for it? And where are session IDs stored? Default location on disk?

Adding complexity is a huge security concern. As soon as you add more code paths to your code, the testing and QA becomes more complex.

One way is to add a check to the deployment script (there hopefully is one), that parses the swapon output, or whatever checks swap configuration on your system.

Security of this type is simply not a problem a server developer can solve. It simply is not, no matter how many hoops and loops you jump through. And swap files are an administration and deployment problem.

1) Run on OS with swap file disabled
2) Encrypt swap file
3) Run entire OS from RAM disk
4) Simply rely on procedural safeguards

Option 3) is perhaps the most favorable technical solution, since it takes care of unknowns as well. If, on such a system, remote and local logins are disabled and the system is fully autonomous, then any and all transient and persistent data is destroyed when power is lost. That is about as good as it gets - for a technical solution.

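The original poster's idea of reading /proc/swaps and the suggestion above of a deployment-script check both come down to parsing the kernel's list of active swap areas. The following is an added example written for this thread, not code from any poster; it assumes the Linux /proc/swaps layout (a header line, then one line per active swap area with Filename, Type, Size, Used, Priority, sizes in kB) and uses two constructed sample files so it runs without touching the live system.

```python
"""Deployment-time check that no swap area is active, by parsing /proc/swaps.

Added example for this thread (not a poster's code). Assumes the Linux
/proc/swaps format: a header line followed by one line per active swap
area, fields separated by whitespace, Size and Used in kB.
"""
import sys

HEADER_FIELDS = ("Filename", "Type", "Size", "Used", "Priority")

# Constructed sample contents, not captured from a real machine.
SAMPLE_NO_SWAP = "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
SAMPLE_WITH_SWAP = (
    "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
    "/dev/sda2                               partition\t2097148\t0\t-2\n"
    "/swapfile                               file\t\t1048572\t1024\t-3\n"
)


def parse_proc_swaps(text):
    """Return one dict per active swap area described by /proc/swaps text.

    Raises ValueError if the header or a data line is not in the expected
    shape, so a changed format fails loudly instead of reading as 'no swap'.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []  # a completely empty file also lists no swap area
    header = lines[0].split()
    if tuple(header[:5]) != HEADER_FIELDS:
        raise ValueError("unexpected /proc/swaps header: %r" % lines[0])
    entries = []
    for ln in lines[1:]:
        parts = ln.split()
        if len(parts) < 5:
            raise ValueError("malformed /proc/swaps line: %r" % ln)
        entries.append({
            "filename": parts[0],
            "type": parts[1],
            "size_kb": int(parts[2]),
            "used_kb": int(parts[3]),
            "priority": int(parts[4]),
        })
    return entries


def swap_is_disabled(text):
    """True when the given /proc/swaps text lists no active swap area."""
    return not parse_proc_swaps(text)


def check_live_system(path="/proc/swaps"):
    """Read the live file. Returns (ok, entries); ok is False if it cannot be read.

    An unreadable file is reported as a failure rather than as 'no swap',
    since the check should never pass by accident.
    """
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        return False, []
    entries = parse_proc_swaps(text)
    return (not entries), entries


if __name__ == "__main__":
    # Exit non-zero so a deployment script can abort when swap is active.
    ok, entries = check_live_system()
    for e in entries:
        print("active swap: %s (%s, %d kB used)" % (e["filename"], e["type"], e["used_kb"]))
    sys.exit(0 if ok else 1)
```

This is a point-in-time check, not the asynchronous kernel notification the first post asks about; a deployment script or a periodic job can re-run it, but it only observes the swap configuration and does nothing to prevent paging of the process's own memory.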
Quote:
Original post by spraff
You're both right about the process and so on, and yes there is a capable administrator. However I want a technical part which captures human error. The process might be sound but it might not be followed. Since it's (I expect) not a huge technical effort to monitor the state of the swap setup it seems a reasonable extra step.

The scenario where something is more important to the developer than the customer is often not a good one.
