[erlang-questions] Process state and sensitive information
Jesper Louis Andersen
jesper.louis.andersen@REDACTED
Mon Sep 8 15:11:13 CEST 2014
On Tue, Sep 2, 2014 at 1:51 PM, Jesper Louis Andersen <
jesper.louis.andersen@REDACTED> wrote:
> Consider if you want to protect against data which is hot in memory. If
> you decrypt, how do you make sure the data you decrypted is overwritten
> straight away, once you don't need them anymore? This approach is so much
> against the Erlang philosophy so it might require a NIF to pull off.
>
So, Colin Percival has been up to this for a while. The goal is to protect
against an enemy grabbing hold of the memory area later. For example
through a heartbleed-like attack.
He starts out with some C code:
http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
the problem is to make sure an aggressive optimization doesn't remove the
memory zero of the buffer. He thinks he has a clever construction by
threading the memset call through an unoptimizable pointer, but alas:
http://www.daemonology.net/blog/2014-09-05-erratum.html
No, this doesn't work :)
And then he correctly identifies the real problem:
http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html
which is that sensitive information can be in many locations and memory and
you have no way of knowing where: stacks, registers, ... you name it.
The consequence is that it is hard to guarantee a given piece of memory is
overwritten and never used again. There is no good way of doing this right
now, and it is a problem in computing in general.
--
J.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140908/04bc1a44/attachment.htm>
More information about the erlang-questions
mailing list