Peter Gutmann (pgut001@cs.auckland.ac.nz)
Wed, 13 May 1998 09:36:54 (NZST)
>>[...]
>>I covered the
>>page locking problem briefly in my 1998 Usenix security symposium paper on
>>secure random number generation, a more reliable way to try to avoid paging is
>>to have a higher-priority background thread which touches the page
>>constantly. However even in this case with NT's apparently nondeterministic
>>paging behaviour it's not really possible to guarantee it won't be swapped.
>Instead of trying to avoid paging, which seems to be impossible across Unix/NT
>platforms, why not restrict it to a known secure area through the use of a
>memory mapped file. i.e. set restrictive permissions on your directory and use
>a mapped file within it to hold all sensitive data. At least then when you
>wipe it you'll know for sure your password's never been in swap.
That's another thing I suggested in the paper, use a DIY swapfile. The problem
with this is that it's not really possible to wipe data once it's been on disk
(for the details on that one, see my '96 Usenix paper), so you've got a choice
between having it swapped to a known area or hopefully having it not swapped at
all (but if it swapped then it'll go to an unknown area). It should be noted
that you can get NT to wipe the swapfile on shutdown, but it's probably a
fairly simplistic overwrite-with-zeroes thing. On most NT boxes, you're
probably better off taking your chances with VirtualLock(), unless the system
is thrashing at the time your data is probably reasonably safe. Under Unix
you're safe (provided you're root) with mlock(), and the Mac has HLock(). In
any case the real problem is the memory being used by the password dialog,
which you have no control over.
What would be really useful is if someone (hint, hint) could write a simple VxD
(for Win95) and kernel mode driver (for NT) which did nothing other than allow
the allocation and freeing of nonpageable memory pages (it wouldn't need to be
anything more complex than "Gimme a page" and "Free this page"). You can find
examples of this in some of the sample code which MS ships with their developer
stuff. Anyone want to write these? Presumably for someone who's done this
sort of thing before it wouldn't be too much work.
Question for the original poster: Under what conditions was the SecurPC
password written to disk? Was the system heavily loaded at the time (so it'd
be swapped)? When you say you found many copies of the password, was it in the
swapfile, or elsewhere on disk?
Peter.
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:17:20 ADT