-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
secrecy: consider adding mlock feature for SecretVec and SecretString #480
Comments
Potentially, however there are alternatives to consider, and the threat model that benefits from Another alternative to consider is encrypting secrets in-place when they're not in use, decrypting them for access, then re-encrypting them when they're no longer borrowed. This approach likewise has some questionable parts, like "where do you store the key-encrypting-key (KEK)?" and under what threat model having encrypted secrets helps where an attacker can't access the KEK (which is mostly accidental exposure through exploitation of memory unsafety vulnerabilities). It might be interesting to parameterize |
Related to that, sequoia-openpgp uses encrypted memory for storing secret keys link:
|
@tony-iqlusion @ordian |
I think an approach like that which keeps secrets encrypted in memory and decrypts them on-the-fly in order to access them (re-encrypting them when done) is an interesting one, yes |
Interesting excerpt here:
TBH I actually think this is a reasonable scenario to care about - crash information, etc, is often moved to other systems that may not be as hardened, and the attacker could not have just ptrace'd the process etc. Here it led to a major breach. I also wonder, if not mlock, memfd_secret[0] could be a really interesting option. This addresses some aspects of the weaknesses with mlock given a threat model where the attacker position is on the same system as the process holding onto a secret. FWIW I think ptrace restrictions are increasingly common, as are basic proc acls, but ultimately the "we shipped secrets from a crash dump" issue is probably the more compelling case. [0] https://www.man7.org/linux/man-pages//man2/memfd_secret.2.html |
@insanitybit I can't speak to Windows specifically, but on Linux for cases where you want to prevent secrets from being swapped or included in crash dumps it would be better to use Also, we're well aware of I still think it might be interesting to include pluggable/configurable secret storage mechanisms using e.g. a generic parameter with a default strategy of zeroization, but I don't think it makes sense to make the default strategy one which swaddles secrets in a blanket of large amounts of unsafe code. |
Wouldn't mlockall prevent crashdumps entirely, though? I assume crashdumps are still something that people want, they just want them to not include secret information. AFAIK memfd_secret isn't for protecting a whole process, but I could be wrong there. I like the pluggable idea. I wonder if an Allocator-like trait would work well. |
Any update on this? |
If there were updates, they would be in this issue |
Sadly it seems
One thing I've been experimenting with is storing the KEK in an ephemeral TPM space (https://github.com/wiktor-k/tpm-box). This way not only it's not part of the memory space but additionally rebooting the computer erases it irreversibly. Of course it's not a silver-bullet (an attacker with online access to the process memory may retrieve a KEK handle and use it to decrypt data) and it's rather heavy-weight but it may be a good fit in some scenarios. |
There is a rust crate https://github.com/darfink/region-rs that acts as a safe cross-platform wrapper for
mlock
.Would you accept a PR to add optional
mlock
support forSecretVec
andSecretString
?The text was updated successfully, but these errors were encountered: