[Cryptography] Secure erasure

Ralf Senderek crypto at senderek.ie
Mon Sep 12 01:22:43 EDT 2016


On Sun, 11 Sep 2016, Ray Dillinger wrote:

> On 09/11/2016 03:00 AM, Ralf Senderek wrote:
>> Agreed.

> Agreed?!  What the hell was Heartbleed, if not an attack
> on memory that ought to've been secure-erased?  No.  NOT
> agreed!  These are attacks we're dealing with in the field
> right now, and we need ways to defend against them!
>
> Sure, it got accessed through a buffer hack that invoked
> undefined behavior and ought to've also been defended against.
>
> But defense in depth means that not only should the buffer
> hack not work, but also that even if the buffer hack does
> work there should be nothing for it to take.
>
> 			Bear

Ray, I usually love your postings, but not this one, as you're
quoting totally out of context.

I agreed to Jerry's assumption that on ordinary (general-purpose)
OSes there are (and will be in the future) so many easy attacks
that it would be impossible to turn them (all) into a secure
system.

I agreed to voice my opposition to the conclusion that, because
of this, no-one is interested in (or will pay for) advanced
security measures, those you have in mind.

I did this to promote the idea of *separation* as a way forward
to achieve a (combined system: insecure user OS - more secure PSS)
level of security that cannot be achieved without a separate
device. This was the context.

If I remember correctly, Heartbleed was such a critical thing
because of (at least) two facts:

a) Secrets that are deliberately stored in memory, like web server
    private RSA keys, could easily have been exfiltrated; nobody
    knew if and when

and

b) the attack was possible for anyone sending a crafted packet to
    the server.

The way I propose the personal security server (PSS), b) would not be
an issue, because in order to send anything to the server you'd
need at least two different secrets. So separation would work
here.

Long-term secrets in memory are something that (IMHO) should not
be allowed on the devices I and Jerry had in mind; that's why
I introduced the daemon process that can access such secrets
only during a tiny time frame and sends them directly to the PSS
if it also has access to the secure tunnel secrets that are
stored encrypted in the file system.

But when it has to "secure erase" this secret in memory, trouble
starts, because, as many on this list have pointed out, your
secret might have gone anywhere and your code cannot control
(or prevent) this proliferation. But the separation would work
here too, because the database holding message encryption keys
is stored on the PSS, not on the user's device.

Isn't it strange that nobody addresses the idea of separation
but argues to secure the one machine that is used for everything?
It might not be possible to secure the user's device but securing
the PSS can be less impossible.

So please folks, context, context and again context.

      --ralf
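The short-lived daemon access and the in-memory wipe described in the post above, as an added C example that is not from the thread or from any PSS code: the secret is copied into a locked working buffer, handed to a constructed stand-in `send_to_pss`, and then both copies are wiped through a volatile pointer so the compiler cannot discard the stores. All function names, the XOR-checksum delivery stub and the 32-byte secret are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#define SECRET_LEN 32

/* Wipe through a volatile pointer so the compiler cannot drop the
   stores as dead when the buffer is never read again afterwards. */
static void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Stand-in for "send it to the PSS over the tunnel" (constructed):
   records an XOR checksum so a test can confirm delivery happened. */
static unsigned char last_sent_checksum;
static void send_to_pss(const unsigned char *s, size_t n) {
    unsigned char c = 0;
    for (size_t i = 0; i < n; i++) c ^= s[i];
    last_sent_checksum = c;
}

/* The daemon's short-lived access: copy the secret into a locked local
   buffer, deliver it, wipe both copies, and report whether the wipe
   actually took. Every extra copy is one more place it can leak from. */
int handle_secret_once(unsigned char *secret, size_t n) {
    unsigned char buf[SECRET_LEN];
    if (n > sizeof buf) return 0;
    /* Keep the working copy out of swap when RLIMIT_MEMLOCK allows it. */
    int locked = (mlock(buf, sizeof buf) == 0);
    memcpy(buf, secret, n);
    send_to_pss(buf, n);
    secure_memzero(buf, sizeof buf);
    secure_memzero(secret, n);
    if (locked) munlock(buf, sizeof buf);
    return all_zero(buf, sizeof buf) && all_zero(secret, n);
}

/* Lifecycle on a constructed secret (bytes 1..32); 1 when delivered and wiped. */
int demo(void) {
    unsigned char s[SECRET_LEN];
    for (size_t i = 0; i < SECRET_LEN; i++) s[i] = (unsigned char)(i + 1);
    return handle_secret_once(s, SECRET_LEN) && last_sent_checksum == 32;
}
```

The wipe only covers the two buffers this code owns; copies made by the kernel, the allocator or the tunnel library are exactly the proliferation the post says the daemon cannot control.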

