cleartext SSH, Truecrypt, etc passwords in memory

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Jul 26 17:44:13 EDT 2008


Sherri Davidoff <alien at MIT.EDU> writes:

> Hello all. During the past few months, I've been poking around Linux
> memory and consistently finding cleartext login, SSH, email, IM,
> Truecrypt and root passwords. I've just finished a paper which includes
> detailed location and context information for each password. Given the
> recent buzz about cold boot memory dumping, it seems the risk associated
> with cleartext passwords in memory has increased.

What the abstract doesn't make at all clear is that the process used
seems to have been (from section 2 of the paper):

Start application;
Enter password;
Take snapshot of running application's memory;

(although some passwords were apparently found in non-application-specific
memory, see section 3.7 of the paper).

In other words what's apparently being demonstrated for most of the apps
isn't an ability to recover keys still hanging around in memory at some
arbitrary later point but to recover keys from the active process memory
image.  The reason why I keep using "apparently" is that paragraphs 2 and
3 of section 2 don't make at all clear whether the application is still
active or not, although "after all programs had been launched process
memory was captured live" seems to imply it was a snapshot of a running
process.  Since many crypto applications zeroise keys after they've
been used, it seems a bit surprising that it'd be possibly to recover key
data after the app has exited, as the paper implies.

So was this a case of "recover data from an active app's memory image"
(not surprising) or "recover data after the app has exited" (surprising,
at least for the crypto apps)?

Peter.
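The distinction Peter draws above (password visible in a live snapshot of the running process, versus surviving after the application has zeroised its buffers) can be shown in a few lines of C. The code below is an added illustration written for this page; it is not from the paper, from Sherri's tooling, or from any of the applications examined. The "arena" standing in for process memory, the offsets, and the password "hunter2" are all constructed for the demonstration, and the third function shows the usual reason zeroisation fails in practice: the application clears the buffer it knows about, but a copy it did not track is still sitting in memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096

/* Zeroise without the compiler dropping the stores as "dead" (the usual
 * failure of a plain memset() on a buffer that is never read again).
 * Same intent as explicit_bzero()/memset_s(), written out for portability. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Search a captured region for a byte pattern, the way one greps a memory
 * dump for a known password.  Returns the first offset, or -1 if absent. */
long find_pattern(const unsigned char *region, size_t region_len,
                  const void *pat, size_t pat_len)
{
    size_t i;
    if (pat_len == 0 || pat_len > region_len)
        return -1;
    for (i = 0; i + pat_len <= region_len; i++)
        if (memcmp(region + i, pat, pat_len) == 0)
            return (long)i;
    return -1;
}

/* Stand-in for a running process's heap: a fixed arena that the "snapshot"
 * reads in full.  Hypothetical offsets, chosen only for the demonstration. */
static unsigned char arena[ARENA_SIZE];
#define INPUT_OFF  512   /* where the login routine reads the password    */
#define COPY_OFF  2048   /* a second copy made by, say, a helper routine  */

/* Case 1: snapshot taken while the password is still in use -> found. */
int visible_while_active(const char *pw)
{
    memset(arena, 0xAA, sizeof arena);            /* unrelated data */
    strcpy((char *)arena + INPUT_OFF, pw);        /* password enters memory */
    return find_pattern(arena, sizeof arena, pw, strlen(pw)) >= 0;
}

/* Case 2: the app zeroises its buffer after use -> not found. */
int visible_after_zeroise(const char *pw)
{
    char *buf = (char *)arena + INPUT_OFF;
    memset(arena, 0xAA, sizeof arena);
    strcpy(buf, pw);
    secure_zero(buf, strlen(pw) + 1);             /* done with it */
    return find_pattern(arena, sizeof arena, pw, strlen(pw)) >= 0;
}

/* Case 3: the app zeroises the buffer it knows about, but a helper kept
 * its own copy -> still found.  This is the kind of leftover a dump shows. */
int visible_with_stray_copy(const char *pw)
{
    char *buf  = (char *)arena + INPUT_OFF;
    char *copy = (char *)arena + COPY_OFF;
    memset(arena, 0xAA, sizeof arena);
    strcpy(buf, pw);
    strcpy(copy, buf);                            /* e.g. handed to a library */
    secure_zero(buf, strlen(pw) + 1);             /* only the original cleared */
    return find_pattern(arena, sizeof arena, pw, strlen(pw)) >= 0;
}

int main(void)
{
    const char *pw = "hunter2";                   /* constructed sample */
    printf("live snapshot, password in use : %s\n",
           visible_while_active(pw) ? "FOUND" : "not found");
    printf("after secure_zero()            : %s\n",
           visible_after_zeroise(pw) ? "FOUND" : "not found");
    printf("zeroised, but stray copy left  : %s\n",
           visible_with_stray_copy(pw) ? "FOUND" : "not found");
    return 0;
}
```

The volatile-pointer loop matters: with `-O2`, a trailing `memset(buf, 0, n)` on a buffer that is never read again is routinely removed by dead-store elimination, so the "zeroised" buffer is exactly as recoverable as in case 1. Case 3 is the one to check for when auditing an application: every `strdup`, realloc, or library call that takes the password by value leaves another copy that the application's own cleanup never touches.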

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com