cleartext SSH, Truecrypt, etc passwords in memory

Sherri Davidoff alien at MIT.EDU
Sat Jul 26 19:40:23 EDT 2008


Peter Gutmann wrote:
> So was this a case of "recover data from an active app's memory image"
> (not surprising) or "recover data after the app has exited"
> (surprising, at least for the crypto apps)?

For this paper, I specifically examined the case where memory was dumped
while the applications were still active. The snapshots were taken up to
45 minutes after the passwords were entered. (See Appendix A for the
full testing procedure.)  Given that users keep applications such as
SSH, Truecrypt, email, etc. open for a significant percentage of time
that they use their systems, I do think it's important for applications
to zero sensitive data immediately after it is used rather than waiting
until the process is closed. Also, as you point out, there were
passwords such as SSH and root which were retained outside of the
application's memory.

I also did some preliminary experiments to test whether passwords
remained in memory after the applications were closed. However, I
decided to wait until the Princeton/EFF/Wind River folks released their
memory dumper code before analyzing this in detail. As described in the
paper, there are now annoying limitations on access to /dev/mem in
Linux, so I thought it would be best to approach this particular
question by getting a full memory image using cold boot techniques.

As a next step, it would be great to follow the same procedure, but
image all of memory after the applications have been closed. Using Jake
Appelbaum and co's newly released memory imaging tools would probably be
an easy way to get full memory dumps from any OS:

http://citp.princeton.edu/memory/code/

Based on your feedback, I've updated section 2 and the abstract to clarify:

http://philosecurity.org/pubs/davidoff-clearmem-linux.pdf

Thanks for your comments,

Sherri


-- 
http://philosecurity.org
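The two points in the message above, that a memory snapshot of a still-running application can be searched for a known password, and that the remedy is to zero the secret immediately after use rather than at process exit, are shown together in the following added example. It is not code from the paper or from the post; the names secure_zero, find_secret and use_password, the simulated heap and the sample password are this example's own assumptions.

```c
/* Added example, not code from the paper or the mailing-list post.
 * (1) find_secret is the kind of scan a memory-dump analysis does for a
 *     known password, byte-wise so it works on images containing NULs.
 * (2) secure_zero scrubs the secret as soon as it has been used, through
 *     a volatile pointer so the compiler cannot drop the stores as dead
 *     code (a plain memset() right before free() is routinely removed).
 * The heap array, the offset and the password are constructed inputs. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero `len` bytes of `p` with stores the optimizer may not elide. */
void secure_zero(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Return the first offset of `needle` inside the image `hay`, or -1. */
long find_secret(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > hay_len)
        return -1;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Simulated process heap standing in for the region a dump would capture. */
#define HEAP_SIZE 4096
static unsigned char heap[HEAP_SIZE];

/* Copy `pw` into the heap at `off`, "use" it (a checksum stands in for
 * the real work, e.g. key derivation), then either leave it behind, which
 * is the behaviour the paper measured, or scrub it at once. Returns the
 * checksum so callers can confirm the password was actually consumed. */
unsigned use_password(const char *pw, size_t off, int scrub_after_use)
{
    size_t n = strlen(pw);
    memcpy(heap + off, pw, n);

    unsigned sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = sum * 31u + heap[off + i];

    if (scrub_after_use)
        secure_zero(heap + off, n);   /* done with it: remove it now */
    return sum;
}

int main(void)
{
    const char *pw = "correct horse";   /* constructed sample password */

    memset(heap, 0, sizeof heap);
    use_password(pw, 100, 0);
    printf("no scrub: found at offset %ld\n", find_secret(heap, HEAP_SIZE, pw));

    memset(heap, 0, sizeof heap);
    use_password(pw, 100, 1);
    printf("scrubbed: found at offset %ld\n", find_secret(heap, HEAP_SIZE, pw));
    return 0;
}
```

Where the platform provides one, a library routine such as explicit_bzero() or memset_s() serves the same purpose as secure_zero and is preferable. Note the limit of the technique that the post itself raises: scrubbing only covers copies the application controls. Copies that the terminal driver, the kernel or swap retain are the "passwords retained outside of the application's memory" mentioned above and need to be addressed separately.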

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com