cleartext SSH, Truecrypt, etc passwords in memory
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Jul 27 14:59:57 EDT 2008

Sherri Davidoff <alien at MIT.EDU> writes:
> For this paper, I specifically examined the case where memory was dumped
> while the applications were still active. The snapshots were taken up to
> 45 minutes after the passwords were entered. (See Appendix A for the
> full testing procedure.) Given that users keep applications such as
> SSH, Truecrypt, email, etc. open for a significant percentage of time
> that they use their systems, I do think it's important for applications
> to zero sensitive data immediately after it is used rather than waiting
> until the process is closed.

I think it'd be good to distinguish between cases where keeping
cryptovariables around is a bug and where it's by design. For example SSL
caches the shared secret information for later use in session resumption
so finding a copy of that in memory while an SSL client or server is
running isn't a bug. Finding it after it's exited is. Even then though,
some apps include daemons that cache credentials and whatnot for ongoing
use by the app (e.g. the assorted 'xyz-agent' helpers for things like
various SSH clients or GPG) so finding the information in memory when the
app has exited but the caching daemon hasn't isn't necessarily a bug.

> As a next step, it would be great to follow the same procedure, but
> image all of memory after the applications have been closed.

That'd be the interesting one, because keys left lying around in memory
afterwards is definitely a sign of a problem (but be careful about the
caching issue mentioned above).

Peter.
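
The distinction discussed in this thread, as an added example that is not part of the original message or of any application named in it: a password is zeroed immediately after use, a derived secret is kept in memory by design until the session is closed, and a dump-style scan checks a constructed memory image at each stage. All names (`secure_zero`, `session_open`, `session_close`, `hits`, `run_audit`) and the toy derivation are assumptions made for illustration.

```c
#include <string.h>

/* Wipe through a volatile pointer so the stores are not dropped as dead code. */
static void secure_zero(void *p, size_t n) {
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}
/* Hypothetical session: the derived secret is cached by design until close. */
struct session { unsigned char secret[32]; };
/* Use the password, then zero it at once instead of waiting for process exit. */
static int session_open(struct session *s, char *pw, size_t len) {
    if (len == 0) return -1;
    for (size_t i = 0; i < sizeof s->secret; i++)   /* toy mixing, NOT a real KDF */
        s->secret[i] = (unsigned char)(pw[i % len] ^ (0xA5 + i));
    secure_zero(pw, len);
    return 0;
}
/* End of the secret's intended lifetime; a copy found after this is a bug. */
static void session_close(struct session *s) { secure_zero(s->secret, sizeof s->secret); }

/* Count occurrences of a known secret in a memory image, as a dump search would. */
static size_t hits(const void *mem, size_t n, const void *needle, size_t m) {
    size_t c = 0;
    for (size_t i = 0; m && i + m <= n; i++)
        c += memcmp((const unsigned char *)mem + i, needle, m) == 0;
    return c;
}

struct audit { size_t pw_before, pw_open, key_open, key_closed; };
/* Scan a constructed "process image" at each stage of the session lifetime. */
static struct audit run_audit(void) {
    static const char sample[] = "constructed-passphrase";  /* constructed input */
    struct { char pw[32]; struct session s; } img;
    unsigned char key[32];
    size_t len = sizeof sample - 1;
    struct audit a;
    memset(&img, 0, sizeof img);
    memcpy(img.pw, sample, len);
    a.pw_before = hits(&img, sizeof img, sample, len);
    session_open(&img.s, img.pw, len);
    memcpy(key, img.s.secret, sizeof key);      /* reference copy for the scan */
    a.pw_open = hits(&img, sizeof img, sample, len);
    a.key_open = hits(&img, sizeof img, key, sizeof key);
    session_close(&img.s);
    a.key_closed = hits(&img, sizeof img, key, sizeof key);
    return a;
}

int main(void) {   /* exit status 0 only if nothing outlives its intended lifetime */
    struct audit a = run_audit();
    return (a.pw_open || a.key_closed) ? 1 : 0;
}
```

A hit for the cached secret while the session is open is the by-design case; a hit for the password at that point, or for the secret after close, is the residue worth reporting. Where the platform provides one, a library wipe such as `explicit_bzero` or `memset_s` can take the place of `secure_zero`.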