Hi!
I'm working on Tails (
https://tails.boum.org/).
Our threat model includes "someone breaks the door and you have 15
seconds to make your current Tails activity disappear". We assume that
this "someone" may be prepared to try and recover the memory of this
Tails system, e.g. via a cold boot attack.
I'm describing at the bottom of this email our current protection
against this scenario ("Current Tails implementation" section), in
case you're interested in more background; but for now I'll jump
directly to the questions I have for you.
We're considering dropping our current implementation, and relying on
PAX_MEMORY_SANITIZE instead; I know that PAX_MEMORY_SANITIZE was not
designed for this use case, but who knows: it might be good enough :)
I understand that the result won't achieve perfect protection, but our
current implementation doesn't either. I'd like to see numbers, but
it's hard for me to compare experimentally both approaches: our QA
about this relies on filling memory with a known pattern from
userspace, which works fine to measure the efficiency of our current
implementation, but of course PAX_MEMORY_SANITIZE will erase this
known pattern from memory… So for now I'll stick to the theoretical
level, and experimental measurements will come later.
If I got it right, with PAX_MEMORY_SANITIZE enabled, then:
* during the lifetime of a system, any memory allocated to
a userspace program that terminates is erased;
* during the lifetime of a system, any kernel memory that's
explicitly freed, e.g. with kfree(), is erased;
* on system shutdown, all processes are killed, and thus their memory
is erased.
So, what remains after system shutdown boils down to:
* kernel memory allocated and then freed, during the lifetime of the
system, through means that are not covered by PAX_MEMORY_SANITIZE:
is there any such thing? I'm interested in a (possibly incomplete)
list of these memory areas or allocation methods.
* kernel memory, that was still in use during shutdown, and that the
kernel does not explicitly free: again, is there any such thing?
* anything else?
I'm not a low-level person myself, so I'm happy to stand corrected,
and I'll probably need help from my team-mates (Cc'ed) to analyze your
answers :)
Current Tails implementation
============================
Our current protection against this scenario is: when I unplug my
Tails USB stick, an emergency shutdown procedure is triggered, that
kexec's another kernel with some special command line parameter, and
then the initramfs erases all the memory that's available from
userspace. This ensures that even the memory that was kept in use by
the previous kernel (e.g. data in tmpfs) is overwritten at least once:
either by the new kernel re-using the same memory, or by the userspace
memory wipe process. Of course, some memory will still remain
unmodified, e.g. whatever data the kernel may have put aside out of
userspace's reach, without overwriting it. E.g. in our tests, a few
dozens of MiB are not erased by this process on a machine with 8 GiB
of RAM. Implementation details are documented there:
https://tails.boum.org/contribute/design/memory_erasure/
Cheers,
--
intrigeri