Use of custom memory allocators

Werner Koch wk at gnupg.org
Fri Dec 5 11:07:12 CET 2008


On Fri,  5 Dec 2008 08:50, nmav at gnutls.org said:

> Also if you disagree with my evaluation that common applications do not
> require a secure memory, the same argument applies. A reasonable default
> with secure memory initialized should be available.

There are good defaults available.  With recent Linux versions there is
no more need to setuid the application to gain access to mlock.  Thus
you get mlock-able memory for free.  Just make sure to initialize
Libgcrypt properly!  Proper initialization is required anyway.

> zeroed before being given to an application. Thus the threat-model for
> having a special memory marked as "secure" is not quite clear for me and
> this is the reason it was always by default off in gnutls.

The threat model is that keys are swapped to disk.  You may mitigate
that by using an encrypted swap space - but how many installations do
that?  Even OpenBSD does not use encrypted swap by default.  Thus
mlock-ed memory is the best solution we have.

You don't think that is an issue for servers?  I tend to agree for SSL
keys, however a lot of security policies require zeroization of keys as
early as possible.

Also, the majority of applications using GnuTLS are client applications
and there you really want to keep your keys safe: User Certificates and keys
used by the application not related to gnutls.  For example gnupg uses
gnutls and has a need to keep its keys safe (granted, gnupg uses an
external process to access ldaps and https but other apps might not want
to go into that trouble).

> The additional security offered by it might not be worth the inconvenience
> offered by it - limited secure memory that will cause the application to
> fail in cases where it was exceeded.

You see a problem in the limited amount of secure memory when used with
servers?  That is a different problem we can solve.  However you need to
initialize Libgcrypt properly: In the server case with disabled secure
memory and let the server application do the libgcrypt initialization
and not gnutls.  As it stands now, gnutls just overrides good defaults.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
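
The mechanism discussed in this message (memory pinned with mlock so keys cannot reach swap, then zeroized before release), as an added example that is not part of the original message and is not Libgcrypt's code. It assumes Linux/POSIX; the `secbuf_*` names are hypothetical and the key string is constructed sample data.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS on glibc */
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type for this example: one region for key material. */
struct secbuf {
    unsigned char *p;   /* page-aligned mapping, NULL on failure */
    size_t len;         /* length rounded up to whole pages */
    int locked;         /* 1 if mlock() succeeded, 0 if pages may be swapped */
};

/* Map anonymous pages and try to pin them in RAM. An unprivileged process may
   lock up to RLIMIT_MEMLOCK bytes; beyond that mlock() fails, which is
   reported in .locked instead of being silently ignored. */
struct secbuf secbuf_alloc(size_t want) {
    struct secbuf b = { NULL, 0, 0 };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (want + page - 1) / page * page;
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return b;
    b.p = m; b.len = len;
    b.locked = (mlock(m, len) == 0);
    return b;
}

/* Zeroize through a volatile pointer so the stores are not optimized away. */
void secbuf_wipe(struct secbuf *b) {
    volatile unsigned char *v = b->p;
    for (size_t i = 0; v && i < b->len; i++)
        v[i] = 0;
}

/* Wipe first, then unlock and unmap, so no key bytes outlive the buffer. */
void secbuf_free(struct secbuf *b) {
    if (!b->p) return;
    secbuf_wipe(b);
    if (b->locked) munlock(b->p, b->len);
    munmap(b->p, b->len);
    b->p = NULL;
}

int main(void) {
    struct secbuf k = secbuf_alloc(32);
    if (!k.p) return 1;
    memcpy(k.p, "constructed-sample-key-material", 32);  /* not a real key */
    secbuf_free(&k);
    return 0;
}
```

A caller that requires unswappable storage should treat `locked == 0` as a failure rather than continue with ordinary memory.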



