Warning messages.
Rich Derr
rhd-gpg@webdesigngroup.com
Sat, 26 Jun 1999 09:48:39 -0500
#define PARANOID
On Sat, Jun 26, 1999 at 12:21:44AM +0200, Michael Roth wrote:
> When you think about you will note that everyone who is able to get access
> with privileges to read out the paging area of the disk is also able to
> manipulate the system in all possible ways including substituting the gpg
> binary with a manipulated one.
Think outside the box. An attacker can walk into your server
room and walk out with your box without breaking root. I can
encrypt my filesystems so that I need to enter a key from the
console to boot. I can't encrypt my swap.
(I wonder if there's a Linux or BSD patch to do that? You
"just" need to figure out how to find some entropy at system boot-
time, then keep your key in the kernel's data space. The swap
contents are worthless anyway if you lose the running system, so
the key need never go near permanent storage.)
One effect of mlock() is to protect, in software, against a
physical deficiency in security. I don't think there's an
instrument that can read SDRAM chips through the ceramic
housing, or at least not a portable unit, so RAM is one of damn
few things we can consider tamper-proof.
> In my view (and many others) there is absolutely no security improvement by
> protecting memory pages from writing them to disk. As noted by someone
> else you can switch off the warning message with --no-secmem-warning.
Let's say you use gpg today and I mount a big DoS attack on your
system that gets the critical page swapped out for just a second.
You get the correct results, but even so you notice the attack and
never fully trust the system again. But it's a system you can't
take down for whatever reason. Next month I get a hold of a root
exploit for your system just before you patch it. I sneak in,
take a snapshot of your swap space (and of course your files),
cover my tracks and get out, never to be seen again.
Yes, in (#ifdef PARANOID\n#define theory fact\n#endif) theory
any root compromise forever taints a system. The problem with not
locking in the private key is that it can be compromised after gpg
terminates so that a root compromise can go back in time.
I personally just turn off the warning for my everyday use, but
not when it's protecting something worth enough that there are
parties who *will* attempt to steal it. So I counter the view of
"absolutely" no improvement. I'm happy with the current state of
affairs, although I wish my preferred OS allowed non-root mlock()
with an rlimit on it (which could default to 0).
#ifndef PARANOID
I'm just nitpicking.
#else
The warning is there for a reason.
#endif
Off-topic (but with obvious relevance): Linux 2.0 is widely
reported as unstable without any swap space. Is it stable with a
1M ramdisk as the only swap?
--
Rich Derr, sysadmin Have ssh, Will Telecommute
Web Design Group www.webdesigngroup.com TEL: +1 312 951 6688
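As an added illustration, not code from the original thread or from gpg, here is the pattern the secmem warning is about, in C for a Linux/POSIX box: pin the key buffer in RAM with mlock() so it never reaches swap, and wipe it before releasing it so a later root compromise cannot "go back in time" by reading swap or a freed chunk. When mlock() is refused (the non-root case the author wishes an rlimit for), the buffer stays usable and the caller is told, which is exactly the situation the warning reports. The function names and the passphrase are hypothetical, constructed for this example.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Allocate a page-aligned, zeroed buffer and ask the kernel to pin it in
 * RAM with mlock() so it is never written to swap. *locked reports whether
 * the lock was granted: an unprivileged process may be refused (EPERM, or
 * ENOMEM once RLIMIT_MEMLOCK is exhausted); the buffer stays usable. */
void *secmem_alloc(size_t len, int *locked) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (page <= 0 || posix_memalign(&p, (size_t)page, len) != 0) return NULL;
    memset(p, 0, len);
    *locked = (mlock(p, len) == 0);
    return p;
}

/* Overwrite the secret before memory goes back to the allocator, so it does
 * not linger in a free chunk (or, if unlocked, in swap) after the process
 * exits. The volatile pointer keeps the compiler from dropping a "dead"
 * store. Returns the number of non-zero bytes left behind, which must be 0. */
size_t secmem_wipe(void *p, size_t len) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    size_t leftover = 0;
    for (size_t i = 0; i < len; i++) v[i] = 0;
    for (size_t i = 0; i < len; i++) leftover += (v[i] != 0);
    return leftover;
}

/* Wipe, unpin and release; returns the wipe's leftover count. */
size_t secmem_free(void *p, size_t len) {
    if (!p) return 0;
    size_t leftover = secmem_wipe(p, len);
    munlock(p, len);            /* harmless if the earlier mlock() failed */
    free(p);
    return leftover;
}

/* Full cycle on a constructed passphrase (sample value, not a real key).
 * Returns 0 on success, 1 if allocation failed, 2 if the wipe left data. */
int secmem_demo(void) {
    const char secret[] = "constructed-passphrase";
    int locked = 0;
    char *buf = secmem_alloc(4096, &locked);
    if (!buf) return 1;
    memcpy(buf, secret, sizeof secret);   /* the secret lives only in RAM */
    return secmem_free(buf, 4096) == 0 ? 0 : 2;
}
```

A real program would print a warning to the user whenever `locked` comes back 0, rather than silently continuing.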