Prosecution based on memory forensics

Nils Faerber nils.faerber at kernelconcepts.de
Thu Jan 13 11:50:20 CET 2011


On 13.01.2011 11:39, Werner Koch wrote:
> On Thu, 13 Jan 2011 05:29, dshaw at jabberwocky.com said:
> 
>> So GnuPG can't do this alone, but there are ways to configure GnuPG alongside other packages and/or the OS to be safe(r) here.  For example, if you can arrange to run some commands as you are hibernating, you could get gpg-agent to dump its passphrase, etc.
> 
> Things would be easier to handle if the OS would send a special signal
> to all processes before hibernating.  However there are all kind of
> timing and priority problems with that.  Thus the only working solution
> is to list all running gpg-agents in /etc/rc.suspend and send them a
> SIGHUP.  Unfortunately SIGHUP also re-reads the config files and that
> may take up additional time and access the hard disk again.  Another
> signal would be better but I fear that there is no other standard signal
> available.  SIGUSR1 is used to dump internal information for debugging
> and SIGUSR2 is used for internal purposes.
> 
> gpg-connect-agent could be used to clear the caches; however that is
> also a heavy command as it requires some IPC which might be subject to
> blocking and timeouts.
> 
> Regarding the cached passphrases: 2.1 keeps all cached data encrypted -
> but as usual the encryption key is stored in RAM as well.  If the
> hardware would provide a small memory area which gets cleared when
> entering hibernation mode, the cached data would automagically be safe.

Well... I am not a security/crypto hacker but a kernel hacker. And from
a kernel hacker's perspective this could be easy to solve!

I could write a very simple driver which provides a mmap()able memory
area which the application can use, protected by the kernel, and which
will be automatically cleared upon suspend.
Would that solve the problem?
How much memory are we talking about here? Bytes? Kbytes? Or Mbytes?

This would of course not be portable, i.e. it would only work in Linux.

> Shalom-Salam,
>    Werner
Cheers
  nils

-- 
kernel concepts GbR        Tel: +49-271-771091-12
Sieghuetter Hauptweg 48
D-57072 Siegen             Mob: +49-176-21024535
http://www.kernelconcepts.de
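Added example (not GnuPG code and not the driver Nils proposes): the userspace half of the arrangement the thread describes. The secrets live in one dedicated anonymous mapping that is mlock()ed (no swap) and marked MADV_DONTDUMP (no core dumps), and the only thing the suspend-time signal handler does is a byte-wise volatile wipe of that region, so it is async-signal-safe and cannot be optimised away, with none of the config re-read or IPC that Werner notes makes SIGHUP and gpg-connect-agent heavy. The signal number (SIGHUP, as in the /etc/rc.suspend approach quoted above), the `secret_arena` name and the sample passphrase are assumptions made for the example. A kernel driver along the lines Nils sketches would replace the signal with a page the kernel zeroes on the suspend path itself; the application side (a base/length region that is wiped as a unit) would stay the same.

```c
/* secret_arena.c: userspace side of "wipe the passphrase cache on suspend".
 * Added example, not GnuPG or kernel-concepts code. Linux/glibc.
 * Build: cc -Wall -o secret_arena secret_arena.c && ./secret_arena
 */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One page-aligned region that holds cached secrets and nothing else. */
struct secret_arena {
    volatile uint8_t *base;   /* volatile: wipe stores cannot be elided */
    size_t len;               /* rounded up to whole pages */
    int locked;               /* 1 if mlock() succeeded */
};

static struct secret_arena g_arena;   /* signal handler needs a fixed address */

int arena_create(struct secret_arena *a, size_t want)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (want + pg - 1) / pg * pg;
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    a->base = m;
    a->len = len;
    /* Keep the pages out of swap; failure (RLIMIT_MEMLOCK) is recorded, not fatal. */
    a->locked = (mlock(m, len) == 0);
#ifdef MADV_DONTDUMP
    madvise(m, len, MADV_DONTDUMP);   /* and out of core dumps */
#endif
    return 0;
}

/* Byte-wise stores through the volatile pointer: async-signal-safe, not elidable. */
void arena_wipe(struct secret_arena *a)
{
    if (!a->base)
        return;
    for (size_t i = 0; i < a->len; i++)
        a->base[i] = 0;
}

int arena_store(struct secret_arena *a, const void *src, size_t n)
{
    const uint8_t *s = src;
    if (!a->base || n > a->len)
        return -1;
    for (size_t i = 0; i < n; i++)
        a->base[i] = s[i];
    return 0;
}

int arena_is_clear(const struct secret_arena *a)
{
    for (size_t i = 0; i < a->len; i++)
        if (a->base[i] != 0)
            return 0;
    return 1;
}

void arena_destroy(struct secret_arena *a)
{
    if (!a->base)
        return;
    arena_wipe(a);
    munmap((void *)a->base, a->len);
    a->base = NULL;
    a->len = 0;
    a->locked = 0;
}

/* What a suspend hook (e.g. /etc/rc.suspend sending SIGHUP) triggers.
 * Nothing but the wipe: no I/O, no config re-read, no IPC. */
static void on_suspend_signal(int sig)
{
    (void)sig;
    arena_wipe(&g_arena);
}

int install_suspend_hook(int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_suspend_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signo, &sa, NULL);
}

/* Returns 1 if the (constructed) passphrase was present before the signal
 * and gone after it, 0 otherwise. */
int demo_suspend_wipe(int signo)
{
    static const char pass[] = "correct horse battery staple";  /* constructed sample */
    if (arena_create(&g_arena, sizeof pass) != 0)
        return 0;
    if (install_suspend_hook(signo) != 0) {
        arena_destroy(&g_arena);
        return 0;
    }
    arena_store(&g_arena, pass, sizeof pass);
    int before = !arena_is_clear(&g_arena);
    raise(signo);                      /* stands in for kill(1) from the suspend script */
    int after = arena_is_clear(&g_arena);
    arena_destroy(&g_arena);
    return before && after;
}

int main(void)
{
    int ok = demo_suspend_wipe(SIGHUP);
    printf("wipe-on-signal %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind. mlock() only keeps the pages out of swap; a hibernation image is a snapshot of all of RAM, so the wipe has to actually run before the image is written, which is exactly the timing problem Werner describes. And the wipe only covers the arena: any copy of the secret that leaked into ordinary heap or stack memory (a temporary buffer, a libc I/O buffer) is still in the image.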
