Is it wise to explicitly clear/zero sensitive variables after use?
I have noticed some programs explicitly zero sensitive memory allocations after use. For example, OpenSSL has a method to clear the memory occupied by an RSA key:
"Frees the RSA structure rsa. This function should always be used to free the RSA structure as it also frees sub-fields safely by clearing memory first."
Where any (C/C++) program contains sensitive variables like this, should you explicitly zero the memory, as above? (Or, is zero'ing memory an act of paranoia or just a safeguard)?
Also, when a program finishes, any allocated memory is eventually allocated to another program. On a Linux system, is the memory cleaned or sanitised before being allocated to another program? Or, can the second program read some of the old memory contents of the first program?
Comments (4)
Yes, on any respectable desktop OS, memory is sanitised when passed from a process to another. The cleaning step that you have observed is to protect from other attacks, from code executing in the same address space or obtaining privileges allowing it to read memory from the target process's memory space.
It's a very sensible safeguard to erase this sensitive data as soon as you don't need it any more.
When programs/libraries like GPG and OpenSSL with sensitive cryptographic data explicitly zero memory, it has nothing to do with a fear that the memory will be "reassigned" to other programs which could read the data. This is fundamentally impossible due to the way multiprocess/multiuser operating systems work.
The reasons for zeroing data are twofold:
1. If the code is a library, you want to protect against careless information leakage by the calling program. Even though the memory that contained sensitive information cannot be reassigned to another process, freed memory can and will be reused in the same process as long as it's still running the same program image (i.e. as long as it hasn't called exec*). A buggy program might call malloc then write the buffer to disk without first filling the whole allocated object, in which case, old potentially-sensitive information could be leaked to disk. Issues of this kind exist in major real-world products like Microsoft Office (though they may have been fixed by now).
2. Even if the code is not a library but a stand-alone program, you may want to zero sensitive data in memory before freeing it for paranoia purposes. If the feds bust down your door and haul away your computer, they can subsequently examine whatever happened to be on the swap partitions. If they're careful in removing it they might even be able to examine ram contents. If you're paranoid about physical attacks, you want to ensure that passphrases, etc. do not exist anywhere in ram or on disk after they're used. Many cryptographic programs even want to have root access so they can mlockall their memory to prevent anything from getting swapped to disk (though in my view this is stupid - trading a serious risk of root compromise due to bugs in the software for paranoia about physical attack).
If you are not worried about physical attacks, or if you're sufficiently in touch with reality to realize that physical attackers probably have better ways of getting your passphrase than swap partition forensics, then reason #2 is probably mostly bogus, but most software addresses it anyway just to keep the nutcases happy. :-)
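The same-process reuse described in the answer above, as an added example that is not part of the original answer: a library leaves a passphrase in a released block, and a caller that saves a partly initialised block writes the stale bytes out unless the block was wiped first. The one-block pool stands in for malloc/free so that reuse is deterministic, and the names pool_alloc, pool_free, secure_wipe, use_secret and buggy_save_leaks are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define BLOCK   64
#define HDR_LEN 3
/* One-block pool standing in for malloc/free (assumption of this example),
 * so that reuse of a released block inside the same process is deterministic. */
static unsigned char pool[BLOCK];
static int in_use;
static void *pool_alloc(void) { if (in_use) return NULL; in_use = 1; return pool; }
static void pool_free(void *p) { if (p == (void *)pool) in_use = 0; }

/* Zero through a volatile pointer so the compiler cannot drop the stores as
 * dead writes before the release; explicit_bzero() does this where available. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Library side: holds a passphrase in a block, optionally wipes, releases. */
static void use_secret(const char *secret, int wipe) {
    char *buf = pool_alloc();
    if (!buf) return;
    strncpy(buf, secret, BLOCK - 1);
    buf[BLOCK - 1] = '\0';
    if (wipe) secure_wipe(buf, BLOCK);
    pool_free(buf);
}

/* Buggy caller: initialises HDR_LEN bytes but saves the whole block.
 * Returns 1 if the saved record still carries the tail of `secret`. */
static int buggy_save_leaks(const char *secret) {
    unsigned char out[BLOCK];               /* stands in for the file on disk */
    size_t n = strlen(secret);
    char *rec = pool_alloc();
    if (!rec || n <= HDR_LEN) { pool_free(rec); return 0; }
    memcpy(rec, "HDR", HDR_LEN);
    memcpy(out, rec, BLOCK);                /* like fwrite(rec, 1, BLOCK, f) */
    pool_free(rec);
    n -= HDR_LEN;                           /* header overwrote the first bytes */
    for (size_t i = 0; i + n <= BLOCK; i++)
        if (memcmp(out + i, secret + HDR_LEN, n) == 0) return 1;
    return 0;
}
int main(void) {
    const char *pw = "hunter2-passphrase";  /* constructed sample value */
    use_secret(pw, 0); printf("no wipe:   leaked=%d\n", buggy_save_leaks(pw));
    use_secret(pw, 1); printf("with wipe: leaked=%d\n", buggy_save_leaks(pw));
    return 0;
}
```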
From a security standpoint, your memory might contain data that you would not like to linger around. If the process crashes, the core file will have the complete dump of the memory. It is possible to dig into those core files and mine data. For a support call, if you have to send that core file, you would feel safer if the memory is sanitized after use. When I worked on VMS, some sensitive customers would refrain from even giving us the dump files (making this extremely difficult to debug).
It depends, the details are found in the mmap man page:
Zeroing the memory before returning it to the OS is iffy at best, what happens if your process was killed by a signal before it had a chance to do so? Configure the kernel to perform the sanitization for you.