Hi! I'm working on Tails (https://tails.boum.org/).
Our threat model includes "someone breaks the door and you have 15 seconds to make your current Tails activity disappear". We assume that this "someone" may be prepared to try and recover the memory of this Tails system, e.g. via a cold boot attack. I'm describing at the bottom of this email our current protection against this scenario ("Current Tails implementation" section), in case you're interested in more background; but for now I'll jump directly to the questions I have for you. We're considering dropping our current implementation, and relying on PAX_MEMORY_SANITIZE instead; I know that PAX_MEMORY_SANITIZE was not designed for this use case, but who knows: it might be good enough :) I understand that the result won't achieve perfect protection, but our current implementation doesn't either. I'd like to see numbers, but it's hard for me to compare experimentally both approaches: our QA about this relies on filling memory with a known pattern from userspace, which works fine to measure the efficiency of our current implementation, but of course PAX_MEMORY_SANITIZE will erase this known pattern from memory… So for now I'll stick to the theoretical level, and experimental measurements will come later. If I got it right, with PAX_MEMORY_SANITIZE enabled, then: * during the lifetime of a system, any memory allocated to a userspace program that terminates is erased; * during the lifetime of a system, any kernel memory that's explicitly freed, e.g. with kfree(), is erased; * on system shutdown, all processes are killed, and thus their memory is erased. So, what remains after system shutdown boils down to: * kernel memory allocated and then freed, during the lifetime of the system, through means that are not covered by PAX_MEMORY_SANITIZE: is there any such thing? I'm interested in a (possibly incomplete) list of these memory areas or allocation methods. * kernel memory, that was still in use during shutdown, and that the kernel does not explicitly free: again, is there any such thing? * anything else? I'm not a low-level person myself, so I'm happy to stand corrected, and I'll probably need help from my team-mates (Cc'ed) to analyze your answers :) Current Tails implementation ============================ Our current protection against this scenario is: when I unplug my Tails USB stick, an emergency shutdown procedure is triggered, that kexec's another kernel with some special command line parameter, and then the initramfs erases all the memory that's available from userspace. This ensures that even the memory that was kept in use by the previous kernel (e.g. data in tmpfs) is overwritten at least once: either by the new kernel re-using the same memory, or by the userspace memory wipe process. Of course, some memory will still remain unmodified, e.g. whatever data the kernel may have put aside out of userspace's reach, without overwriting it. E.g. in our tests, a few dozens of MiB are not erased by this process on a machine with 8 GiB of RAM. Implementation details are documented there: https://tails.boum.org/contribute/design/memory_erasure/ Cheers, -- intrigeri _______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.