Re: [patch 0/5] Support for sanitization flag in low-level pageallocator

From: Alan Cox
Date: Fri May 22 2009 - 09:37:02 EST

Next message: Oliver Neukum: "Re: How to tell whether a struct file is held by a process?"
Previous message: Jonathan Cameron: "Re: [RFC] Add Input IOCTL for accelerometer devices"
In reply to: Larry H.: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Next in thread: Larry H.: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Definitely, but there's no need for this at all. If you want to target
> certain sensitive data, just grep the variable names in the
> world-readable System.map of your distribution of choice.

A lot of dynamic data will not be findable by System.map but its
certainly findable if you've got a "look mummy this one is stamped
confidential" flag then it becomes easy to find.

> > Obvious candidates would be AGPGart, DRI buffers, DMA lowmem buffering,
> > pad buffers - I dont think they clear all cases and in some cases
> > (notably DRI) there is data that is potentially "secret" stored in the
> > video RAM.
>
> Overkill. Again, you really don't need to scan memory for anything. Much
> less video memory. If you already have CAP_SYS_RAWIO, you have more
> reliable and easier techniques to intercept information.

If you are working to clear memory then your model is totally flawed
because a lot of memory you might want to handle this way is never
deallocated.

> > You can also extract bits of data post clear out of fascinating corners
> > like the debug interfaces to FIFOs on I/O controllers. There are also a
> > large category of buffers that don't get freed/reallocated notably ring
> > buffers for networking, and tty ring buffers which are mostly not freed
> > for the lifetime of the device (ie forever). Cleaning all RAM as an
> > option on S2D and shutdown would be the only real way you'd fix that.
>
> One of the patches takes care of tty buffer management to adopt the new
> flag. The only real way to solve the lengthy list of security risks
> coming along suspend-to-disk approaches is to simply disable
> suspend-to-disk altogether.

Which is a rather peculiar viewpoint you hold that I would disagree with
entirely.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Oliver Neukum: "Re: How to tell whether a struct file is held by a process?"
Previous message: Jonathan Cameron: "Re: [RFC] Add Input IOCTL for accelerometer devices"
In reply to: Larry H.: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Next in thread: Larry H.: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]