summary Re: encrypted swap

summary Re: encrypted swap

[Ted Unangst]

basically, there are a few scenarios that have come up.

1. notebook is stolen.  presumably, if you have sensitive data, you would
know not to suspend and only power down completely after use.  so the
notebook can be stolen while the power is on, or while the power is off.
if the power is off, all is good, the data is safe.  if the power is on, i
don't think this was a random street thug who snatched your notebook.
(what were you doing working on sensitive data in a dark alley?)
presumably, you were there with it.  in that case, it was probably a
"directed" hit by someone after the data, and not just the notebook.
there's a good chance that *you* will also be taken if they want the data
that bad.  really, who leaves their notebook on and unattended?  esp. if
it contains super sensitive data.  and whether you know the swap passwork
or not, you will know the password for your email, and you're in for a
long night with some truth serum and a meat hook.  ;)

2. a server, or maybe a workstation.  if you are working with sensitive
data, but wouldn't notice the "plumber" sawing apart your computer to
extract ram chips, you're in bad shape.  a quick hit and run operation
wouldn't have time for all the fancy hacks and cpu swaps to get at the
swap password.  and again, there are *people* who know everything on that
disk.  and they will probably be eaiser to brute force than the hard
drive.

conclusion:  if your data is that valuable, you will need a small army to
protect it.  don't bother encrypting swap, because guns are a better means
of protection.  if your data is only semi-valuable, or private that you
wouldn't want random others to read it, then swap encryption is good.
it's a nice feature that some people might like to have.  does it solve
every problem? no.  but the people in the edge cases are most likely very
aware of the possibilities.

btw, i've used it, just for fun, and didn't notice too much performance
hit.

implementation paper:
http://www.openbsd.org/papers/swapencrypt.ps

ted




--
"I read a funny story about how the Republicans freed the slaves.
The Republicans are the ones who created slavery by law in the
1600's.  Abraham Lincoln freed the slaves and he was not a
Republican."
      - M. Barry, Mayor of Washington, DC

Re: summary Re: encrypted swap

[David Spreen]

On Tue, Aug 07, 2001 at 02:34:48PM -0700, Ted Unangst wrote:
> conclusion:  if your data is that valuable, you will need a small army to
> protect it.  don't bother encrypting swap, because guns are a better means
> of protection.  

NAK. Of course I have the united states army in front of my notebook
to protect my pronsite passwds. But see, the army makes my notebook 
an interesting target for data-thiefs, right? So I want encrypted swap
as an additional feature.
Okay stop kidding, of course crypted swap is no allround solution, but 
a step to harden your security issues. I don't want to make you using
it, but I can think of people who would want to including myself.

> if your data is only semi-valuable, or private that you
> wouldn't want random others to read it, then swap encryption is good.
> it's a nice feature that some people might like to have.  does it solve
> every problem? no.  but the people in the edge cases are most likely very
> aware of the possibilities.

ACK.

> implementation paper:
> http://www.openbsd.org/papers/swapencrypt.ps

Thank you, this was what I meant when I wrote of some BSD :).

Okay, so I got some ideas how to implement, the kernel-related
thing with an automatic generated key and the kerneli-issue.

I tried to get kerneli working with swap some time ago and it didn't work.
Has the behavour changed? In the crypto HOWTO linked on kerneli.org is 
still said that swap encryption doesn't work (but I don't know when the
last release was written).

so long & thanks for your suggestions...

David
-- 
  __          _              | David "netzwurm" Spreen      Kiel, Germany
 / _|___  ___| |__  __ _ _ _ | http://www.netzwurm.cc/      david@spreen.de
|  _/ _ \/ _ \ '_ \/ _` | '_|| gnupg key (on keyservers):   C8B6823A
|_| \___/\___/_.__/\__,_|_|  | CellPhone:                   +49 173 3874061

Re: summary Re: encrypted swap

[David Wagner]

You missed some scenarios.  Suppose I run a server that uses crypto.
If swap is unencrypted, all the session keys for the past year might
be laying around on swap.  If swap is encrypted, only the session keys
since the last boot are accessible, at most.  Therefore, using encrypted
swap clearly reduces the impact of a compromise of your machine (whether
through theft or through penetration).  This is a good property.

Re: summary Re: encrypted swap

[David Lang]

only if you can guarenty that there is no way to avoid wiping it even if
this is the 2nd (or 3rd) hard drive (and what about how swap drives that
get added to a system after boot)

also this had better be a configuration option. I don't want to wait for
2g of swap space to be wiped when I boot by webserver (which defeates my
previous requirement)

David Lang

 On Tue, 7 Aug 2001, Ben Ford wrote:

> Date: Tue, 07 Aug 2001 20:30:09 -0700
> From: Ben Ford <ben@kalifornia.com>
> To: David Wagner <daw@mozart.cs.berkeley.edu>
> Cc: linux-kernel@vger.kernel.org
> Subject: Re: summary Re: encrypted swap
>
> David Wagner wrote:
>
> >You missed some scenarios.  Suppose I run a server that uses crypto.
> >If swap is unencrypted, all the session keys for the past year might
> >be laying around on swap.  If swap is encrypted, only the session keys
> >since the last boot are accessible, at most.  Therefore, using encrypted
> >swap clearly reduces the impact of a compromise of your machine (whether
> >through theft or through penetration).  This is a good property.
> >
> Wiping swap on boot will achieve the same effect.
>
> -b
>
> --
> Please note - If you do not have the same beliefs as we do, you are
> going to burn in Hell forever.
>
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: summary Re: encrypted swap

[Ben Ford]

David Wagner wrote:

>You missed some scenarios.  Suppose I run a server that uses crypto.
>If swap is unencrypted, all the session keys for the past year might
>be laying around on swap.  If swap is encrypted, only the session keys
>since the last boot are accessible, at most.  Therefore, using encrypted
>swap clearly reduces the impact of a compromise of your machine (whether
>through theft or through penetration).  This is a good property.
>
Wiping swap on boot will achieve the same effect.

-b

-- 
Please note - If you do not have the same beliefs as we do, you are
going to burn in Hell forever.

Re: summary Re: encrypted swap

[David Wagner]

Ben Ford  wrote:
>David Wagner wrote:
>>You missed some scenarios.  Suppose I run a server that uses crypto.
>>If swap is unencrypted, all the session keys for the past year might
>>be laying around on swap.  If swap is encrypted, only the session keys
>>since the last boot are accessible, at most.  Therefore, using encrypted
>>swap clearly reduces the impact of a compromise of your machine (whether
>>through theft or through penetration).  This is a good property.
>
>Wiping swap on boot will achieve the same effect.

No, it won't.  Or rather: Yes, it would, if you could erase data
reliably, but it's not clear that you can.  Once again, please see
Peter Gutmann's paper on the difficulty of erasing data reliably.

Re: summary Re: encrypted swap

[Ted Unangst]

> David Wagner wrote:
>
> >You missed some scenarios.  Suppose I run a server that uses crypto.

oh, there's lots of scenarios. :)  i am definitely in the camp that says
encrypted swap is good, though.  and that was a good one.

On Wed, 8 Aug 2001, Ben Ford wrote:

> Wiping swap on boot will achieve the same effect.

1.  takes far longer.  encrypting swap is not a substantial operation.
wiping is.  you'd have to wipe all 0's, then a 1010 pattern, then all 1's
to get decent security. (encryption is spread out over time - done
incrementally.  wiping must be done all at once.)

2.  anyone stealing a disk to get data out of it sure as hell isn't going
to boot it up and run your init scripts.



--
"People blame me because these water mains break, but I ask you,
if the water mains didn't break, would it be my responsibility to
fix them then? WOULD IT!?!"
      - M. Barry, Mayor of Washington, DC

Re: summary Re: encrypted swap

[David Ford]

You can't guarantee much if the machine is physically compromised.  In 
the situation of wiping, you probably won't need swap immediately after 
boot so you can afford to execute a script that wipes the file/partition 
then mounts it.

It's all easily accomplished in userspace.

David

David Lang wrote:

>only if you can guarenty that there is no way to avoid wiping it even if
>this is the 2nd (or 3rd) hard drive (and what about how swap drives that
>get added to a system after boot)
>
>also this had better be a configuration option. I don't want to wait for
>2g of swap space to be wiped when I boot by webserver (which defeates my
>previous requirement)
>
>David Lang
>

Re: summary Re: encrypted swap

[Marty Poulin]

From: "David Ford" <david@blue-labs.org>


> You can't guarantee much if the machine is physically compromised.  In
> the situation of wiping, you probably won't need swap immediately after
> boot so you can afford to execute a script that wipes the file/partition
> then mounts it.
>
> It's all easily accomplished in userspace.
>
> David
>

This all depends on what the circumstances are.  If you are talking about
someone being able to walk up to the machine while on and pull the memory
cards, nope we cant stop that with the OS.

That is not what we are trying to do, one of the specific scenarios was the
example of a notebook computer that either was shut off quickly or freezes.
If this notebook is stolen before the system is rebooted presto the crook
has access to everything in the swap.  All he has to do is take out the
drive and put it in another system.

The solution to that is encrypted swap.

Marty Poulin
vandal@playnet.com
Lead Programmer
Host/Client Communications
Playnet Inc./Cornered Rat Software

Re: summary Re: encrypted swap

[David Wagner]

David Ford  wrote:
>You can't guarantee much if the machine is physically compromised.

You're missing the point.  The point is not about crypto keys currently
in memory.  The point is about crypto keys that were in memory five reboots
ago.  If you use unencrypted swap, those keys might have been swapped out
and might still be laying around in swap somewhere even after five reboots.
Therefore, with unencrypted swap, compromise of a machine can compromise
crypto keys (and other sensitive data) going back a long way.

In contrast, if you use encrypted swap, compromise of your machine can
only compromise crypto keys (and other sensitive data) going back to your
last reboot.  That's a big difference: encrypted swap cuts down the impact
of a penetration or other compromise of your machine.  *This* is one of
the really compelling security motivations for encrypted swap.

Re: summary Re: encrypted swap

[David Ford]

Encrypted swap isn't a complete solution either.  As systems continue to 
evolve and processes begin to share space across machines or migrate to 
other machines, the data becomes visible in one medium or another.  Due 
to the penalty incurred with encrypting swap or a like solution, the 
cost is prohibitive as a general solution.

Two means to minimize this cost are (a) in userspace encrypt the data 
before leaving it stored in memory or (b) have a flag that marks a given 
page as _PAGE_ENCRYPTION so that only that page is encrypted while the 
rest of the pages are left alone.

The first solution is userspace only and portable across all other 
mediums.  The second solution minimizes cost at the granular level of a 
page boundary.

In any given case, physical access renders most solutions void or 
significantly paled.  I am not however of the opinion that the concept 
should be dropped.  I firmly believe in layered security, not a 
one-stop-solution.  That is to say that I will layer thin or weak 
security just as I would add heavy security.  Simply making your data 
look uninviting is sufficient to drive away most would-be's.

David

Marty Poulin wrote:

>>You can't guarantee much if the machine is physically compromised.  In
>>the situation of wiping, you probably won't need swap immediately after
>>boot so you can afford to execute a script that wipes the file/partition
>>then mounts it.
>>
>>It's all easily accomplished in userspace.
>>
>>David
>>
>This all depends on what the circumstances are.  If you are talking about
>someone being able to walk up to the machine while on and pull the memory
>cards, nope we cant stop that with the OS.
>
>That is not what we are trying to do, one of the specific scenarios was the
>example of a notebook computer that either was shut off quickly or freezes.
>If this notebook is stolen before the system is rebooted presto the crook
>has access to everything in the swap.  All he has to do is take out the
>drive and put it in another system.
>
>The solution to that is encrypted swap.
>

Re: summary Re: encrypted swap

[David Wagner]

David Ford  wrote:
>Encrypted swap isn't a complete solution either.

No, of course not.  It's not a silver bullet, but it's still a useful tool.
(I assumed this would be obvious?)

>In any given case, physical access renders most solutions void or 
>significantly paled.

No, I dispute this.  I keep giving examples where encrypted swap can still
be useful even (or especially) when there is a risk that an attacker might
gain access to the machine occasionally.  I like to think my examples should
have been pretty clear, but if not, please ask, and I'll be happy to
elaborate on whichever point you found unclear.

(It is certainly true that if the attacker will have continuous physical
access to your machine in eternity, security is impossible, and encrypted
swap doesn't help.  But this doesn't change anything: This is not the
typical threat model, and there are very common scenarios where encrypted
swap *does* seem likely to help.)

Re: summary Re: encrypted swap

[Andreas Dilger]

David Ford writes:
> I keep giving examples where encrypted swap can still be useful even
> (or especially) when there is a risk that an attacker might gain access
> to the machine occasionally.  I like to think my examples should
> have been pretty clear, but if not, please ask, and I'll be happy to
> elaborate on whichever point you found unclear.

Another interesting use for encrypted swap - if you use it in conjunction
with tmpfs, then _many_ of the files in /tmp will never even be written
to disk (closing another potential security hole), but those that do get
written will be encrypted by swap (so are also safer).

Finally, there is the related issue of "diskless" machines, which have
swap and /tmp on a local disk (for improved performance/reduced network
overhead), and everything else is over the network.  I know many banks
run this way, so stealing one of these systems would not compromise
data if swap is encrypted.

Cheers, Andreas
-- 
Andreas Dilger  \ "If a man ate a pound of pasta and a pound of antipasto,
                 \  would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/               -- Dogbert

EOT Re: summary Re: encrypted swap

[Rik van Riel]

On Thu, 9 Aug 2001, David Ford wrote:

> Encrypted swap isn't a complete solution ...


Now everybody has repeated themselves 3 times, don't you
think it would be time to stop mailing and start coding ?

regards,

Rik
--
IA64: a worthy successor to the i860.

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com/