Linux Equivalent CryptProtectMemory

I am trying to protect my data in memory from reading paging files when my process memory is unloaded.

I know CryptProtectMemory() in the Windows SDK, which can be used to encrypt memory buffers.

I could not find such a function on Linux, please let me know if anyone knows.

We can use mlock() so that the memory is not unloaded, but does this mean that my secret files are safe?

+6
linux encryption
2 answers

The closest equivalent on Linux to CryptProtectMemory() is gcry_malloc_secure() in libgcrypt. Dedicated protected memory will be locked in memory; gcry_free() resets and frees it. Other crypto libraries have similar calls, for example Botan's secure_vector template.

Another approach is to use the low-level POSIX call mlock() for the entire buffer. The burden of zeroing the buffer is on you. You must manually call memset() when the buffer is no longer in use or when your program exits.

CryptProtectMemory() seems to do something a little different from either of the two approaches above: it creates a small random session key and uses it to encrypt the buffer. The advantage is that you only need to block and, finally, reset only a very small page, on which the key is located, and not the entire buffer. This may matter if the buffer is very large. However, we will not be able to process data in the buffer. There is also a small time window when sensitive data is replaced.

+7
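
The mlock() approach described in the answer above, as an added example that is not part of the original answer. The names secret_buf, secret_alloc, secret_wipe and secret_free are hypothetical helpers, and the wipe goes through a volatile pointer because a plain memset() immediately before free() can be removed by the compiler as a dead store.

```c
/* Added example: keep a secret in mlock()ed pages and wipe it before release. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* secret_buf and the secret_* names are hypothetical helpers, not a library API. */
typedef struct { unsigned char *ptr; size_t len; } secret_buf;

/* Wipe through a volatile pointer: a plain memset() right before free()
 * is a dead store that the compiler is allowed to remove. */
static void secret_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Allocate whole pages and lock them. Fails closed: returns -1 with
 * ptr == NULL if the pages cannot be locked (e.g. RLIMIT_MEMLOCK too low). */
static int secret_alloc(secret_buf *b, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    b->ptr = NULL; b->len = 0;
    if (page <= 0 || want == 0) return -1;
    size_t len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    unsigned char *p = aligned_alloc((size_t)page, len);
    if (!p) return -1;
    if (mlock(p, len) != 0) { free(p); return -1; }
    b->ptr = p; b->len = len;
    return 0;
}

/* Wipe while the pages are still locked, then unlock and free. */
static void secret_free(secret_buf *b) {
    if (!b->ptr) return;
    secret_wipe(b->ptr, b->len);
    munlock(b->ptr, b->len);
    free(b->ptr);
    b->ptr = NULL; b->len = 0;
}

int main(void) {
    secret_buf key;
    if (secret_alloc(&key, 32) != 0) { perror("secret_alloc"); return 1; }
    memcpy(key.ptr, "constructed-sample-key-material!", 32); /* constructed sample */
    /* ... use key.ptr here; copies made elsewhere are not protected ... */
    secret_free(&key);
    return 0;
}
```
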

I am wondering if the encryption (part) of your process memory will end with a chicken-and-egg problem. I mean, the password for encryption/decryption of the memory block(s) of interest should be somewhere in the memory, inside the address space of your process. If any malicious code can access/check the address space of your process at runtime, you are not going to solve the problem (but you make the life of the observer more difficult ;))

If you work in user space, you can create some kind of shell to encrypt/decrypt your variables/memory using any available cryptography library (i.e. OpenSSL libcrypto), I think. You can create some kind of “protected variable” object, but keep in mind that some cryptographic algorithms require filling (the size of the basic types may need to be changed accordingly). In kernel space, you can use LKCF (Kernel Crypto API).

+1