...

Two common mechanisms by which data can be inadvertently written to disk are swapping and core dumps.

Paging/Swapping

Many general-purpose operating systems implement a virtual memory management technique called paging (also referred to as swapping) to transfer pages between main memory and an auxiliary store, such as a disk drive. This feature is typically implemented as a task running in the kernel of the operating system, and its operation is invisible to the running program.

...

A core dump is the recorded state of process memory written to disk for later examination by a debugger. Core dumps are typically generated when a program has terminated abnormally, either through an error resulting in a crash or by receiving a signal that causes such a termination.

...

Noncompliant Code Example

In this noncompliant code example, sensitive information generated by create_secret() is stored in the dynamically allocated buffer secret, which is processed and eventually deallocated by a call to free(). The memory page containing secret can be swapped out to disk at any time. If the program crashes before the call to free(), the information stored in secret may also be written to the core dump.

#include <stdlib.h>
/* ... */
char *secret;

/* Nothing stops this page from being swapped or dumped */
secret = (char *)malloc(size + 1);
if (!secret) {
  /* Handle error */
}

/* Perform operations using secret... */

free(secret);
secret = NULL;

Compliant Solution (POSIX)

To prevent the information from being written to a core dump, the maximum size of the core dumps that the program will generate should be set to 0. This can be accomplished by using setrlimit() with the RLIMIT_CORE resource.

#include <stdio.h>
#include <sys/resource.h>
/* ... */
enum { SECRET_SIZE = 256 };  /* buffer size chosen for this example */
struct rlimit limit;
char secret[SECRET_SIZE];

/* Soft and hard limit both 0: no core file can be written */
limit.rlim_cur = 0;
limit.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &limit) != 0) {
    /* Handle error */
}

/* Create or otherwise obtain some sensitive data */
if (fgets(secret, sizeof(secret), stdin) == NULL) {
  /* Handle error */
}

Compliant Solution (Privileged Process, POSIX)

Processes with elevated privileges can disable paging by "locking" memory in place using mlock() [Open Group 04]. This ensures that the locked memory is never copied to the hard drive, where it may be retained indefinitely in nonvolatile storage.

This compliant solution not only disables the creation of core files, but also ensures that the buffer is not swapped to hard disk.

#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
/* ... */
enum { SECRET_SIZE = 256 };  /* buffer size chosen for this example */
struct rlimit limit;
char secret[SECRET_SIZE];

/* Soft and hard limit both 0: no core file can be written */
limit.rlim_cur = 0;
limit.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &limit) != 0) {
    /* Handle error */
}

/* Pin the buffer in RAM so it is never swapped out */
if (mlock(secret, sizeof(secret)) != 0) {
    /* Handle error */
}

/* Create or otherwise obtain some sensitive data */
if (fgets(secret, sizeof(secret), stdin) == NULL) {
  /* Handle error */
}
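The two POSIX compliant solutions above can be combined into a small set of helpers that also cover the end of the buffer's life: the secret is scrubbed while still locked, then unlocked and freed, and a refused mlock() never hands out an unlocked buffer. This is an added example, not code from the CERT page; the function names disable_core_dumps(), core_dumps_disabled(), alloc_locked_secret() and free_locked_secret() are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Forbid core files for this process. Both soft and hard limit are set
   to 0 so that neither this process nor a child can raise it again.
   Returns 0 on success, -1 on failure (setrlimit() semantics). */
int disable_core_dumps(void) {
  struct rlimit limit = { .rlim_cur = 0, .rlim_max = 0 };
  return setrlimit(RLIMIT_CORE, &limit);
}

/* Verification check: 1 if RLIMIT_CORE is pinned at 0, 0 otherwise. */
int core_dumps_disabled(void) {
  struct rlimit limit;
  if (getrlimit(RLIMIT_CORE, &limit) != 0) return 0;
  return limit.rlim_cur == 0 && limit.rlim_max == 0;
}

/* Allocate a buffer for secret data and pin it in RAM with mlock().
   Locking needs CAP_IPC_LOCK or room under RLIMIT_MEMLOCK; if it is
   refused, the buffer is released rather than returned unlocked. */
char *alloc_locked_secret(size_t size) {
  char *secret = malloc(size);
  if (secret == NULL) return NULL;
  if (mlock(secret, size) != 0) {
    free(secret);
    return NULL;
  }
  return secret;
}

/* Scrub, unlock, free: the cleartext is overwritten while the pages are
   still locked, so it is never eligible for swapping once the lock is
   dropped. The volatile pointer keeps the compiler from eliding the
   overwrite of memory that is about to be freed. */
void free_locked_secret(char *secret, size_t size) {
  volatile char *p = secret;
  size_t i;
  if (secret == NULL) return;
  for (i = 0; i < size; i++) p[i] = 0;
  munlock(secret, size);
  free(secret);
}
```

Call disable_core_dumps() before any secret exists, then alloc_locked_secret() for the buffer fgets() reads into, and free_locked_secret() as soon as the secret is no longer needed.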

Compliant Solution (Privileged Process, Windows)

Windows processes running with elevated privileges can disable paging by locking memory in place using VirtualLock() [MSDN]. Note that VirtualLock() returns a nonzero value on success and zero on failure:

#include <stdio.h>
#include <windows.h>
/* ... */
enum { SECRET_SIZE = 256 };  /* buffer size chosen for this example */
char secret[SECRET_SIZE];

/* VirtualLock() returns zero on failure */
if (VirtualLock(secret, sizeof(secret)) == 0) {
    /* Handle error */
}

/* Create or otherwise obtain some sensitive data */
if (fgets(secret, sizeof(secret), stdin) == NULL) {
  /* Handle error */
}

Risk Assessment

Writing sensitive data to disk preserves it for future retrieval by an attacker, who may even be able to bypass the access restrictions of the operating system by using a disk maintenance program.

...

[ISO/IEC PDTR 24772] "XZX Memory Locking"
[MITRE 07] CWE ID 591 (http://cwe.mitre.org/data/definitions/591.html), "Sensitive Data Storage in Improperly Locked Memory," and CWE ID 528 (http://cwe.mitre.org/data/definitions/528.html), "Information Leak Through Core Dump Files"
[Open Group 04] mlock(), setrlimit()
[Wheeler 03] Sections 7.14 and 11.4

...