tech-security archive


Re: Security properties of domain socket communication buffers



Since nobody's yet taken a stab at this, I will, but I'm talking
from theory and not from examining the NetBSD kernel memory management
code so someone who has should feel free to correct me ...

> I'm contemplating writing a program which would send sensitive
> information between processes via UNIX domain sockets.  Does NetBSD make
> any guarantees that the stale contents of the communication buffer for a
> domain socket will not later appear in another process's uninitialized
> address space after the socket has been closed?

Unix processes should not get to see memory previously used by the
kernel or another process without it being cleared first.  So (bugs
aside) I think you can have a "yes" for your first question.

> Does it make any guarantees that an active buffer will not be swapped to
> disk?

Again so far as I know (or think I know) NetBSD kernel memory is not
paged to disk, so the problem only arises when the data is in a
process's memory space.  Thus, again, "yes" to your question.

> (I know about mlock() but I don't think I can use it on a buffer).

You're correct that you can't use mlock() on anything that isn't in your
process's virtual address space.

> Are any such guarantees portable to other UNIX derivatives?

I believe AIX can page kernel memory; I don't think HP-UX does; I don't
know about Solaris.  I doubt Linux does, but don't know.

Giles
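
An added example, not code from this thread: it shows the part of the problem that is under the application's control. The process can lock and scrub the copies of the secret in its own address space, and it can hand the data to another process over an AF_UNIX socketpair, but the kernel's socket buffer in between is not something it can mlock() or zero, which is the limit the reply above describes. It assumes a POSIX system with socketpair(2), mlock(2) and posix_memalign(3); the function names scrub, locked_page, release_page and pass_secret_locally are this example's own, and the secret is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>

/* Overwrite memory through a volatile pointer so the stores survive
 * dead-store elimination (the same idea as explicit_bzero(3)). */
void scrub(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n-- > 0) *v++ = 0;
}

/* Allocate one page-aligned page and try to pin it with mlock().
 * Locking is best effort: RLIMIT_MEMLOCK may forbid it, so the caller
 * always gets the buffer and *locked reports whether the pin succeeded. */
static unsigned char *locked_page(int *locked) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (pg <= 0 || posix_memalign(&p, (size_t)pg, (size_t)pg) != 0) return NULL;
    *locked = (mlock(p, (size_t)pg) == 0);
    return (unsigned char *)p;
}

/* Zero the page before it goes back to the allocator, then unpin it. */
static void release_page(unsigned char *p, int locked) {
    long pg = sysconf(_SC_PAGESIZE);
    scrub(p, (size_t)pg);
    if (locked) munlock(p, (size_t)pg);
    free(p);
}

/* Hand `secret` from one end of an AF_UNIX socketpair to the other.
 * Both user-space copies live in (best-effort) locked pages and are
 * scrubbed before release; the kernel's own socket buffer is outside
 * the process's reach. Returns 1 if the receiver got an identical
 * copy, 0 otherwise. */
int pass_secret_locally(const unsigned char *secret, size_t len) {
    int fds[2], lsend = 0, lrecv = 0, ok = 0;
    unsigned char *sendbuf, *recvbuf;
    long pg = sysconf(_SC_PAGESIZE);

    if (pg <= 0 || len > (size_t)pg) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0) return 0;
    sendbuf = locked_page(&lsend);
    recvbuf = locked_page(&lrecv);
    if (sendbuf && recvbuf) {
        memcpy(sendbuf, secret, len);
        /* One page fits comfortably in a socketpair's send buffer, so a
         * single write() completes; the read side still loops defensively. */
        if (write(fds[0], sendbuf, len) == (ssize_t)len) {
            size_t got = 0;
            while (got < len) {
                ssize_t r = read(fds[1], recvbuf + got, len - got);
                if (r <= 0) break;
                got += (size_t)r;
            }
            ok = (got == len && memcmp(recvbuf, secret, len) == 0);
        }
    }
    if (sendbuf) release_page(sendbuf, lsend);
    if (recvbuf) release_page(recvbuf, lrecv);
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void) {
    /* Constructed sample secret; any bytes would do. */
    const unsigned char secret[] = "constructed-sample-secret-0123456789";
    printf("round trip %s\n",
           pass_secret_locally(secret, sizeof secret) ? "ok" : "failed");
    return 0;
}
```

If mlock() fails (typically because RLIMIT_MEMLOCK is exhausted) the example still scrubs the buffers, since zeroing is the part that does not depend on the kernel's cooperation; a program that must never have its copy paged out should instead treat a failed mlock() as fatal.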

