Re: GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]

To: tech-security%netbsd.org@localhost
Subject: Re: GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]
From: christos%astron.com@localhost (Christos Zoulas)
Date: Wed, 6 Apr 2011 00:39:09 +0000 (UTC)

In article <4D9BA33D.9010703%gmail.com@localhost>,
Ihar Hrachyshka  <ihar.hrachyshka%gmail.com@localhost> wrote:

>What is the goal of the project?
>--------------------------------
>
>The goal of the project is to add security feature to vfs layer which
>will add ability to scrub blocks which are about to be freed on file
>operations like unlink and truncate with 'random' data. This will add
>appropriate option (-o scrub?) to mount utility.
>
>Random data will be generated with available hardware generators (f.e.
>Intel RNG) or, as a fallback, pseudo-random values' generation
>algorithms should be used. We should also consider providing appropriate
>sysctl interface to explicitly choose between available algorithms.
>
>This feature will make delete/truncate operations really unrecoverable
>which can be considered as additional security merit.

I think we really need to think a bit more about this. I don't think
tht modern disks require random data writes or many rewrites to eliminate
the original data. Just zeroing out the blocks should do it. I also
think that to be effective, this should work at the block allocation
level of the filesystem. I.e. if a filesystem decides to move blocks
around to make things contiguous, or something like a log based filesystem
will leave original file data behind when the file is not removed, and
when the file gets removed the old blocks will still contain pieces of
the file. Finally I don't think that this needs to be controlled in a
finer grain than the mount point.

To summarize:
- I don't think that we should spend a lot of time in the randomization
  portion. Perhaps zero as default, add a simple random option via sysctl.
- I am not sure this project can be done effectively in the vfs layer, because
  the underlying filesystem can inadvertently make copies of the file blocks
  for housekeeping.
- A per mount flag should be good enough, we don't need a per file flag.

christos

Follow-Ups:
- Re: GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]
  - From: Thor Lancelot Simon

References:
- GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]
  - From: Ihar Hrachyshka

Prev by Date: GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]
Next by Date: Re: GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]
Previous by Thread: GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]
Next by Thread: Re: GSoC 2011 project proposal [Implement file system flags to scrub data blocks before deletion]
Indexes:

Home | Main Index | Thread Index | Old Index