Subject: Re: encrypted swap?
To: , <tech-kern@netbsd.org>
From: Andrew van der Stock <ajv@greebo.net>
List: tech-kern
Date: 06/05/2001 16:15:34
All,

What are the risks you trying to protect against?

Zero'ing swap files is useful if you have a laptop that might be taken, but
realistically, most attacks come from the network interface, and attack
applications. Therefore, someone who owns your box will try to escalate to
root or do an arbitary file retrieval rather than worry about the contents
of swap.

If you have access to your PGP private key (be serious now - I know a lot of
PGP users, and none of them use floppies for their key), then someone using
malware as you can also try to retrieve it. PGP could use a syscall to
prevent pagefile being used for a page or two of data.

Encrypting swap would be only useful on systems where data *must* be
protected from disclosure. For an attacker overwriting swap is a priority.
Even encrypted, it is possible to do this using simple scripts or C
programs.

The key to unlock the pagefile is likely to be kept on the system to allow
it to boot without human intervention. Protection for the key then becomes
an all consuming issue for what I feel is a very low risk setting.

Zeroing swap is useless on most systems and is a hindrance to availability.
On NT and 2K systems I've used, it can take a significant amount of time to
clear the pagefile, and thus many admins I know who have to manage these
systems simply press the reset button rather than wait for it to finish.

On systems where the machine is already in a physically secure environment,
zero'ing and encrypting page files is probably the least likely lockdown I'd
take. I'd take keeping the system up to date and reducing available services
anytime as being more practical.

Don't get me wrong, I don't mind these things being available, but
realistically, the risks of application exposure are so much higher and
warrant the limited eyeballs on the problem rather than these two. MI
Non-executable stacks and heap, and dynamic array and bounds checking in the
C compiler would be a far more worthy inclusion than worrying about
potential physical security attacks.

Andrew van der Stock
ajv@greebo.net