Subject: Re: questions about netbsd
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: David Maxwell <david@vex.net>
List: port-i386
Date: 02/10/2003 00:01:15
On Sun, Feb 09, 2003 at 09:07:14PM -0500, der Mouse wrote:
> >> What attack scenario are you concerned about, such that you want
> >> that feature?
> > What's the use of an encrypted filesystem if you have no encrypted
> > swap?

What's the use of having passwords if someone can shoot you and take the
computer? ;-)

As der Mouse said, there are lots of different factors at work here.

As for solutions - well, that depends on your attack scenario - which is
why I asked.

In some cases, configuring no swap space might be an answer.

A smart application might use mlock(2) for sensitive data pages.

swap on cgd, either through a file or (suggested elsewhere in this
thread) directly? (I haven't tried cgd yet.)

At shutdown time, use swapctl -d to delete the swap partition, and
overwrite the partition with your favorite sequence of 'secure'
scrubbing checkerboards, etc. (Leaves you with a different attack
requirement than encrypted swap - but for 'my' attackers, I'll bet
reading overwritten disk blocks is harder than cracking a symmetric
encryption.)

							David


> ...huh?  It makes it harder for a putative attacker to get at your
> data.
> 
> Getting data off an unencrypted filesystem borders on trivial.
> 
> Getting data off an unencrypted swap area is not nearly as trivial.
> First, the data may not even be there; most machines have enough
> filesystem space that it couldn't all fit into swap even if it tried,
> which means that at least some, usually most, of the filesystem data
> simply isn't there in swap.  If it is there, finding it can be
> difficult; telling whether it's the current version can verge on
> impossible.  It is most certainly harder than getting it off an
> unencrypted filesystem.
> 
> Security is a matter of degree.  It's harder to get data off a machine
> with encrypted filesystem and unencrypted swap than a similar machine
> with both unencrypted.  (Both encrypted, of course, is harder yet.  But
> just because the middle one is weaker than the third doesn't make it no
> better than the first.)
> 
> Of course, running with encrypted filesystem and unencrypted swap and
> thinking you're as secure as the encryption on your filesystem is
> dangerously close to deluding yourself.  But that doesn't make
> encrypted filesystems useless in the presence of unencrypted swap; it
> just means that you have to know your system and its exposures to make
> intelligent decisions about what it's safe to entrust to that system.
> 
> /~\ The ASCII				der Mouse
> \ / Ribbon Campaign
>  X  Against HTML	       mouse@rodents.montreal.qc.ca
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)
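The shutdown-time procedure sketched above (swapctl -d, then overwrite the partition), as an added example that is not code from the thread. It assumes NetBSD's swapctl(8) and a POSIX dd(1); the `scrub_swap` and `write_pass` names are mine, it refuses to overwrite unless swapctl -d succeeded, and it accepts a regular file so the procedure can be rehearsed on a scratch file instead of a real partition.

```shell
#!/bin/sh
# Shutdown-time swap scrubbing, as described in the thread: take the swap
# area out of service with swapctl -d, then overwrite it in place.
# Added example, not code from the thread. Assumes NetBSD swapctl(8) and
# POSIX dd(1). The overwrite is refused unless swapctl -d succeeds: writing
# over an area the kernel still pages to would corrupt live process memory.

# write_pass SOURCE DEV COUNT: copy 512-byte blocks from SOURCE onto DEV.
# An empty COUNT means "until the device is full"; dd then stops with
# ENOSPC, which is expected, so its exit status is ignored in that case.
write_pass() {
    if [ -n "$3" ]; then
        dd if="$1" of="$2" bs=512 count="$3" conv=notrunc 2>/dev/null
    else
        dd if="$1" of="$2" bs=512 conv=notrunc 2>/dev/null || true
    fi
}

# scrub_swap DEV [RANDOM_PASSES]: remove DEV from the swap configuration,
# then write one pass of zeros followed by RANDOM_PASSES (default 2) passes
# from /dev/urandom. A regular file is also accepted so the procedure can
# be rehearsed on a scratch file; swapctl is then not involved and the
# file's size (assumed to be a multiple of 512 bytes) bounds the writes.
scrub_swap() {
    dev=$1
    passes=${2:-2}
    count=""
    if [ -b "$dev" ] || [ -c "$dev" ]; then
        swapctl -d "$dev" || {
            echo "swapctl -d $dev failed; refusing to overwrite" >&2
            return 1
        }
    elif [ -f "$dev" ]; then
        count=$(( $(wc -c < "$dev") / 512 ))
    else
        echo "$dev: not a device or a regular file" >&2
        return 1
    fi
    write_pass /dev/zero "$dev" "$count" || return 1
    i=0
    while [ "$i" -lt "$passes" ]; do
        write_pass /dev/urandom "$dev" "$count" || return 1
        i=$((i + 1))
    done
    sync
    return 0
}
```

Run it from the shutdown sequence after all swap users are gone; on a live system the device form (e.g. a wd0b-style partition) is what you would pass.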