OSEC

From: Andrew van der Stock (ajvgreebo.net)
Date: Tue Jun 05 2001 - 01:15:34 CDT


    All,

    What are the risks you are trying to protect against?

    Zeroing swap files is useful if you have a laptop that might be taken, but
    realistically, most attacks come from the network interface, and attack
    applications. Therefore, someone who owns your box will try to escalate to
    root or do an arbitrary file retrieval rather than worry about the contents
    of swap.

    If you have access to your PGP private key (be serious now - I know a lot of
    PGP users, and none of them use floppies for their key), then someone using
    malware as you can also try to retrieve it. PGP could use a syscall to
    prevent the pagefile being used for a page or two of data.

    Encrypting swap would only be useful on systems where data *must* be
    protected from disclosure. For an attacker, overwriting swap is a priority.
    Even encrypted, it is possible to do this using simple scripts or C
    programs.

    The key to unlock the pagefile is likely to be kept on the system to allow
    it to boot without human intervention. Protection for the key then becomes
    an all-consuming issue for what I feel is a very low risk setting.

    Zeroing swap is useless on most systems and is a hindrance to availability.
    On NT and 2K systems I've used, it can take a significant amount of time to
    clear the pagefile, and thus many admins I know who have to manage these
    systems simply press the reset button rather than wait for it to finish.

    On systems where the machine is already in a physically secure environment,
    zeroing and encrypting page files is probably the least likely lockdown I'd
    take. I'd take keeping the system up to date and reducing available services
    any time as being more practical.

    Don't get me wrong, I don't mind these things being available, but
    realistically, the risks of application exposure are so much higher and
    warrant the limited eyeballs on the problem rather than these two.
    Non-executable stacks and heaps, and dynamic array and bounds checking in the
    C compiler would be a far more worthy inclusion than worrying about
    potential physical security attacks.

    Andrew van der Stock
    ajvgreebo.net
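The "syscall to prevent the pagefile being used for a page or two of data" that the message above alludes to is mlock(2) on Unix-like systems (VirtualLock on Windows). The following is an added example, not code from the author or from PGP, showing how a program would keep a small buffer of key material pinned in RAM and wipe it before release. It assumes Linux with glibc; the key string is a constructed placeholder, and the struct and function names are this example's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* A buffer of key material that must never reach the pagefile. */
struct secret {
    unsigned char *buf;   /* page-aligned, page-multiple mapping */
    size_t len;           /* bytes actually mapped (rounded up to a page) */
    int locked;           /* 1 if mlock() succeeded, 0 if it was refused */
};

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as "dead" writes to a buffer that is about to be freed. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of p[0..n) is zero, else 0. */
int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Map whole pages for n bytes and pin them in RAM with mlock(2), so the
 * kernel will not write them to swap.  Returns 0 on success, -1 if the
 * mapping itself failed.  s->locked reports whether the pin took effect:
 * an unprivileged process may exceed RLIMIT_MEMLOCK, and a caller holding
 * real key material should treat locked == 0 as fatal. */
int secret_alloc(struct secret *s, size_t n)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || n == 0)
        return -1;
    size_t len = ((n + (size_t)page - 1) / (size_t)page) * (size_t)page;

    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    s->buf = p;
    s->len = len;
    s->locked = (mlock(p, len) == 0);
#ifdef MADV_DONTDUMP
    /* Linux-only: also keep the pages out of core dumps. */
    madvise(p, len, MADV_DONTDUMP);
#endif
    return 0;
}

/* Wipe, unpin and unmap.  Zeroing happens before munlock(), so the pages
 * are never swappable while they still hold plaintext. */
void secret_free(struct secret *s)
{
    if (!s->buf)
        return;
    secure_zero(s->buf, s->len);
    if (s->locked)
        munlock(s->buf, s->len);
    munmap(s->buf, s->len);
    s->buf = NULL;
    s->len = 0;
    s->locked = 0;
}

int main(void)
{
    /* Constructed placeholder; a real program would load the key here. */
    static const char fake_key[] = "constructed-example-private-key";
    struct secret s;

    if (secret_alloc(&s, sizeof fake_key) != 0) {
        perror("secret_alloc");
        return 1;
    }
    memcpy(s.buf, fake_key, sizeof fake_key);
    printf("%zu bytes mapped, %s\n", s.len,
           s.locked ? "pinned in RAM (mlock ok)"
                    : "NOT pinned (mlock refused; check RLIMIT_MEMLOCK)");
    secret_free(&s);
    return 0;
}
```

Two caveats match the points made in the message: mlock() only keeps the pages out of swap while the process runs and does nothing against a hibernation image or against an attacker who already runs code as that user (ptrace or /proc/PID/mem read the locked pages just as easily as any others); and the limit on locked memory (ulimit -l) is small for unprivileged processes, which is why the example pins only the few pages that hold the key rather than calling mlockall().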