Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Meta] Zeroing memory and general secure memory management #122

Open
4 tasks
emostov opened this issue Sep 20, 2022 · 1 comment
Open
4 tasks

[Meta] Zeroing memory and general secure memory management #122

emostov opened this issue Sep 20, 2022 · 1 comment
Assignees
@emostov
Labels
Meta Discussion of high level concepts and decisions

Comments

@emostov
Copy link
Contributor

emostov commented Sep 20, 2022
edited
Loading

Context

In order to reduce the chance of an attacker reading sensitive memory or injecting data into memory that is either malicious code or could trigger code to run in a malicious way, we want to ensure that enclave memory is appropriately wiped.

As further context, improperly managed memory can expose attack vectors. This is particularly an issue in languages like C/C++ where it is always up to the author to implement memory managements. In the case of Rust, the compiler should handle memory management as long as unsafe Rust is not used. In other words the Rust compiler handles the details of memory allocation/deallocation and pointer management, which otherwise commonly cause bugs in languages like C/C++. (For reading on a real life example of memory abuse vectors check out https://blog.inhq.net/posts/u2fhid_init_resp-information-leak/).

Even though the Rust compiler implements memory management, we are not guaranteed that memory will be deallocating and wiped to zero. The compiler may choose not to deallocate and wipe memory for a variety reasons, likely the number 1 being performance: in some situations it may prefer to leave pages of memory if it speeds up execution does not change intended logic. For highly sensitive data, we will want to ensure zeroing does not get optimized away.

Strategy

To practically support this we want to look into building out QOS to support different types of memory wiping, but also expose libraries that enclave application developers can use to zero memory within the applications own logic.

Note that this issue tracks Rust specific approaches and may not be relevant for enclave apps written in other languages

Action Items

Short term

Medium term

Long term
This was referenced Sep 20, 2022
Open
Open
Open
Open
@emostov emostov changed the title [Meta Issue] Zeroing memory and general secure memory management [Meta] Zeroing memory and general secure memory management Sep 20, 2022
@emostov emostov self-assigned this Sep 20, 2022
@emostov emostov added the Meta Discussion of high level concepts and decisions label Sep 20, 2022
@cr-tk
Copy link
Collaborator

cr-tk commented Feb 7, 2024

@emostov: have there been any steps towards the action items since late 2022?

I know that we're using zeroize in qos_p256 and qos_client, plus indirectly via some of the Rust crypto libraries that use it. Beyond that, I don't think the situation has changed with regards to bigger forms of memory zeroing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@emostov emostov

Labels
Meta Discussion of high level concepts and decisions
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@emostov @cr-tk