[illumos-Developer] Proposal: Add memory clearing allocator to libnvpair
Bill Sommerfeld
sommerfeld at hamachi.org
Wed Jan 26 18:48:47 PST 2011
On 01/26/11 18:11, Samuel Younge wrote:
> Is there an easy way to keep referenced memory that affects the internals of IKE in a more protected space?
Not an easy one.

Approaches to consider:

0) Use umem/vmem in the nvlist allocator and allocate the IKE secrets in
pages which are locked in core (won't end up in swap space by accident?
Or will they?)

1) Privilege separation (some ssh implementations do this); reduce the
attack surface by partitioning the code into multiple processes running
with limited privileges.

2) Careful cryptographic interface design. The Solaris crypto framework
is built on top of PKCS#11, which allows for cryptographic tokens which
keep secrets inside a boundary. Your initial implementation may have
this boundary be a line in the sand rather than anything real, but if
need allows, you can make this tougher. (You could, for instance, leave
the keys in the kernel, out of reach of iked.)

3) Some sort of cross-zone separation. Figure out how to plumb things
under the covers in PF_KEY such that you can have IKE running in one
zone managing the keys of another zone. I always wanted to try to set
this up but ENOTIME....
- Bill