
Suggestion: erase data posted to the Web



A recent New Scientist article referred to the fact that
"sensitive data" may persist in computer memory, and be swapped to disk
and persist after a power-down.

http://www.newscientist.com/news/news.jsp?id=ns99995064

I had observed a while ago that text such as credit card numbers entered
into a form in Netscape could persist in RAM after the application exits,
and this seems to be still true for Mozilla.

As discussed earlier in Bugtraq ("When scrubbing secrets in memory doesn't
work", 19 Nov 2002), in Linux/Unix the mlock() call can be used to
discourage swapping (MmLockPagableSectionByHandle ? in Win32), while
overwriting can be used to erase freed memory (as is done in GnuPG).

It occurs to me that, while an unprivileged process cannot read system
memory directly, a simple allocation of a large chunk of memory might
get data freed up or abandoned by previously running processes. Certain
data, such as credit card numbers and SINs, have a predictable pattern
that a regex such as
/4530[\s]{0,1}[\d]{4}[\s]{0,1}[\d]{4}[\s]{0,1}[\d]{4}[\s]{0,1}[\d]{4}/
might easily find.

Given the now common practice of leaving computers powered on with
"high-speed" internet access, and the recent appearance of trojans such as
Bankhook.A and Pwsteal.Refest, I suggest that best practice be updated to
include the erasure and protection of "sensitive data". This would include
obvious things like passwords, certificates etc. and be extended to
anything entered into an SSL-protected form in a Web browser. At some
expense in CPU time, it might include all https displayed pages and any
user-generated data such as word processor documents.

One (probably very CPU-intensive, for some apps) way to enforce this
behaviour for malloc'd memory would be to make free() do an erase
operation as a system option. Creating "secure_free()" would be better.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@xxxxxxxxx
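
A sketch of the "secure_free()" idea from the message above, combined with the mlock() and overwrite techniques it mentions. This is an added example, not code from the original post, GnuPG or any browser: secure_alloc(), secure_wipe(), secure_size() and secure_is_locked() are hypothetical helper names, and the page-aligned layout is an assumption made so that locking one buffer never affects another.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Header stored in front of the payload so secure_free() knows how much
   to erase; the union pads it to maximum alignment. */
typedef union {
    struct { size_t total; size_t size; int locked; } h;
    max_align_t align;
} sec_hdr;

/* Zero n bytes through a volatile pointer so the compiler cannot discard
   the stores as dead writes ahead of free(). */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Allocate whole pages so mlock()/munlock() never touch a neighbour. */
void *secure_alloc(size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (n > SIZE_MAX - sizeof(sec_hdr) - page) return NULL;
    size_t total = (sizeof(sec_hdr) + n + page - 1) / page * page;
    sec_hdr *hdr = aligned_alloc(page, total);
    if (!hdr) return NULL;
    hdr->h.total = total;
    hdr->h.size = n;
    /* mlock() may fail (e.g. RLIMIT_MEMLOCK); record it for the caller. */
    hdr->h.locked = (mlock(hdr, total) == 0);
    return hdr + 1;
}

size_t secure_size(const void *p)   { return ((const sec_hdr *)p - 1)->h.size; }
int secure_is_locked(const void *p) { return ((const sec_hdr *)p - 1)->h.locked; }

void secure_free(void *p)
{
    if (!p) return;
    sec_hdr *hdr = (sec_hdr *)p - 1;
    size_t total = hdr->h.total;
    int locked = hdr->h.locked;
    secure_wipe(hdr, total);          /* erase header, payload and padding */
    if (locked) munlock(hdr, total);  /* unlock only after the wipe */
    free(hdr);
}
```

Copies of the data made elsewhere (stdio buffers, GUI widgets, realloc'd blocks) are not covered by this; only the buffer handed out by secure_alloc() is locked and erased.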