[SOLVED] Is it possible that RAM is encrypted too, without special hardware?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Maybe run arbitrary software with an emulator or hypervisor that intercepts all access to ram encrypting/decrypting the data so real ram is always encrypted and a core dump does not reveal what the software is processing. A core dump is possible by an adversary that owns the hardware (VPS hoster).
Maybe run arbitrary software with an emulator or hypervisor that intercepts all access to ram encrypting/decrypting the data so real ram is always encrypted and a core dump does not reveal what the software is processing. A core dump is possible by an adversary that owns the hardware (VPS hoster).
A VPS hoster can make a a snapshot from the entire machine, including the CPU registers, at any given time, so this excercise would be moot.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
I was intrigued by this concept so I did some googling and it would appear that it has been tried and there should be a proof of concept out there: http://ieeexplore.ieee.org/xpl/login...mber%3D5655081
While encrypting RAM contents is probably not all that much of a defense I can see it making it tougher for a provider to snoop and if there are any built-in snooping measures I wouldn't have thought they would expect encrypted RAM -- so, perhaps, there is some use in doing this?
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by TobiSGD
This may work on bare metal machines, but that simply doesn't apply to VMs.
I meant that, for example, if the VPS provider takes automated memory dumps of machines for "auditing" purposes they're not going to be of much use if most data is encrypted. In other words I know that if the VPS provider is aware of these things they could employ countermeasures but automated systems could be defeated.
Whether that is "enough security" is another question entirely, of course.
Any VM, regardless if it is VMware, Virtualbox, KVM, ..., allows the host running the VM to make snapshots of the running machine, including all encryption keys (this is what happens when you suspend the VM, only that the VM is shut down afterwards). If they have the keys, encryption is no protection at all
Someone has already found enough space for the keys in the cpu for some reason:
Quote:
TRESOR is a software approach that seeks to resolve this insecurity by storing and manipulating encryption keys almost exclusively on the CPU alone ... TRESOR is written as a kernel patch that stores encryption keys in the x86 debug registers
Sure all cpu registers must appear in a core dump, even if AES-NI is supported?
Quote:
Its developers state that "running TRESOR on a 64-bit CPU that supports AES-NI, there is no performance penalty compared to a generic implementation of AES",[5] and run slightly faster than standard encryption despite the need for key recalculation, a result which initially surprised the authors as well
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by TobiSGD
Any VM, regardless if it is VMware, Virtualbox, KVM, ..., allows the host running the VM to make snapshots of the running machine, including all encryption keys (this is what happens when you suspend the VM, only that the VM is shut down afterwards). If they have the keys, encryption is no protection at all
Indeed, they even have them when stored in debug registers as per the abobe posted TRESOR. However, as I mentioned previously, it would depend upon what the VPS host does as regards monitoring. Again though I'm not suggesting this is security which could be relied upon but wonder whether it would frustrate any routine "records keeping" by a provider. Sadly I don't know how VPS provisers work as I never got past the interview stage when I attempted to work for one.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.