Comments (7)
jorgeelmundoso
commented on June 9, 2024
here is the source code to gcore from gdb
https://github.com/bminor/binutils-gdb/blob/master/gdb/gcore.c
from secrets.
stouset
commented on June 9, 2024
Was this built in --release mode? We call setrlimit to set the hard limit for RLIMIT_CORE to 0 in non-debug builds.
from secrets.
stouset
commented on June 9, 2024
It looks like gcore ignores setrlimit. I'm not sure there's anything this (or any) library can do about a user that has root and can probe memory directly.
from secrets.
jorgeelmundoso
commented on June 9, 2024
Was this built in
--releasemode? We callsetrlimitto set the hard limit forRLIMIT_COREto0in non-debug builds.
Yes it was build with --release.
I was looking for a way to protect secrets inside docker containers, guess that is a really hard one.
from secrets.
stouset
commented on June 9, 2024
FWIW, libsodium recently added an mshield function that performs in-memory encryption. When that is stabilized and released, I'll be able to use it.
Of course, anyone with similar privileges can still find the key and IV in memory and decrypt the secret, but it does increase the level of effort for such an attach.
from secrets.
stouset
commented on June 9, 2024
But yeah, fundamentally there's not much that can be done to protect against a user with root who can read arbitrary memory. Page-level protections like mprotect only affect the process' address space.
The main intent here is to protect against in-process bugs like those that resulted in heartbleed.
Closing since there's not much that can be done here, but when libsodium does release a version with mshield, I will use it for secrets allocated on the heap.
from secrets.
jorgeelmundoso
commented on June 9, 2024
thanks
from secrets.
Related Issues (14)
- Relicense under dual MIT/Apache-2.0 HOT 4
- SIGSEGV on SecretVec::zero() HOT 4
- Any plans to add protection against Specte? HOT 1
- Trouble compiling on OpenBSD HOT 5
- any updates on using libsodium mshild HOT 3
- Question about linkage HOT 1
- Support linking with vcpkg on Windows
- Pure Rust implementation of libsodium/utils HOT 8
- How do I handle Strings combined with Secret(Box)? HOT 1
- `bool` and `char`'s `Bytes` implementations cause undefined behavior.
- How do I create a SecretVec which length is unknown? HOT 1
- Why do you assert! if the thread is panicking in your `Drop` implementation?
- Keep sensitive data in binary
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secrets.