June 22, 2004

TaintBochs testing highlights the persistence of OS memory

Author: Jay Lyman

Mendel Rosenblum did not go looking for a hard drive security issue. "We were largely trying to solve other problems," the assistant professor in Computer Science at Stanford University says. But Rosenblum and his colleagues and students found a problem that can leave data at risk on all modern operating systems, including Linux.

The problem, Rosenblum says, is that modern operating systems have no built-in mechanisms for limiting the lifetime of sensitive data. As a result, passwords and other sensitive data may be moved into and left in the system memory, which may be swapped to an area on a hard drive where they could sit for years, even until after the user disposes, sells, trades, or otherwise dumps a drive.

Rosenblum's team used a software simulation system they created called TainBochs to mirror a typical computer system. The software allowed them to taint or tag data, which was then tracked through the system.

The work revealed a hidden source of password and other information that may have been stored originally in Mozilla, Apache, Perl, and other applications. These applications execute in system memory, but that memory is copied to a swap area on the hard drive by the operating system. Once on the hard drive, there is no set time frame in which the data is overwritten, leaving it intact and in jeopardy for years
or longer.

Many people, even in the security community, had not really considered this problem. Perhaps that's because, compared to keyloggers, email inboxes, and other more accessible sources of personal and password data, sifting through a half a gigabyte of RAM is an unattractive alternative for attackers. Still, with the right tools, someone might be able to uncover the records of years of email and Web browsing.

What makes the data lifetime issue a more serious vulnerability is its effect in combination with typical corporate hard drive disposal programs. Despite placing serious priority on security when a machine is in use, major U.S. companies dump drives into recycling programs, landfills, and other insecure outlets, exposing data from, according to the TaintBochs research, at least a year of use on both Linux and Windows systems.

Rosenblum, who conceded both that the hard drive data risk was not a new security issue and that there are plenty of better ways to steal sensitive information, stressed that the point of a paper to be presented at the August Usenix in San Diego is to create awareness.

Rosenblum said that while the TainBochs simulation system was "really slow," it did point out where data leaks and how long it stays in memory. Rosenblum suggested a real-time tool that uncovered the same information would be ideal.

Rosenblum said the way that operating systems, including Windows and Linux, lock passwords and other data in memory makes the swap gap a difficult issue to write around. "Even if you write a paranoid app to ensure data is safe, you're at the mercy of the operating system."

Rosenblum said both Linux and Windows have the ability to handle relatively simple scripts that can control or contain memory, but neither operating system -- nor any other modern OS -- proactively prevents a hard disk swap. "Neither Linux nor Windows have a guarantee that memory won't get written to disk."

Think about it

"When I saw this [research], I hadn't even thought about it," said security expert Jay Beale, who is lead developer of the Bastille Linux Project and a consultant with Intelguardians. "This [data swap to hard drive] happens a lot and none of us think about the security implications too much."

Beale said that considering other forms of password theft and particularly from a worm perspective, the data retention issues highlighted by TaintBochs is of minimal concern. However, Beale said that did not make the issue insignificant, and added it meant that locking down data adequately would mean a serious look at the swap gap.

From a non-worm, "uberhacker" perspective of a skilled attacker targeting a specific drive, Beale said the RAM swap area's lack of security could lead to problems, though Beale said a black hat hacker would have much better luck using a keystroke logger or rootkit.

Even after measures such as reformatting drives, overwriting disks with all zeros,
and other methods of hard drive cleanups, Beale said the right experts with
the right equipment and time can find incredible amounts of data on the
drive. He cited a paper on the matter from the University of Auckland's Peter Gutmann.

"Wiping hard drives is difficult," Beale said. "It should be done with a
good tool that takes time." Beale recommended Symantec's Ghost as a cleaning tool for Windows and Wipe for Linux.

Fringe area research

Security expert Ryan Russell, author and Vuln-Dev security mailing list
founder, agreed with Beale's assessment that there are easier ways to get
password and similar information than wading through a hard drive.

"It's interesting research and I'm glad they're looking into it," Russell
said. "But I think there are other risks -- for the vast majority of people,
this particular risk is very far down the list. Higher up would be the
browser retaining passwords, not cleaning up cookies, or something sitting in
the email box."

Russell highlighted the disposal danger as well, saying that although exploiting the swappy seconds would require physical access to the drive, it could happen when the hardware is getting scrapped, transferred, or otherwise put to pasture.

"It's when you go to dispose of it that you worry," said Russell,
who recalled his own purchase of a Sun workstation from a company that had
not made any effort to erase or even obscure any of the hard drive's

Russell referred to some other research in the area of scouring hard
drives left for dead, including the finding that an electron microscope
could be used to essentially read old bits underneath the current set.
Still, Russell said he was glad to see the TaintBochs research taking

"It's always good to see people looking into the fringe areas," he


  • Security
Click Here!