v0.13.3

Gopkg.toml

@@ -0,0 +1,26 @@
+
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+
+[[constraint]]
+  branch = "master"
+  name = "golang.org/x/sys"

README.md

@@ -16,7 +16,7 @@ This is a thread-safe package, designed to allow you to easily handle sensitive
 
 ## Features
 
-* Interference from the garbage-collector is blocked by using system-calls to manually allocate memory ourselves.
+* Interference from the garbage-collector is blocked by using system-calls to manually allocate memory.
 * It is very difficult for another process to find or access sensitive memory as the data is sandwiched between guard-pages. This feature also acts as an immediate access alarm in case of buffer overflows.
 * Buffer overflows are further protected against using a random canary value. If this value changes, the process will panic.
 * We try our best to prevent the system from writing anything sensitive to the disk. The data is locked to prevent swapping, system core dumps can be disabled, and the kernel is advised (where possible) to never include the secure memory in dumps.
@@ -43,10 +43,10 @@ If you would prefer a signed release that you can verify and manually compile yo
 $ go install -v ./
 ```
 
-The releases are cryptographically signed with my PGP key, which can be found on [keybase](https://keybase.io/awn). To import it directly into GPG, run:
+The [latest release](https://github.com/awnumar/memguard/releases/latest) is guaranteed to be cryptographically signed with my most recent PGP key, which can be found on [keybase](https://keybase.io/awn). To import it directly into GPG, run:
 
 ```
 $ curl https://keybase.io/awn/pgp_keys.asc | gpg --import
 ```
 
-We **strongly** encourage you to vendor your dependencies for a clean and reliable build. [Glide](http://glide.sh/) makes this task relatively frictionless.
+We **strongly** encourage you to vendor your dependencies for a clean and reliable build. Go's [dep](https://github.com/golang/dep) makes this task relatively frictionless.

container.go

@@ -70,6 +70,9 @@ func newContainer(size int, mutable bool) (*LockedBuffer, error) {
 	// Set Buffer to a byte slice that describes the reigon of memory that is protected.
 	b.buffer = getBytes(uintptr(unsafe.Pointer(&memory[pageSize+roundedLength-size])), size)
 
+	// The buffer is filled with weird bytes so let's wipe it.
+	wipeBytes(b.buffer)
+
 	// Set appropriate mutability state.
 	b.mutable = true
 	if !mutable {

memcall/memcall_freebsd.go

@@ -0,0 +1,79 @@
+// +build freebsd
+
+package memcall
+
+import (
+	"fmt"
+
+	"golang.org/x/sys/unix"
+)
+
+// Lock is a wrapper for unix.Mlock(), with extra precautions.
+func Lock(b []byte) {
+	// Advise the kernel not to dump. Ignore failure.
+	unix.Madvise(b, unix.MADV_DONTDUMP)
+
+	// Call mlock.
+	if err := unix.Mlock(b); err != nil {
+		panic(fmt.Sprintf("memguard.memcall.Lock(): could not acquire lock on %p, limit reached? [Err: %s]", &b[0], err))
+	}
+}
+
+// Unlock is a wrapper for unix.Munlock().
+func Unlock(b []byte) {
+	if err := unix.Munlock(b); err != nil {
+		panic(fmt.Sprintf("memguard.memcall.Unlock(): could not free lock on %p [Err: %s]", &b[0], err))
+	}
+}
+
+// Alloc allocates a byte slice of length n and returns it.
+func Alloc(n int) []byte {
+	// Allocate the memory.
+	b, err := unix.Mmap(-1, 0, n, unix.PROT_READ|unix.PROT_WRITE, unix.MAP_PRIVATE|unix.MAP_ANONYMOUS|unix.MAP_NOCORE)
+	if err != nil {
+		panic(fmt.Sprintf("memguard.memcall.Alloc(): could not allocate [Err: %s]", err))
+	}
+
+	// Fill memory with weird bytes in order to help catch bugs due to uninitialized data.
+	for i := 0; i < n; i++ {
+		b[i] = byte(0xdb)
+	}
+
+	// Return the allocated memory.
+	return b
+}
+
+// Free unallocates the byte slice specified.
+func Free(b []byte) {
+	if err := unix.Munmap(b); err != nil {
+		panic(fmt.Sprintf("memguard.memcall.Free(): could not unallocate %p [Err: %s]", &b[0], err))
+	}
+}
+
+// Protect modifies the PROT_ flags for a specified byte slice.
+func Protect(b []byte, read, write bool) {
+	// Ascertain protection value from arguments.
+	var prot int
+	if read && write {
+		prot = unix.PROT_READ | unix.PROT_WRITE
+	} else if read {
+		prot = unix.PROT_READ
+	} else if write {
+		prot = unix.PROT_WRITE
+	} else {
+		prot = unix.PROT_NONE
+	}
+
+	// Change the protection value of the byte slice.
+	if err := unix.Mprotect(b, prot); err != nil {
+		panic(fmt.Sprintf("memguard.memcall.Protect(): could not set %d on %p [Err: %s]", prot, &b[0], err))
+	}
+}
+
+// DisableCoreDumps disables core dumps on Unix systems.
+func DisableCoreDumps() {
+	// Disable core dumps.
+	if err := unix.Setrlimit(unix.RLIMIT_CORE, &unix.Rlimit{Cur: 0, Max: 0}); err != nil {
+		panic(fmt.Sprintf("memguard.memcall.DisableCoreDumps(): could not set rlimit [Err: %s]", err))
+	}
+}

memcall/memcall_openbsd.go

@@ -31,6 +31,11 @@ func Alloc(n int) []byte {
 		panic(fmt.Sprintf("memguard.memcall.Alloc(): could not allocate [Err: %s]", err))
 	}
 
+	// Fill memory with weird bytes in order to help catch bugs due to uninitialized data.
+	for i := 0; i < n; i++ {
+		b[i] = byte(0xdb)
+	}
+
 	// Return the allocated memory.
 	return b
 }

memcall/memcall_osx.go

@@ -30,6 +30,11 @@ func Alloc(n int) []byte {
 		panic(fmt.Sprintf("memguard.memcall.Alloc(): could not allocate [Err: %s]", err))
 	}
 
+	// Fill memory with weird bytes in order to help catch bugs due to uninitialized data.
+	for i := 0; i < n; i++ {
+		b[i] = byte(0xdb)
+	}
+
 	// Return the allocated memory.
 	return b
 }

memcall/memcall_test.go

@@ -5,6 +5,14 @@ import "testing"
 func TestCycle(t *testing.T) {
 	DisableCoreDumps()
 	buffer := Alloc(32)
+
+	// Test if the whole memory is filled with 0xdb.
+	for i := 0; i < 32; i++ {
+		if buffer[i] != byte(0xdb) {
+			t.Error("unexpected byte:", buffer[i])
+		}
+	}
+
 	Protect(buffer, true, true)
 	Lock(buffer)
 	Unlock(buffer)

memcall/memcall_unix.go

@@ -1,4 +1,4 @@
-// +build !windows,!darwin,!openbsd
+// +build !windows,!darwin,!openbsd,!freebsd
 
 package memcall
 
@@ -34,6 +34,11 @@ func Alloc(n int) []byte {
 		panic(fmt.Sprintf("memguard.memcall.Alloc(): could not allocate [Err: %s]", err))
 	}
 
+	// Fill memory with weird bytes in order to help catch bugs due to uninitialized data.
+	for i := 0; i < n; i++ {
+		b[i] = byte(0xdb)
+	}
+
 	// Return the allocated memory.
 	return b
 }

memcall/memcall_windows.go

@@ -34,8 +34,16 @@ func Alloc(n int) []byte {
 		panic(fmt.Sprintf("memguard.memcall.Alloc(): could not allocate [Err: %s]", err))
 	}
 
+	// Convert into a byte slice.
+	b := _getBytes(ptr, n, n)
+
+	// Fill memory with weird bytes in order to help catch bugs due to uninitialized data.
+	for i := 0; i < n; i++ {
+		b[i] = byte(0xdb)
+	}
+
 	// Return the allocated memory.
-	return _getBytes(ptr, n, n)
+	return b
 }
 
 // Free unallocates the byte slice specified.