Improve resilience against memory attacks #3020
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
phoerious
force-pushed
the
feature/memory-protection-v2
branch
3 times, most recently
from
d637fd0
to
6a42e1a
Compare
phoerious
approved these changes
Apr 20, 2019
phoerious
force-pushed
the
feature/memory-protection-v2
branch
from
6a42e1a
to
477d4fe
Compare
droidmonkey
commented
Apr 20, 2019
phoerious
force-pushed
the
feature/memory-protection-v2
branch
2 times, most recently
from
d35e94d
to
21372f9
Compare
|
Looks good to me. Do we need to add "Alloc.cpp" to all the intermediate libraries? You added it to Browser but I would think it would come as part of linking against Core. |
phoerious
force-pushed
the
feature/memory-protection-v2
branch
from
21372f9
to
8a1be3d
Compare
|
It should be enough to build it into the main library as it's applied during link time. I added it to browser, because it didn't link against the core lib, but the core lib is linking against browser, of course. So it's actually redundant here. I did add it to the proxy, though, since that one's a standalone binary that doesn't link against core. |
To reduce residual fragments of secret data in memory after deallocation, this patch replaces the global delete operator with a version that zeros out previously allocated memory. It makes use of the new C++14 sized deallocation, but provides an unsized fallback with platform-specific size deductions. This change is only a minor mitigation and cannot protect against buffer reallocations by the operating system or non-C++ libraries. Thus, we still cannot guarantee all memory to be wiped after free. As a further improvement, this patch uses libgcrypt and libsodium to write long-lived master key component hashes into a secure memory area and wipe it afterwards. The patch also fixes compiler flags not being set properly on macOS.
phoerious
force-pushed
the
feature/memory-protection-v2
branch
from
8a1be3d
to
cba6c9e
Compare
droidmonkey
added a commit
that referenced
this pull request
May 31, 2019
- Improve resilience against memory attacks - overwrite memory before free [#3020] - Prevent infinite save loop when location is unavailable [#3026] - Attempt to fix quitting application when shutdown or logout issued [#3199] - Support merging database custom data [#3002] - Fix opening URL's with non-http schemes [#3153] - Fix data loss due to not reading all database attachments if duplicates exist [#3180] - Fix entry context menu disabling when using keyboard navigation [#3199] - Fix behaviors when canceling an entry edit [#3199] - Fix processing of tray icon click and doubleclick [#3112] - Update group in preview widget when focused [#3199] - Prefer DuckDuckGo service over direct icon download (increases resolution) [#2996] - Remove apply button in application settings [#3019] - Use winqtdeploy on Windows to correct deployment issues [#3025] - Don't mark entry edit as modified when attribute selection changes [#3041] - Use console code page CP_UTF8 on Windows if supported [#3050] - Snap: Fix locking database with session lock [#3046] - Snap: Fix theming across Linux distributions [#3057] - Snap: Use SNAP_USER_COMMON and SNAP_USER_DATA directories [#3131] - KeeShare: Automatically enable WITH_XC_KEESHARE_SECURE if quazip is found [#3088] - macOS: Fix toolbar text when in dark mode [#2998] - macOS: Lock database on switching user [#3097] - macOS: Fix global Auto-Type when the database is locked [#3138] - Browser: Close popups when database is locked [#3093] - Browser: Add tests [#3016] - Browser: Don't create default group if custom group is enabled [#3127]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
Description and Context
To reduce residual fragments of secret data in memory after
deallocation, this patch replaces the global delete operator with a
version that zeros out previously allocated memory. It makes use of
the new C++14 sized deallocation, but provides an unsized fallback
with platform-specific size deductions.
This change is only a minor mitigation and cannot protect against
buffer reallocations by the operating system or non-C++ libraries.
Thus, we still cannot guarantee all memory to be wiped after free.
As a further improvement, this patch uses libgcrypt and libsodium
to write long-lived master key component hashes into a secure
memory area and wipe it afterwards.
Testing strategy
Testing as a major part of 2.4.2
Checklist:
-DWITH_ASAN=ON. [REQUIRED]