
Improve resilience against memory attacks #3020

Merged
merged 1 commit into from Apr 21, 2019

Conversation

2 participants
@droidmonkey (Member) commented Apr 17, 2019

Type of change

  • Refactor (significant modification to existing code)

Description and Context

To reduce residual fragments of secret data in memory after
deallocation, this patch replaces the global delete operator with a
version that zeros out previously allocated memory. It makes use of
the new C++14 sized deallocation, but provides an unsized fallback
with platform-specific size deductions.

This change is only a minor mitigation and cannot protect against
buffer reallocations by the operating system or non-C++ libraries.
Thus, we still cannot guarantee all memory to be wiped after free.

As a further improvement, this patch uses libgcrypt and libsodium
to write long-lived master key component hashes into a secure
memory area and wipe it afterwards.

Testing strategy

Testing as a major part of 2.4.2

Checklist:

  • I have read the CONTRIBUTING document. [REQUIRED]
  • My code follows the code style of this project. [REQUIRED]
  • All new and existing tests passed. [REQUIRED]
  • I have compiled and verified my code with -DWITH_ASAN=ON. [REQUIRED]
  • My change requires a change to the documentation, and I have updated it accordingly.
  • I have added tests to cover my changes.
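The description above explains the mechanism in prose only: the global `delete` operator is replaced by one that wipes the block before returning it to the heap, using C++14 sized deallocation where the compiler supplies the size and a platform-specific size query as the unsized fallback. The following is an added, self-contained illustration of that idea; it is not KeePassXC's own `Alloc.cpp` and makes its own choices (a `malloc`-backed `operator new` so the `free()`-based delete matches it, a volatile-store `secureZero`, and a `wipedBytes()` counter that exists only so the behaviour can be checked without reading freed memory, which would be undefined behaviour). The platform size functions are real (`malloc_usable_size` on glibc, `malloc_size` on macOS, `_msize` on Windows); everything else, including the sample "secret", is constructed for the example.

```cpp
// Added example: zeroing global deallocation functions with a sized
// (C++14) path and an unsized fallback that asks the allocator for the size.
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>

#if defined(__GLIBC__)
#include <malloc.h>         // malloc_usable_size
#elif defined(__APPLE__)
#include <malloc/malloc.h>  // malloc_size
#elif defined(_WIN32)
#include <malloc.h>         // _msize
#endif

// Running total of bytes wiped by operator delete. Only here so the effect
// is observable from a test; a real implementation would not keep this.
static std::atomic<std::size_t> g_wipedBytes{0};

std::size_t wipedBytes() { return g_wipedBytes.load(); }

// Zero a buffer through a volatile pointer so the compiler cannot drop the
// stores as dead writes (a plain memset right before free() is routinely
// optimised away).
void secureZero(void* p, std::size_t n)
{
    volatile unsigned char* v = static_cast<volatile unsigned char*>(p);
    while (n--) {
        *v++ = 0;
    }
}

bool isAllZero(const void* p, std::size_t n)
{
    const unsigned char* b = static_cast<const unsigned char*>(p);
    for (std::size_t i = 0; i < n; ++i) {
        if (b[i] != 0) return false;
    }
    return true;
}

// Platform-specific size deduction for the unsized delete fallback.
// Returns 0 when the platform offers no way to query the block size;
// the caller then wipes nothing rather than guessing.
std::size_t deduceAllocationSize(void* p)
{
#if defined(__GLIBC__)
    return malloc_usable_size(p);
#elif defined(__APPLE__)
    return malloc_size(p);
#elif defined(_WIN32)
    return _msize(p);
#else
    (void)p;
    return 0;
#endif
}

static void wipeAndFree(void* p, std::size_t size) noexcept
{
    if (!p) return;
    if (size == 0) size = deduceAllocationSize(p);  // unsized fallback
    secureZero(p, size);
    g_wipedBytes.fetch_add(size);
    std::free(p);
}

// Allocation goes through malloc so the free()-based delete matches it.
void* operator new(std::size_t size)
{
    if (size == 0) size = 1;  // malloc(0) may legally return nullptr
    void* p = std::malloc(size);
    if (!p) throw std::bad_alloc();
    return p;
}
void* operator new[](std::size_t size) { return ::operator new(size); }

// Sized variants: with C++14 sized deallocation the compiler passes the
// static size of the deleted object, so no allocator query is needed.
void operator delete(void* p, std::size_t size) noexcept { wipeAndFree(p, size); }
void operator delete[](void* p, std::size_t size) noexcept { wipeAndFree(p, size); }
// Unsized variants: size unknown, deduce it from the allocator.
void operator delete(void* p) noexcept { wipeAndFree(p, 0); }
void operator delete[](void* p) noexcept { wipeAndFree(p, 0); }

// Allocate a constructed 64-byte "secret", destroy it, and report how many
// bytes the delete path wiped (at least 64 on any platform with either
// sized deallocation or a working size query).
std::size_t wipeDemo()
{
    const std::size_t before = wipedBytes();
    char* secret = new char[64];
    std::memset(secret, 'k', 64);  // stand-in for key material
    delete[] secret;
    return wipedBytes() - before;
}

// Self-check for secureZero on a stack buffer, no freed memory involved.
bool secureZeroSelfTest()
{
    unsigned char buf[32];
    std::memset(buf, 0xAB, sizeof buf);
    secureZero(buf, sizeof buf);
    return isAllZero(buf, sizeof buf);
}

int main()
{
    std::printf("secureZero ok: %d\n", secureZeroSelfTest() ? 1 : 0);
    std::printf("bytes wiped by delete[]: %zu\n", wipeDemo());
    return 0;
}
```

Two caveats match the limitations the description itself states: the wipe covers only blocks that go through C++ `delete` (not `free()` calls made by C libraries, nor pages the kernel reclaims), and on a platform where `deduceAllocationSize` returns 0 the unsized path wipes nothing, so the sized path is the one to rely on. Note also that some compilers only emit calls to the sized forms with sized deallocation enabled (for example `-fsized-deallocation` on older Clang), which is exactly why the fallback exists.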

@droidmonkey droidmonkey added this to the v2.4.2 milestone Apr 17, 2019

@droidmonkey droidmonkey requested review from phoerious, louib and varjolintu Apr 17, 2019

@phoerious phoerious force-pushed the feature/memory-protection-v2 branch 3 times, most recently from d637fd0 to 6a42e1a Apr 20, 2019

@phoerious (Member) left a comment

Please have another look. It's ready to ship from my side.

@phoerious phoerious force-pushed the feature/memory-protection-v2 branch from 6a42e1a to 477d4fe Apr 20, 2019

@droidmonkey (Member, Author) left a comment

We need to include "libsodium" as a required dependency. So need to update INSTALL.MD and the Wiki.

Review threads (resolved): src/browser/CMakeLists.txt (outdated), src/keys/PasswordKey.h

@phoerious phoerious force-pushed the feature/memory-protection-v2 branch 2 times, most recently from d35e94d to 21372f9 Apr 20, 2019

@droidmonkey (Member, Author) commented Apr 20, 2019

Looks good to me. Do we need to add "Alloc.cpp" to all the intermediate libraries? You added it to Browser but I would think it would come as part of linking against Core.

@phoerious phoerious force-pushed the feature/memory-protection-v2 branch from 21372f9 to 8a1be3d Apr 20, 2019

@phoerious (Member) commented Apr 20, 2019

It should be enough to build it into the main library as it's applied during link time. I added it to browser, because it didn't link against the core lib, but the core lib is linking against browser, of course. So it's actually redundant here. I did add it to the proxy, though, since that one's a standalone binary that doesn't link against core.

Improve resilience against memory attacks
To reduce residual fragments of secret data in memory after
deallocation, this patch replaces the global delete operator with a
version that zeros out previously allocated memory. It makes use of
the new C++14 sized deallocation, but provides an unsized fallback
with platform-specific size deductions.

This change is only a minor mitigation and cannot protect against
buffer reallocations by the operating system or non-C++ libraries.
Thus, we still cannot guarantee all memory to be wiped after free.

As a further improvement, this patch uses libgcrypt and libsodium
to write long-lived master key component hashes into a secure
memory area and wipe it afterwards.

The patch also fixes compiler flags not being set properly on macOS.

@phoerious phoerious force-pushed the feature/memory-protection-v2 branch from 8a1be3d to cba6c9e Apr 20, 2019

@droidmonkey droidmonkey merged commit 13eb1c0 into release/2.4.2 Apr 21, 2019

3 checks passed:

  • MacOS (KeepassXC): TeamCity build finished
  • Ubuntu Linux (KeepassXC): TeamCity build finished
  • Windows 10 (KeepassXC): TeamCity build finished

@droidmonkey droidmonkey deleted the feature/memory-protection-v2 branch Apr 21, 2019

droidmonkey added a commit that referenced this pull request May 31, 2019

Release 2.4.2
- Improve resilience against memory attacks - overwrite memory before free [#3020]
- Prevent infinite save loop when location is unavailable [#3026]
- Attempt to fix quitting application when shutdown or logout issued [#3199]
- Support merging database custom data [#3002]
- Fix opening URLs with non-http schemes [#3153]
- Fix data loss due to not reading all database attachments if duplicates exist [#3180]
- Fix entry context menu disabling when using keyboard navigation [#3199]
- Fix behaviors when canceling an entry edit [#3199]
- Fix processing of tray icon click and double-click [#3112]
- Update group in preview widget when focused [#3199]
- Prefer DuckDuckGo service over direct icon download (increases resolution) [#2996]
- Remove apply button in application settings [#3019]
- Use winqtdeploy on Windows to correct deployment issues [#3025]
- Don't mark entry edit as modified when attribute selection changes [#3041]
- Use console code page CP_UTF8 on Windows if supported [#3050]
- Snap: Fix locking database with session lock [#3046]
- Snap: Fix theming across Linux distributions [#3057]
- Snap: Use SNAP_USER_COMMON and SNAP_USER_DATA directories [#3131]
- KeeShare: Automatically enable WITH_XC_KEESHARE_SECURE if quazip is found [#3088]
- macOS: Fix toolbar text when in dark mode [#2998]
- macOS: Lock database on switching user [#3097]
- macOS: Fix global Auto-Type when the database is locked [#3138]
- Browser: Close popups when database is locked [#3093]
- Browser: Add tests [#3016]
- Browser: Don't create default group if custom group is enabled [#3127]