Secmalloc - a secure memory library
by David Shaw
Download
secmalloc-0.5.tar.gz
secmalloc-0.5.tar.gz.sig (signed by my key 0x99242560)
What is secure memory?
Most modern systems have some notion of swap, where the contents of
memory can be written to disk, freeing up the memory for other
purposes. This allows the system a lot of flexibility in managing its
memory. Infrequently used data is a prime candidate for swapping to
disk, thus freeing up the real memory for more useful purposes. This
can be a problem when using cryptography as there is a danger of keys
or other sensitive data ending up in swap where (eventually) it may
fall into the wrong hands. Secmalloc provides a secure version of the
common 'malloc' interface for managing memory. All memory allocated
by secmalloc is locked, so that it cannot be swapped out.
Basic instructions
To use the library, create a structure of type struct
secmalloc_config, fill it in, and pass it to secmalloc_init(). After
that, you can call:
void *secmalloc(size_t size);                   /* use like malloc() */
void *seccalloc(size_t nmemb, size_t size);     /* use like calloc() */
void secfree(void *ptr);                        /* use like free() */
void *secrealloc(void *ptr, size_t size);       /* use like realloc() */
Do not pass a malloc()-ed pointer to secfree(), and similarly do not
pass a secmalloc()-ed pointer to free().
More detailed documentation for the different fields of struct
secmalloc_config is in the secmalloc.h header file, and there are
several working code examples in the tests/ directory.
Locking by non-root users
On some platforms, only the root user can lock memory, but programmers
obviously don't always want their programs to run as root. Secmalloc
is designed to be able to handle this via the "initial_pools" option
to secmalloc_init(). Secmalloc will allocate that number of locked
memory pools immediately instead of allocating them as memory is
requested. After secmalloc_init() returns, give up the setuid
privileges. For example:
config.initial_pools=2;
secmalloc_init(&config);
setuid(xxxxx); <---- give up setuid root.
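To show what "allocate the locked pools up front, then drop privileges" means at the system-call level, here is an added illustration built directly on mmap() and mlock(). It is hypothetical code, not secmalloc's own implementation: the struct secpool type and the secpool_* functions are assumed names, the pool is mapped and locked when it is created (as initial_pools does, so the call can happen before setuid()), blocks are bump-allocated from it, and a block is wiped before it goes back. An mlock() failure, which is what a non-root process may see on some platforms, is recorded rather than ignored.

```c
#define _DEFAULT_SOURCE          /* MAP_ANONYMOUS on glibc */
#include <stddef.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD / OS X spelling */
#endif

struct secpool {                 /* hypothetical type, not secmalloc's own */
    unsigned char *base;         /* start of the mmap()ed region */
    size_t size, used;           /* region size, bytes handed out so far */
    int locked;                  /* 1 if mlock() succeeded, else 0 */
};

/* Map and lock one pool up front, as initial_pools does, so it exists before
 * privileges are dropped. Returns -1 only if mmap() fails; an mlock() failure
 * (e.g. non-root with a small RLIMIT_MEMLOCK) is recorded in p->locked. */
int secpool_create(struct secpool *p, size_t size)
{
    void *m = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    p->base = m; p->size = size; p->used = 0;
    p->locked = (mlock(m, size) == 0);
    return 0;
}

/* Bump-allocate a 16-byte aligned block; NULL when the pool is exhausted. */
void *secpool_alloc(struct secpool *p, size_t n)
{
    size_t rounded = (n + 15) & ~(size_t)15;
    if (rounded < n || rounded > p->size - p->used) return NULL;
    void *blk = p->base + p->used;
    p->used += rounded;
    return blk;
}

/* Wipe a block before reuse; volatile stops the compiler dropping the stores. */
void secpool_wipe(void *blk, size_t n)
{
    volatile unsigned char *v = blk;
    while (n--) *v++ = 0;
}

/* Wipe, unlock and unmap the whole pool. */
void secpool_destroy(struct secpool *p)
{
    secpool_wipe(p->base, p->size);
    if (p->locked) munlock(p->base, p->size);
    munmap(p->base, p->size);
    p->base = NULL;
}
```

A program that needs locked memory without root would call secpool_create() for each pool while still privileged, check p->locked, and only then call setuid() as in the snippet above.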
pkg-config
Probably the easiest way to link to secmalloc is via pkg-config. From
the command line:
gcc program.c `pkg-config --cflags --libs secmalloc`
Or via autoconf:
PKG_CHECK_MODULES(SECMALLOC,secmalloc,HAVE_SECMALLOC=yes,HAVE_SECMALLOC=no)
This defines @SECMALLOC_CFLAGS@ and @SECMALLOC_LIBS@ appropriate for use
in your Makefiles. You can also base whatever logic you desire on
$HAVE_SECMALLOC.
Portability
Tested (in that it builds and passes all self tests) on:
- AIX 5.3 (PowerPC)
- HPUX 11.11 (HPPA)
- IRIX 6.5 (MIPS)
- Linux 2.6 (x86)
- OS X "Panther" (PowerPC)
- OS X "Tiger" (PowerPC)
- OS X "Tiger" (x86)
- Solaris 2.10 (x86)
This library was originally a good bit more complex, in that it would
try multiple ways to mmap() and round malloc()ed blocks of memory to
fall on page boundaries. In testing, it became clear that this was
not really necessary in practice, as I was not able to find a platform
on which the current allocation and locking methods did not work. I'm
releasing this library without the extra complexity as a bit of an
experiment. If you find a platform that does not work (i.e. 'make
check' fails), do let me know, and I'll do my best to make it work
there as well.
Universal Binaries on Apple OS X
You can build a universal ("fat") library that will work on both PPC
and Intel Macs with:
./configure CFLAGS="-arch ppc -arch i386" --disable-dependency-tracking
Note that if you are doing the build on an OS X 10.4 (Tiger) PPC
machine you may need to add the following to those CFLAGS:
"-isysroot /Developer/SDKs/MacOSX10.4u.sdk"
The additional isysroot is not necessary on Intel Tiger boxes, or any
Leopard boxes.
RPMs
Secmalloc ships with an RPM spec file. You can build the RPMs with the
usual "rpmbuild -ta /path/to/the/secmalloc/tarball.tar.gz".