
Re: Credentials held unencrypted in memory during runtime

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Tue, 12 Apr 2011 19:30:42 +0200

On 12.04.2011 19:25, Simon Large wrote:
> On 12 April 2011 17:55, Dale McCoy<dalestan_at_gmail.com> wrote:
>> On Tue, Apr 12, 2011 at 08:24, John McNamee<jpm_at_microwiz.com> wrote:
>>> Stefan Küng<tortoisesvn_at_gmail.com> wrote:
>>>> If your system is configured so that users actually can open and
>>>> read the paging file you don't need to worry about security issues
>>>> anymore. Because you don't have any security at all and therefore
>>>> can't have any issues with it. Can't have an issue with something that
>>>> doesn't exist.
>>>
>>> The issue is not what happens while the OS is running. Proper configuration
>>> should prevent any information leaks, and improper configuration means you've
>>> already lost.
>>>
>>> The problem is what happens if an attacker can examine the disk while the OS
>>> is offline. There have been too many examples of laptops being lost/stolen
>>> with sensitive data on them to dismiss this scenario.
>>
>> I'd say this is another case of improper configuration. If any
>> non-root user can read your pagefile, regardless of the circumstances,
>> then you have no security.
>> If this is a problem, then you need to either prevent physical access
>> to the hardware or apply a configuration that prevents root privileges
>> from being acquired even with the benefit of physical access. Or both.
>
> This is not talking about normal OS consumers being able to read the
> page file. If you boot from CD into Linux and look at the drive as a
> raw device you can see its content. No OS can protect you from that.

And no normal process can prevent its memory from being stored in the
page file.
But let's be serious: if you can boot the computer with another OS, all
your data is not protected anymore anyway. Basically, in such a
situation you don't own your PC anymore.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719156
Received on 2011-04-12 19:30:55 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
