Re: [sqlite] Best way to wipe out data of a closed database

2016-10-24 Thread Max Vlasov
On Mon, Oct 24, 2016 at 4:28 PM, Wade, William wrote:
> It sounds like you've got a way forward on leaks via the malloc() system 
> within the process space.
>
> 1) The region of the C process stack that was reached by some deep call stack.
> 2) Processor registers.
> 3) Process pages that were copied to disk by the OS (this could be a problem 
> even if you otherwise have a good handle on clearing malloc() blocks).
>

Good points, thanks, especially (3), as it is the more likely scenario to
contain all kinds of data and lengths. Probably in the case of predictable
memory requirements this one can be handled by providing a zero-malloc
implementation with a physically locked region of memory (in the case of
Windows, the VirtualLock API).
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Best way to wipe out data of a closed database

2016-10-24 Thread Wade, William
It sounds like you've got a way forward on leaks via the malloc() system within 
the process space.

Be aware that depending on your system (and the attackers' capabilities), you 
might have to worry about other leaks. For instance, if I did a query that 
involved a FLOAT index, and then closed the sqlite session and cleared the 
zero-malloc block, it wouldn't be at all surprising if some float values 
related to database contents, or to my query, were still in

1) The region of the C process stack that was reached by some deep call stack.
2) Processor registers.
3) Process pages that were copied to disk by the OS (this could be a problem 
even if you otherwise have a good handle on clearing malloc() blocks).

Regards,
Bill

-Original Message-
From: Max Vlasov [mailto:max.vla...@gmail.com]
Subject: [sqlite] Best way to wipe out data of a closed database

Hi,

In an application that implements encryption/decryption with a VFS, what is the 
best way to ensure that the memory of the application doesn't contain decrypted 
data after the database is closed, so that no other application could retrieve 
sensitive information by reading this process's memory? Not only the database as 
a whole but also fragments of database sectors anywhere in the process memory 
space.

One of the possible tricks is to add additional zeroing out to the global free 
handler, but this can probably introduce performance penalties.

Is there any other way to do this?

Thanks,

Max




Re: [sqlite] Best way to wipe out data of a closed database

2016-10-24 Thread Max Vlasov
On Mon, Oct 24, 2016 at 1:36 PM, Richard Hipp wrote:
>
> Memsys5 is also faster than your global system memory allocator
> (before the extra overhead of zeroing, at least).  But on the other
> hand, you have to know the maximum amount of memory SQLite will want
> at the very beginning, and that memory will be used only by SQLite and
> not other parts of your application, so memory utilization is not as
> efficient.
>

Thanks, I understand the risks and benefits, so probably it will be
either zero-malloc allocator or my own allocator replacement.


Re: [sqlite] Best way to wipe out data of a closed database

2016-10-24 Thread Max Vlasov
Simon, thanks.
I had never heard of secure_delete; interesting, but probably of no use in the
case of a VFS layer that leaves only encrypted data on disk.
As for the zero-malloc option, it looks promising.

On Mon, Oct 24, 2016 at 1:34 PM, Simon Slavin wrote:
>
> On 24 Oct 2016, at 9:58am, Max Vlasov wrote:
>
>> in an application that implements encryption/decryption with VFS, what
>> is the best way to ensure that the memory of the application doesn't
>> contain decrypted data after the database is closed.
>
> We can't answer about memory that your own application handles, of course.
>
> To ensure zeroing out of memory I suggest you use the zero-malloc option as 
> provided by SQLite's memory allocator.  For more details on them see sections 
> 3.1.4 and 3.1.5 of
>
> 
>
> It's also worth noting here that SQLite has the following PRAGMA:
>
> PRAGMA schema.secure_delete = boolean
>
> which zeros space in files.  However I don't remember this working by zeroing 
> out the memory copy of the file then writing that block to disk.
>
> Simon.


Re: [sqlite] Best way to wipe out data of a closed database

2016-10-24 Thread Richard Hipp
On 10/24/16, Max Vlasov wrote:
>
> One of the possible tricks is to add additional zeroing out to the
> global free handler, but this can probably introduce performance
> penalties.
>
> Is there any other way to do this?

If you set up to use memsys5 at compile-time
(https://www.sqlite.org/malloc.html#zero_malloc_memory_allocator) then
after all use of SQLite has ended, you are left with a single big
chunk of memory that can be zeroed.

Memsys5 is also faster than your global system memory allocator
(before the extra overhead of zeroing, at least).  But on the other
hand, you have to know the maximum amount of memory SQLite will want
at the very beginning, and that memory will be used only by SQLite and
not other parts of your application, so memory utilization is not as
efficient.

-- 
D. Richard Hipp
d...@sqlite.org
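The pattern Richard describes (one application-owned heap for memsys5, zeroed after SQLite shuts down) combined with Wade's point (3) and Max's locked-memory answer, as an added example that is not code from the thread or from SQLite. It assumes a hypothetical 64 KiB buffer and POSIX mlock; in a real build compiled with SQLITE_ENABLE_MEMSYS5 the same buffer is passed to `sqlite3_config(SQLITE_CONFIG_HEAP, ...)` before `sqlite3_initialize()`, and the wipe runs after `sqlite3_shutdown()`. The SQLite calls themselves are left as comments so the block runs stand-alone.

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>   /* mlock/munlock; on Windows use VirtualLock/VirtualUnlock */

/* One application-owned heap, as memsys5 expects. Hypothetical size: a real
 * build must size it for SQLite's peak usage, since memsys5 never grows it.
 * Hand it over before any other SQLite call:
 *   sqlite3_config(SQLITE_CONFIG_HEAP, g_heap, (int)sizeof g_heap, 8);
 * (8 = minimum allocation size). Fails with SQLITE_ERROR unless the library
 * was compiled with SQLITE_ENABLE_MEMSYS5. */
#define HEAP_SIZE (64 * 1024)
static unsigned char g_heap[HEAP_SIZE];
static int g_locked;

/* Byte-wise store through a volatile pointer so the compiler cannot drop the
 * wipe as a dead store on memory it thinks is never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Pin the heap so the OS does not copy decrypted pages to swap (Wade's 3).
 * Returns 0 if RLIMIT_MEMLOCK forbids it; the caller decides whether to abort. */
int heap_lock(void) {
    g_locked = (mlock(g_heap, sizeof g_heap) == 0);
    return g_locked;
}

/* Call after sqlite3_shutdown(): every SQLite allocation lived in this one
 * chunk, so one wipe covers page cache, statement buffers and temp space.
 * Stack residue and registers (Wade's 1 and 2) are out of reach here. */
void heap_wipe_and_unlock(void) {
    secure_wipe(g_heap, sizeof g_heap);
    if (g_locked) { munlock(g_heap, sizeof g_heap); g_locked = 0; }
}

/* Stand-in for SQLite placing a decrypted page somewhere inside its heap. */
void simulate_sqlite_use(const char *plaintext) {
    memcpy(g_heap + 4096, plaintext, strlen(plaintext));
}

/* Returns 1 if a byte pattern still occurs anywhere in the heap. */
int heap_contains(const char *pat) {
    size_t n = strlen(pat);
    for (size_t i = 0; i + n <= sizeof g_heap; i++)
        if (memcmp(g_heap + i, pat, n) == 0) return 1;
    return 0;
}

/* Returns 1 only if every byte of the heap is zero. */
int heap_is_clean(void) {
    for (size_t i = 0; i < sizeof g_heap; i++) if (g_heap[i]) return 0;
    return 1;
}
```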


Re: [sqlite] Best way to wipe out data of a closed database

2016-10-24 Thread Simon Slavin

On 24 Oct 2016, at 9:58am, Max Vlasov wrote:

> in an application that implements encryption/decryption with VFS, what
> is the best way to ensure that the memory of the application doesn't
> contain decrypted data after the database is closed.

We can't answer about memory that your own application handles, of course.

To ensure zeroing out of memory I suggest you use the zero-malloc option as 
provided by SQLite's memory allocator.  For more details on them see sections 
3.1.4 and 3.1.5 of



It's also worth noting here that SQLite has the following PRAGMA:

PRAGMA schema.secure_delete = boolean

which zeros space in files.  However I don't remember this working by zeroing 
out the memory copy of the file then writing that block to disk.

Simon.