Peter Gutmann wrote:

> So was this a case of "recover data from an active app's memory image"
> (not surprising) or "recover data after the app has exited"
> (surprising, at least for the crypto apps)?

For this paper, I specifically examined the case where memory was dumped while the applications were still active. The snapshots were taken up to 45 minutes after the passwords were entered. (See Appendix A for the full testing procedure.) Given that users keep applications such as SSH, Truecrypt, email, etc. open for a significant percentage of the time that they use their systems, I do think it's important for applications to zero sensitive data immediately after it is used rather than waiting until the process is closed. Also, as you point out, there were passwords such as SSH and root which were retained outside of the application's memory.

I also did some preliminary experiments to test whether passwords remained in memory after the applications were closed. However, I decided to wait until the Princeton/EFF/Wind River folks released their memory dumper code before analyzing this in detail. As described in the paper, there are now annoying limitations on access to /dev/mem in Linux, so I thought it would be best to approach this particular question by getting a full memory image using cold boot techniques.

As a next step, it would be great to follow the same procedure, but image all of memory after the applications have been closed. Using Jake Appelbaum and co's newly released memory imaging tools would probably be an easy way to get full memory dumps from any OS: http://citp.princeton.edu/memory/code/

Based on your feedback, I've updated section 2 and the abstract to clarify: http://philosecurity.org/pubs/davidoff-clearmem-linux.pdf

Thanks for your comments,
Sherri

--
http://philosecurity.org

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
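The point Sherri makes about zeroing a password as soon as it has been used, shown as an added example in C (not code from her paper or from this thread): a wipe the compiler cannot optimise away, plus a scan that checks a memory region the way an analysis of a memory image would. The arena, the offset and the password are constructed stand-ins for a real process heap.

```c
/* Added example: why zeroing a password right after use matters, and how
 * to verify that it worked. "arena" stands in for a process's memory as a
 * memory dumper would capture it. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Wipe that dead-store elimination cannot remove: every store goes through
 * a volatile pointer. Same intent as explicit_bzero()/memset_s(), written
 * portably here because not every libc on the list's platforms has them. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Scan a region for a secret the way a post-mortem search of a memory
 * image would. Returns 1 if any copy of `secret` survives, else 0. */
int secret_remnant_found(const unsigned char *region, size_t len,
                         const char *secret) {
    size_t slen = strlen(secret);
    if (slen == 0 || slen > len) return 0;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(region + i, secret, slen) == 0) return 1;
    return 0;
}

/* Simulate an application that reads a password into its memory, uses it,
 * and then either wipes it immediately (wipe=1) or leaves it there until
 * exit (wipe=0). Returns 1 if a later "dump" of the arena still holds it,
 * 0 if not, -1 on allocation failure. */
int password_survives_dump(const char *password, int wipe) {
    enum { ARENA = 4096 };                      /* constructed heap size */
    unsigned char *arena = calloc(ARENA, 1);
    if (!arena) return -1;
    char *pw = (char *)arena + 1000;            /* constructed offset */
    strcpy(pw, password);                       /* app stores the password */
    /* ... authentication happens here; the password is no longer needed ... */
    if (wipe) secure_wipe(pw, strlen(pw) + 1);  /* clear it, terminator too */
    int found = secret_remnant_found(arena, ARENA, password); /* the dump */
    free(arena);
    return found;
}
```

The same scan can be run over a real memory image file to confirm that an application's wipe actually took effect rather than trusting that it did.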