#7003: Wipe relay keys on common crash conditions
---------------------------------------------+------------------------------
Reporter: mikeperry | Owner:
Type: enhancement | Status: new
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor Relay | Version:
Keywords: MikePerry201212, small-feature | Parent: #5456
Points: | Actualpoints:
---------------------------------------------+------------------------------

Tor should wipe key material before common crash conditions, to avoid key
material leak in the case where relay operators have otherwise taken steps
to keep key material off of disk.

There are two vectors towards obtaining key material after crash: core
files, and large mmap attempts by other users' processes.

It turns out many OS kernels do not provide ways to defend against the
latter case. Therefore, tor should attempt to wipe sensitive key material
on atexit, SIGSEGV, SIGBUS, tor_assert() and other common exit conditions.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7003>
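
One way to structure the wipe this ticket asks for, as an added example that is not Tor's code and not part of the ticket: secrets are registered once, then zeroed from an atexit hook and from handlers for the fatal signals. The names `register_secret`, `wipe_secrets` and `install_wipe_handlers` are hypothetical, and SIGABRT is assumed to be how a failed assertion ends the process.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not Tor code; all names here are hypothetical. */
#define MAX_SECRETS 8
static struct { volatile unsigned char *p; size_t len; } secrets[MAX_SECRETS];
static volatile sig_atomic_t n_secrets;

/* Record a buffer that must be zeroed before the process dies. */
int register_secret(void *buf, size_t len) {
    if (buf == NULL || n_secrets >= MAX_SECRETS) return -1;
    secrets[n_secrets].p = buf;
    secrets[n_secrets].len = len;
    n_secrets++;  /* publish last so a handler never sees a half-filled slot */
    return 0;
}

/* Volatile stores only: async-signal-safe, and not removable as dead stores. */
void wipe_secrets(void) {
    for (int i = 0; i < n_secrets; i++)
        for (size_t j = 0; j < secrets[i].len; j++)
            secrets[i].p[j] = 0;
}

static void crash_handler(int sig) {
    wipe_secrets();
    raise(sig);  /* SA_RESETHAND restored SIG_DFL, so the default action still runs */
}

/* Hook normal exit plus the fatal signals named in the ticket. */
int install_wipe_handlers(void) {
    static const int sigs[] = { SIGSEGV, SIGBUS, SIGABRT };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = crash_handler;
    sa.sa_flags = SA_RESETHAND;  /* one shot: the re-raised signal is not caught */
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0) return -1;
    return atexit(wipe_secrets) == 0 ? 0 : -1;
}

int main(void) {
    static unsigned char key[32];  /* constructed stand-in for key material */
    memset(key, 0xA5, sizeof key);
    if (register_secret(key, sizeof key) || install_wipe_handlers()) return 1;
    abort();  /* simulated assertion failure: key is zeroed before the core is written */
}
```

Registered buffers must outlive `main` (static or heap), because the atexit hook runs after `main` returns. SIGKILL cannot be caught, so this covers only the exit paths the ticket lists.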