Memguard : Secure Software Enclave For Storage Of Sensitive Information In Memory

MemGuard secure software enclave for storage of sensitive information in memory. This package attempts to reduce the likelihood of sensitive data being exposed. It supports all major operating systems and is written in pure Go.

Features

  • Sensitive data is encrypted and authenticated in memory using xSalsa20 and Poly1305 respectively. The scheme also defends against cold-boot attacks.
  • Memory allocation bypasses the language runtime by using system calls to query the kernel for resources directly. This avoids interference from the garbage-collector.
  • Buffers that store plaintext data are fortified with guard pages and canary values to detect spurious accesses and overflows.
  • Effort is taken to prevent sensitive data from touching the disk. This includes locking memory to prevent swapping and handling core dumps.
  • Kernel-level immutability is implemented so that attempted modification of protected regions results in an access violation.
  • Multiple endpoints provide session purging and safe termination capabilities as well as signal handling to prevent remnant data being left behind.
  • Side-channel attacks are mitigated against by making sure that the copying and comparison of data is done in constant-time.
  • Accidental memory leaks are mitigated against by harnessing the garbage-collector to automatically destroy containers that have become unreachable.

Some features were inspired by libsodium, so credits to them.

Full documentation and a complete overview of the API can be found here. Interesting and useful code samples can be found within the examples subpackage.

Also Read – RedGhost : Linux Post Exploitation Framework

Installation

$ go get github.com/awnumar/memguard

We strongly encourage you to pin a specific version for a clean and reliable build. This can be accomplished using modules.

Contributing

  • Using the package and identifying points of friction.
  • Reading the source code and looking for improvements.
  • Adding interesting and useful program samples to ./examples.
  • Developing Proof-of-Concept attacks and mitigations.
  • Improving compatibility with more kernels and architectures.
  • Implementing kernel-specific and cpu-specific protections.
  • Writing useful security and crypto libraries that utilise memguard.
  • Submitting performance improvements or benchmarking code.

Issues are for reporting bugs and for discussion on proposals. Pull requests should be made against master.

Future Goals

  • Ability to stream data to and from encrypted enclave objects.
  • Catch segmentation faults to wipe memory before crashing.
  • Evaluate and improve the strategies in place, particularly for Coffer objects.
  • Formalise a threat model and evaluate our performance in regards to it.
  • Use lessons learned to apply patches upstream to the Go language and runtime.
R K

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

7 days ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

7 days ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

7 days ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

7 days ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

1 week ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

1 week ago