Does Vault leak secrets in core dumps?


Pinku Surana

Apr 12, 2017, 11:06:39 PM
to Vault
I was looking through the code and noticed Vault uses mlock. I assume this is so the keys aren't accidentally saved to swap. However, is there any precaution against keys showing up in core dumps? I'm wondering if on Linux using madvise's MADV_DONTDUMP could prevent this. Or is there a recommended way to prevent core dumps?

Thanks.

Michael Fischer

Apr 12, 2017, 11:23:50 PM
to vault...@googlegroups.com
Vault uses the mlock(2) syscall to prevent pages from being swapped to disk.  

See https://www.vaultproject.io/docs/configuration/index.html#disable_mlock for more details, and how to ensure Vault can run that syscall (that's normally privileged) without needing to run as the root user.

Best regards,

--Michael


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/5b907cee-a883-4f8b-9b7b-d11caa7343dd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matthew Irish

Apr 13, 2017, 12:03:35 PM
to vault...@googlegroups.com
Hi Pinku, 

Please also check out https://www.vaultproject.io/docs/internals/security.html - it explains more about Vault's threat model. A core dump would not be covered in this threat model; here's the specific quote about it being outside of Vault's threat model from that page:

    Protecting against memory analysis of a running Vault. If an attacker is able to inspect the memory state of a running Vault instance then the confidentiality of data may be compromised.

thanks,

Matthew


Jeff Mitchell

Apr 13, 2017, 1:10:28 PM
to Vault
Hi Pinku,

Generally speaking, Go will not generate core dumps on a crash, although this is controllable via the GOTRACEBACK environment variable, so there is currently some administrative control over whether core dumps occur (and they do not by default).

Best,
Jeff


Michael Fischer

Apr 13, 2017, 1:15:57 PM
to vault...@googlegroups.com
Apologies for the original non-answer to your question :)

One thing you can do is set a core file size ulimit of 0, which will guarantee a core file will not be generated.

If you're using systemd, you can set LimitCORE=0 (see https://www.freedesktop.org/software/systemd/man/systemd.exec.html).

(Maybe a sample systemd unit file is worth adding to the source distribution?)

--Michael


Pinku Surana

Apr 13, 2017, 3:59:54 PM
to Vault
Thanks for the info. We'll configure our system to prevent core dumps.

However, why not add "madvise"? The libsodium library does everything correctly here. If they can do it, surely you can too. :-) 



Michael Fischer

Apr 13, 2017, 4:17:34 PM
to vault...@googlegroups.com
Go's syscall package doesn't yet support that constant (see https://golang.org/pkg/syscall/#pkg-constants).  

Also, MADV_DONTDUMP was added in Linux 3.4+; there are still long-term supported Linux distributions that run 3.2 and even 2.7 series kernels.  So kernel-specific Vault packages would have to be created, and Vault linked with cgo in order to determine whether it's supported at compile time...
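Added example, not from the thread or from Vault's source, and Linux-only: a Go sketch of the approach Pinku asks about, working around the gap Michael describes. It mmaps a page-aligned buffer, mlocks it and applies MADV_DONTDUMP (the constant is defined locally with its Linux value of 16 because the standard syscall package does not export it; golang.org/x/sys/unix does today), then parses /proc/self/smaps to confirm the kernel recorded the "lo" (locked) and "dd" (don't dump) VmFlags for that mapping. The function names and the 4096-byte buffer size are the editor's assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
	"unsafe"
)

// Linux MADV_DONTDUMP (kernel 3.4+); not exported by Go's syscall package, as the thread notes.
const madvDontDump = 16
// protectSecret returns a page-aligned buffer for key material that is locked against
// swapping (what Vault's mlock does) and excluded from core dumps (the thread's proposal).
// buf is only usable when err is nil.
func protectSecret(size int) (buf []byte, err error) {
	buf, err = syscall.Mmap(-1, 0, size, syscall.PROT_READ|syscall.PROT_WRITE,
		syscall.MAP_PRIVATE|syscall.MAP_ANON)
	if err == nil {
		err = syscall.Mlock(buf) // keep the pages out of swap
	}
	if err == nil {
		err = syscall.Madvise(buf, madvDontDump) // keep the pages out of core dumps
	}
	return buf, err
}

// smapsFlags parses /proc/<pid>/smaps text and returns the VmFlags of the mapping that
// contains addr, or nil if none does. "lo" = pages locked in RAM, "dd" = excluded from dumps.
func smapsFlags(smaps string, addr uint64) []string {
	inRange := false
	for _, line := range strings.Split(smaps, "\n") {
		var lo, hi uint64
		if n, _ := fmt.Sscanf(line, "%x-%x", &lo, &hi); n == 2 { // mapping header line
			inRange = addr >= lo && addr < hi
		} else if inRange && strings.HasPrefix(line, "VmFlags:") {
			return strings.Fields(line)[1:]
		}
	}
	return nil
}

func main() {
	buf, err := protectSecret(4096)
	if err != nil {
		panic(err)
	}
	raw, _ := os.ReadFile("/proc/self/smaps") // check what the kernel actually recorded
	fmt.Println("VmFlags:", smapsFlags(string(raw), uint64(uintptr(unsafe.Pointer(&buf[0])))))
}
```

Run as root or with CAP_IPC_LOCK (the same requirement the disable_mlock documentation covers) if mlock fails with ENOMEM; the output should list both lo and dd for the protected mapping.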
