MemGuard - Secure Software Enclave for Storage of Sensitive Information in Memory
This package attempts to reduce the likelihood of sensitive data being exposed. It supports all major operating systems and is written in pure Go.
- Sensitive data is encrypted and authenticated in memory using xSalsa20 and Poly1305 respectively. The scheme also defends against cold-boot attacks.
- Memory allocation bypasses the language runtime by using system calls to request resources from the kernel directly. This avoids interference from the garbage collector.
- Buffers that store plaintext data are fortified with guard pages and canary values to detect spurious accesses and overflows.
- Effort is taken to prevent sensitive data from touching the disk. This includes locking memory to prevent swapping and handling core dumps.
- Kernel-level immutability is implemented so that attempted modification of protected regions results in an access violation.
- Multiple endpoints provide session purging and safe termination capabilities, as well as signal handling to prevent remnant data being left behind.
- Side-channel attacks are mitigated by making sure that the copying and comparison of data is done in constant time.
- Accidental memory leaks are mitigated by harnessing the garbage collector to automatically destroy containers that have become unreachable.
Some features were inspired by libsodium, so credits to them.
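To make the guard-page, canary, memory-locking and wiping features above concrete, here is an added toy illustration written for this page; it is not memguard's own code and omits the encryption layer. It assumes a Linux host (anonymous mmap, mprotect, mlock via Go's standard syscall package) and a constructed 32-byte canary size.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"syscall"
)

// guardedBuffer mimics the plaintext-buffer layout the README describes:
// [guard page][ unused | 32-byte canary | Data ][guard page]. Data ends on the
// last inner byte, so an overflow faults on the PROT_NONE guard page, and the
// random canary just before Data catches writes that land short of it.
type guardedBuffer struct {
	region, inner []byte // whole mapping; the RW pages between the guards
	canary, Data  []byte // views into inner; canary immediately precedes Data
	canaryRef     [32]byte
}

func newGuardedBuffer(size int) (*guardedBuffer, error) {
	page := syscall.Getpagesize()
	inner := ((size + 32 + page - 1) / page) * page // canary+Data, whole pages
	region, err := syscall.Mmap(-1, 0, inner+2*page,
		syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_PRIVATE|syscall.MAP_ANON)
	if err != nil {
		return nil, err
	}
	for _, g := range [][]byte{region[:page], region[page+inner:]} { // guard pages
		if err := syscall.Mprotect(g, syscall.PROT_NONE); err != nil {
			return nil, err
		}
	}
	b := &guardedBuffer{region: region, inner: region[page : page+inner]}
	syscall.Mlock(b.inner) // keep plaintext out of swap; best effort under RLIMIT_MEMLOCK
	b.Data, b.canary = b.inner[inner-size:], b.inner[inner-size-32:inner-size]
	if _, err := rand.Read(b.canaryRef[:]); err != nil {
		return nil, err
	}
	copy(b.canary, b.canaryRef[:])
	return b, nil
}

// Verify compares the live canary against the saved copy in constant time.
func (b *guardedBuffer) Verify() bool { return subtle.ConstantTimeCompare(b.canary, b.canaryRef[:]) == 1 }

// Destroy zeroes plaintext and canary before unmapping (munmap also drops the mlock).
func (b *guardedBuffer) Destroy() error {
	for i := range b.inner {
		b.inner[i] = 0
	}
	return syscall.Munmap(b.region)
}
```

Usage: allocate with newGuardedBuffer(n), write into Data, call Verify() before trusting the contents, and Destroy() as soon as the secret is no longer needed.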
$ go get github.com/awnumar/memguard
We strongly encourage you to pin a specific version for a clean and reliable build. This can be accomplished using modules.
- Using the package and identifying points of friction.
- Reading the source code and looking for improvements.
- Adding interesting and useful program samples to ./examples.
- Developing proof-of-concept attacks and mitigations.
- Improving compatibility with more kernels and architectures.
- Implementing kernel-specific and CPU-specific protections.
- Writing useful security and crypto libraries that utilise memguard.
- Submitting performance improvements or benchmarking code.
Issues are for reporting bugs and for discussion of proposals. Pull requests should be made against master.
- Ability to stream data to and from encrypted enclave objects.
- Catch segmentation faults to wipe memory before crashing.
- Evaluate and improve the strategies in place, particularly for Coffer objects.
- Formalise a threat model and evaluate our performance against it.
- Use lessons learned to apply patches upstream to the Go language and runtime.