Jump to content
Enpass Discussion Forum

core dumps and the MADV_DONTDUMP flag


sxc4567
 Share

Recommended Posts

Hi there,

I've been an avid Enpass user for many years and I love how it keeps improving!

Recently though, I had a scare: Enpass core-dumped.  This likely wasn't Enpass' own fault as it had been pretty stable until I upgraded my machine to Ubuntu 22.04; after the upgrade, I experienced a definite uptick in crashes with a number of apps that were running fine before.

The main issue here is that Ubuntu decided to upload the crash report (complete with core dump) to their server without so much as notifying, much less prompting me!  When I discovered this a few days later I was livid.  I'm not sure the state Enpass was in when the crash occurred; it was possibly locked on the PIN prompt but it could also have been unlocked. 

I decided the risk was too big and proceeded to change all my passwords!  You can imagine how pleasant and productive an activity this is...

Now that I'm aware of the risk posed by this scenario, I'd like to rest a little easier next time something as drastic as this happens.

Someone on reddit came up with the following tip:

Quote

 

From "man core":

"a core dump may exclude part of the address space of the process if the madvise(2) MADV_DONTDUMP flag was employed."

 

Does Enpass make use of this feature?  If not, could it in the future?  I'd love to get back on the reddit thread to point out that actually my data was safe all along, all thanks to Enpass.

Link to comment
Share on other sites

Hi @sxc4567

I can understand the risks associated with this unfortunate situation. We use both mlock (to exclude memory from swap) and madvice (to exclude memory from dumps) for critical memory allocations. Please read this old reply to understand how much of the sensitive data is available in memory as plain text at a given time and how memory sanitization works in Enpass.

We are continuously working to improve the security of Enpass and prioritized a memory sanitization review task to specifically handle this situation.

Regards,

  • Like 2
  • Thanks 2
Link to comment
Share on other sites

Hi @Vinod Kumar,

Thank you very much for your reply.  I have to say, this sounds really excellent!

I read through the linked thread as well; do I understand correctly that, so long as Enpass is locked (for example at the PIN prompt), there is very little risk of data leakage through memory - aside perhaps from UI libraries that are extremely difficult to control anyway?

  • Like 1
Link to comment
Share on other sites

1 hour ago, sxc4567 said:

Hi @Vinod Kumar,

Thank you very much for your reply.  I have to say, this sounds really excellent!

I read through the linked thread as well; do I understand correctly that, so long as Enpass is locked (for example at the PIN prompt), there is very little risk of data leakage through memory - aside perhaps from UI libraries that are extremely difficult to control anyway?

Locking Enpass with a PIN active doesn't close the database AFAIK. If you lock it without a PIN being set, then it's closed properly. 

In Windows when Full-time TPM support is active, I believe the database is locked properly due to TPM handling the key rather than Enpass itself. 

 

I could be wrong though. 

  • Thanks 2
Link to comment
Share on other sites

Thanks @Ivarson. You are 100% right here. 

@sxc4567PIN locking is a convenience feature and only restricts app access. It does not close the underlaying SQLCipher database handle and an unencrypted database page may still be there in process memory. However, there is an additional level of encryption for the stored passwords with a per item obfuscation key to prevent direct visibility in memory for this case. Though, an attacker with advanced skills can still find the obfuscation keys and decrypt it.

Locking with master password is the safest option for Linux as it will close all underlying resources too.

Cheers:)

  • Like 4
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...