SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

[Security] Improve plain text password handling in code #4930

Closed sssd-bot closed 2 years ago

sssd-bot commented 4 years ago

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3956


This is about: https://labs.portcullis.co.uk/blog/an-offensive-introduction-to-active-directory-on-unix/

After some discussions I think we can make this better by using the following:

  1. Use PR_SET_DUMPABLE for pages which have passwords etc., to ensure that coredumps don't contain cleartext passwords.

  2. Use SGX when available https://en.wikipedia.org/wiki/Software_Guard_Extensions

  3. Lastly and more importantly, Fedora has explicit_bzero, which you should use rather than manually scrubbing memory. Please see https://www.gnu.org/software/libc/manual/html_node/Erasing-Sensitive-Data.html. This is not optimized by the compiler.

Comments


Comment from atikhonov at 2019-11-19 15:24:22

Metadata Update from @atikhonov:


Comment from atikhonov at 2019-11-28 22:41:28

PR https://github.com/SSSD/sssd/pull/948 partially addresses item (3)


Comment from pbrezina at 2019-11-29 11:23:38

Commit 0a6fdec5 relates to this ticket


Comment from pbrezina at 2019-11-29 11:23:38

Commit 109c21ef relates to this ticket


Comment from pbrezina at 2019-11-29 11:23:39

Commit ad1ae003 relates to this ticket


Comment from pbrezina at 2019-11-29 11:23:39

Commit 275e062b relates to this ticket


Comment from pbrezina at 2019-11-29 11:23:40

Commit 0165ef11 relates to this ticket


Comment from pbrezina at 2019-11-29 11:23:40

Commit f2245b53 relates to this ticket


Comment from pbrezina at 2019-11-29 11:27:20


Comment from pbrezina at 2020-03-13 14:48:10

Alexey, did the patches fix this ticket? If yes, please close it.


Comment from pbrezina at 2020-03-13 14:48:11

Metadata Update from @pbrezina:


Comment from atikhonov at 2020-03-13 15:34:45

> Alexey, did the patches fix this ticket?

No. Only item (3) is partially addressed. Another question is whether we want (1) and (2) to be done.

alexey-tikhonov commented 2 years ago

> Use SGX when available

"A pivot by Intel in 2021 resulted in the deprecation of SGX from the 11th and 12th generation Intel Core Processors, but development continues on Intel Xeon for cloud and enterprise use."

The feature is difficult to use. Taking into account the limited set of platforms that have hw support, the benefits are very questionable.

alexey-tikhonov commented 2 years ago

> 1. Use PR_SET_DUMPABLE for pages which have passwords etc, to ensure
>    that coredumps dont contain cleartext passwords.

I don't find a way to set PR_SET_DUMPABLE on a per-page basis, only for the entire process. Having coredumps disabled unconditionally would be impractical, as it would make debugging very difficult. But perhaps we can have such a hardening option.
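Added example, not part of the thread and not SSSD code: a C sketch of items (1) and (3) on Linux with glibc. It goes beyond the thread by also showing `madvise(MADV_DONTDUMP)`, a separate Linux call that excludes individual mapped pages from core dumps while the process stays dumpable. The `secret_buf` type and all function names are hypothetical.

```c
#define _GNU_SOURCE              /* explicit_bzero(), MADV_DONTDUMP */
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>

struct secret_buf { unsigned char *p; size_t len; };  /* hypothetical helper type */

/* Item (1), process-wide: returns the resulting dumpable flag (0 = no core dumps). */
int harden_no_coredump(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Per-region alternative: map whole pages and exclude only them from core dumps. */
int secret_alloc(struct secret_buf *s, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (want + page - 1) / page * page;     /* round up to full pages */
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;                   /* also covers want == 0 */
    if (madvise(p, len, MADV_DONTDUMP) != 0) { munmap(p, len); return -1; }
    s->p = p; s->len = len;
    return 0;
}

/* Item (3): explicit_bzero() is not removed as a dead store, unlike plain memset(). */
void secret_wipe(struct secret_buf *s) { explicit_bzero(s->p, s->len); }

/* Returns 1 if every byte of the region is zero. */
int secret_is_zero(const struct secret_buf *s)
{
    for (size_t i = 0; i < s->len; i++) if (s->p[i] != 0) return 0;
    return 1;
}

int main(void)
{
    struct secret_buf s;
    if (secret_alloc(&s, 64) != 0) return 1;
    memcpy(s.p, "constructed-password", 21);          /* constructed sample secret */
    secret_wipe(&s);                                  /* scrub before unmapping */
    int ok = secret_is_zero(&s) && harden_no_coredump() == 0;
    munmap(s.p, s.len);
    return ok ? 0 : 1;
}
```

Setting the dumpable flag to 0 also restricts `ptrace` attach by unprivileged processes, which is part of why it makes debugging harder.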

alexey-tikhonov commented 2 years ago

Pushed PR: https://github.com/SSSD/sssd/pull/6184