Ubuntu

unswappable pages are swapped out during hibernation

Reported by Robert Collins on 2006-11-07
258
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Wishlist
Unassigned

Bug Description

pages marked as unswappable because they contain sensitive data - i.e. cached passwords or key data (see for instance ssh-agent, gnome-keyring, evolution) are paged out during hibernation.

This is a security vulnerability for two reasons. The first is that access to a running machine can be acquired by triggering a hibernation e.g. when the battery is low due to policy, or if there is a hot-key configured to do that. The access is acquirable by examing the suspended kernel image. The second is that password or unencrypted key data has been written to disk and thus may be recoverable by disk forensics - but this is a much less severe consideration (folk concerned about secure disposal of hardware are likely to have other data to dispose of anyway).

Kees Cook (kees) wrote :

Agreed. As far as I've been able to see, fixing this requires some closer integration of cryptsetup, by-default encrypted swap, and initramfs changes.

On Tue, 2006-11-21 at 01:26 +0000, Kees Cook wrote:
> Agreed. As far as I've been able to see, fixing this requires some
> closer integration of cryptsetup, by-default encrypted swap, and
> initramfs changes.

Interesting approach :). We'll still want something to avoid disclosure
on non-encrypted swap though right ? (because of the bazjillion existing
installs).

Rob
--
GPG key available at: <http://www.robertcollins.net/keys.txt>.

Jamie Strandboge (jdstrand) wrote :

Is this still an issue on Gutsy?

Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!.

Robert Collins (lifeless) wrote :

 status new

trollord (trollenlord) wrote :

Take a look at https://bugs.launchpad.net/ubuntu/+bug/196368 , the hdd encryption passwords indeed are cleartext in memory.

Robert, is this still a problem in the current release? I noticed you've reopened the bug report but still failed to provide any information as to why or a demonstration of the problem.

Robert Collins (lifeless) wrote :

On Fri, 2008-06-06 at 17:47 +0000, Patrick Kilgore wrote:
> Robert, is this still a problem in the current release? I noticed you've
> reopened the bug report but still failed to provide any information as
> to why or a demonstration of the problem.

Because the information is already there - the issue is documented, etc.

-Rob

--
GPG key available at: <http://www.robertcollins.net/keys.txt>.

The Ubuntu Kernel Team is planning to move to the 2.6.27 kernel for the upcoming Intrepid Ibex 8.10 release. As a result, the kernel team would appreciate it if you could please test this newer 2.6.27 Ubuntu kernel. There are one of two ways you should be able to test:

1) If you are comfortable installing packages on your own, the linux-image-2.6.27-* package is currently available for you to install and test.

--or--

2) The upcoming Alpha5 for Intrepid Ibex 8.10 will contain this newer 2.6.27 Ubuntu kernel. Alpha5 is set to be released Thursday Sept 4. Please watch http://www.ubuntu.com/testing for Alpha5 to be announced. You should then be able to test via a LiveCD.

Please let us know immediately if this newer 2.6.27 kernel resolves the bug reported here or if the issue remains. More importantly, please open a new bug report for each new bug/regression introduced by the 2.6.27 kernel and tag the bug report with 'linux-2.6.27'. Also, please specifically note if the issue does or does not appear in the 2.6.26 kernel. Thanks again, we really appreicate your help and feedback.

Daniel T Chen (crimsun) on 2008-09-18
Changed in linux:
assignee: nobody → ubuntu-kernel-team
status: New → Confirmed
Felipe Figueiredo (philsf) wrote :

Kees,

wouldn't activating swap encryption by default render hibernation impossible in the first case?

Kees Cook (kees) wrote :

Felipe, there are two ways to do encrypted swap: with a random key, and with a LUKs-protected passphrase (or a raw passphrase). When not random, the swap can be decrypted and un-hibernated from.

Changed in linux (Ubuntu):
importance: Undecided → Wishlist
Changed in linux (Ubuntu):
assignee: Ubuntu Kernel Team (ubuntu-kernel-team) → nobody
tags: added: kernel-key
tags: removed: kernel-key
Phillip Susi (psusi) wrote :

This isn't a bug in the kernel. If you are going to use hibernation, everything has to be written to swap. If you want to protect that, then encrypt your swap.

Changed in linux (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers