"Use secure virtual memory" doesn't encrypt swapfile

System: Fresh install 10.5 with full patches to 10.5.1 G4 iMac.

No matter what I did with the "Use secure virtual memory" option in System Preferences, the -E switch did not get passed to dynamic_pager.

Setting ENCRYPTSWAP=-YES- in /etc/hostconfig also had no effect.

So I forced it in /System/Library/LaunchDaemons/com.apple.dynamic_pager.plist and verified that the -E switch is being passed to the dynamic_pager on startup. Guess what? The swapfile still appears to be in-the-clear.

So I thought the contents of /var/vm/swapfile0 might be left over from a previous boot, so I booted into single-user and ran `rm -P /var/vm/swapfile0`, then booted normally. Still appears to be in-the-clear:

root# strings /var/vm/swapfile0 | grep -i password
2/Applications/Utilities/Open Firmware Password.app
*/Applications/Utilities/Reset Password.app
com.apple.openfirmwarepassword[
com.apple.OpenFirmwarePassword
Open Firmware Password
open firmware password.app
Contents/MacOS/Open Firmware Password
com.apple.resetpassword
com.apple.ResetPassword
Reset Password
reset password.app
Contents/Resources/PasswordReset.icns
Contents/MacOS/Reset Password

root# ps -ax | grep dynamic_pager
72 ?? 0:00.01 /sbin/dynamic_pager -E -F /private/var/vm/swapfile

The technical term for this is "BAD."

*Is encrypted swap a feature of Leopard or not?*

I've seen discussions that this also applies to Leopard Server. I haven't looked at Tiger client or server yet.

2.16GHz 20" Core2Duo iMac, 17" G4 iMac upg to 1GB 160GB, Mac OS X (10.5.1)

Posted on Jan 6, 2008 12:29 PM


Apr 3, 2008 8:07 AM in response to CJLinst

I was looking at this myself, more so because I was having performance issues and wanted to see if secure virtual memory was worth it. I encountered the same issues you had with the "Use secure virtual memory" checkbox. It seems that it isn't working. But then I spent like 5 minutes trying to understand the explanation in help:

Use secure virtual memory: Select “Use secure virtual memory” to erase any information from random-access memory written to the hard disk by virtual memory.


Keyword here is "erase", not necessarily "encrypt". This is my understanding of virtual memory. Let's say you have some application that uses a password. That application gets pushed to virtual memory. You access the application, so it gets placed back in RAM. When this happens, and if you have secure virtual memory enabled, it will erase the information from the virtual memory. Without secure virtual memory that information still lingers in there till reboot and the swapfile is cleared. It's not necessarily encrypted though.

Now, why it doesn't encrypt the swapfile when you specify the -E option, I'm not sure. The man page is rather vague, but does say that -E encrypts the swapfile.

Jul 16, 2008 1:59 PM in response to vrillusions

I have had a chance to revisit this and have come to the following conclusions:

1 - The manual page for dynamic_pager(8) is incorrect. The -E option is no longer honored and appears to be silently ignored, or at least overridden by the plist described later. dynamic_pager now gets its instructions as to whether or not to encrypt the swapfile from the /Library/Preferences/com.apple.virtualMemory.plist file. There is a UseEncryptedSwap boolean. The checkbox in System Preferences toggles this bool. This is further confirmed by the absence of the -E option in the output of /sbin/dynamic_pager -\?

2 - dynamic_pager appears to have its logic reversed in that when encrypted swap is enabled (UseEncryptedSwap=Yes, which is the case when "Use secure virtual memory" is checked) then dynamic_pager does NOT encrypt the swapfile (running strings on the swapfile yields plain-text results). If UseEncryptedSwap=No, the swapfile appears (to strings) to be encrypted.

This is an extremely unfortunate bug if it actually does what it looks like it's doing. I searched for the source to dynamic_pager but it doesn't look like it's available in the Darwin sources.

Message was edited by: CJLinst
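
An added example, not code from the thread or from Apple: a small POSIX shell audit of the two places the post above identifies, the UseEncryptedSwap boolean in /Library/Preferences/com.apple.virtualMemory.plist and the dynamic_pager command line. The function names (swap_setting, pager_flag, verdict) are my own; the plist layout it parses (key followed by `<true/>` or `<false/>` on the next line) is an assumption about the standard XML plist format, and the sample files and ps lines are constructed here, except for the dynamic_pager line with -E, which is copied from the first post. On a real Leopard system you would pass the real plist path and pipe in the output of `ps -ax`.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple. Audits the plist key
# the thread says controls swap encryption, and the dynamic_pager command
# line (where -E is reported to be ignored). Inputs are file paths and
# stdin so the functions run against constructed samples on any POSIX sh.

# Print "yes", "no" or "unset" for UseEncryptedSwap in XML plist $1.
# Assumes the usual layout: <key>UseEncryptedSwap</key> on one line,
# <true/> or <false/> on the next.
swap_setting() {
    value=$(sed -n '/<key>UseEncryptedSwap<\/key>/{n;p;}' "$1" | tr -d ' \t')
    case "$value" in
        '<true/>')  echo yes ;;
        '<false/>') echo no ;;
        *)          echo unset ;;
    esac
}

# Read `ps -ax` output on stdin; print "present" if the dynamic_pager
# command line carries -E, "absent" if it runs without it, and
# "not-running" if no dynamic_pager process is listed at all.
pager_flag() {
    line=$(grep '[d]ynamic_pager' | head -n 1)
    if [ -z "$line" ]; then
        echo not-running
    else
        case " $line " in
            *' -E '*) echo present ;;
            *)        echo absent ;;
        esac
    fi
}

# One verdict line per host, following the thread's finding that the
# plist key, not the -E switch, is what dynamic_pager actually honours.
verdict() {
    case "$1" in
        yes) echo "plist requests encrypted swap (dynamic_pager -E: $2)" ;;
        no)  echo "plist requests PLAIN swap (dynamic_pager -E: $2)" ;;
        *)   echo "plist does not set UseEncryptedSwap (dynamic_pager -E: $2)" ;;
    esac
}

# Constructed sample plists standing in for com.apple.virtualMemory.plist.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

write_plist() {   # write a plist whose <dict> body is $2 to file $1
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
$2
</dict>
</plist>
EOF
}
write_plist "$work/vm-on.plist"   '	<key>UseEncryptedSwap</key>
	<true/>'
write_plist "$work/vm-off.plist"  '	<key>UseEncryptedSwap</key>
	<false/>'
write_plist "$work/vm-none.plist" '	<key>ConstructedOtherKey</key>
	<string>x</string>'

# The first line is the ps output quoted in the opening post; the second is
# a constructed variant without -E.
ps_with_e='72 ?? 0:00.01 /sbin/dynamic_pager -E -F /private/var/vm/swapfile'
ps_without_e='72 ?? 0:00.01 /sbin/dynamic_pager -F /private/var/vm/swapfile'

for p in vm-on vm-off vm-none; do
    s=$(swap_setting "$work/$p.plist")
    f=$(printf '%s\n' "$ps_with_e" | pager_flag)
    echo "$p: $(verdict "$s" "$f")"
done
```

The point of reporting both values side by side is the one the post makes: seeing -E in the process list is not evidence that swap is encrypted, so an audit has to read the plist key as well.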

Jul 17, 2008 9:35 AM in response to CJLinst

After further testing it does not appear that it's as cut and dried as I expressed above. But there is something apparently very wrong with "Use secure virtual memory."

Unless I should be able to get plain text out of the swapfile when it's enabled.

$ sudo strings -n 15 swapfile2
...
Apple Software1
Software Signing0
http://www.apple.com/appleca/0
Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.0=
, http://www.apple.com/appleca/codesigning.crl0
Apple Certification Authority1301
*Apple Code Signing Certification Authority
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
...
$

Doesn't look like encrypted swap to me.

Jul 17, 2008 6:26 PM in response to Jeffrey Jones2

I booted single user and cleared out the swapfileX files prior to performing these tests and repeat when necessary.

If swap is encrypted (with, I assume, AES128), it doesn't make any sense to me to find plain-text contents in the swapfiles. It's possible that there will be some discernible patterns in the blocking structure but the actual contents should look like random garbage.

Or are you saying that they might simply be creating the file, then increasing the size to what looks to be 64MB initially without zeroing the data so what I'm seeing might be the contents of the disk blocks that haven't been cleared/written yet? If they're using lseek(2) then all the reads should be returning zeros until something is actually written, and anything written should be encrypted.

If a user can create a file, then lseek to MAXFILESIZE, then read the contents of disk blocks previously allocated to other files, that's another much more serious security issue....

Message was edited by: CJLinst

Jul 17, 2008 10:56 PM in response to CJLinst

It does seem that you are right. Even after forcing the -E switch in the dynamic_pager plist, most of the swapfile is quite readable. The contents of the file puzzle me, though. I saw log entries that were several months old, references to directories I know haven't existed in ages and so on.

The bottom line is, the cache file doesn't seem to be getting encrypted. Good luck on trying to get Apple to respond to this, they have an atrocious track record in fixing bugs they deem as minor and I have a feeling this is one of them.

(edit: and I did delete the old swap files before trying any of this out)

Message was edited by: Tom Eklöf

Jul 17, 2008 11:18 PM in response to Tom Eklöf

The 10.5.2 dynamic_pager.c is available here: http://www.opensource.apple.com/darwinsource/10.5.2/systemcmds-433/dynamic_pager.tproj/dynamicpager.c

The swap files are created using fcntl(2)'s F_SETSIZE.

This system call is only available to root and the man page says it "Truncate[s] a file without zeroing space".

This would lead me to believe that Jeffrey Jones2 is probably correct - we're looking at the previous contents of old disk blocks. At least until someone finds actual current pages written to the swapfile unencrypted.

I guess another avenue could be to erase free space and try the test again.

Secure Empty Trash, people. 🙂

Jul 17, 2008 11:32 PM in response to CJLinst

I don't know too much about SWAP and memory, so correct me if I am wrong.

Even if they are old disk blocks, they can still contain valid information like passwords. Mac OS X should really dump old swap files automatically if that is the case. They are of no use to the system.

However, I do not think they are old swap files per se. They all seem to be in use:

I have 1.5GB swap right now, and 6 swap files, sized (MB):

64 + 64 + 128 + 256 + 512 + 512

If you add those up, you get a perfect 1.5GB. If my system is using 932MB swap, wouldn't that mean that all of the swap files are in use?

Jul 17, 2008 11:37 PM in response to Community User

Actually it's just a matter of F_SETSIZE not zeroing the blocks it uses when it allocates file space. Random (well, not really, but random enough) bits and pieces lying in unused parts of the hard drive are allocated "into" the swap files. If encryption is enabled, all the unencrypted data you see in the swap files are remains of old, deleted files and such.

If you see passwords in that data, it means it was stored somewhere on your disk in plaintext to begin with.
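
An added example, not code from the thread or from Apple: the checks that the lseek(2) reasoning (Jul 17, 6:26 PM) and the two F_SETSIZE posts above rely on, written as a POSIX shell script against constructed files standing in for /var/vm/swapfileN. printable_runs is a portable stand-in for `strings -n 15`; zero_bytes and classify are my own additions, and the 15-byte run length and 90 % zero threshold are choices made here, not values from the thread. grow_with_hole shows what lseek-style extension yields (a hole that reads back as zeros), which is the behaviour the thread contrasts with F_SETSIZE handing out unzeroed blocks; F_SETSIZE itself is root-only and Mac-specific, so it is not exercised.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple. Packages the swapfile
# checks discussed above so they run on any POSIX system against
# constructed files.

# Count printable runs of at least $2 bytes (default 15) in file $1, the
# same measure `strings -n 15` gives. In the C locale [:print:] is
# 0x20-0x7E, so NUL bytes never count as printable.
printable_runs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -c -E "^.{${2:-15},}$" || true
}

# Count NUL bytes in file $1.
zero_bytes() {
    LC_ALL=C tr -d -c '\000' < "$1" | wc -c | tr -d ' '
}

# Classify file $1: "empty"; "mostly-zero" (>= 90 % NUL, i.e. space that
# was never written); "plaintext-present" (at least one printable run of
# 15+ bytes); or "opaque" (no printable runs and few zeros, which is what
# ciphertext should look like). A never-written zero-filled file and an
# encrypted one both show no strings, so absence of strings alone proves
# nothing; that is why the zero ratio is checked first.
classify() {
    total=$(wc -c < "$1" | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        echo empty
    elif [ $(( $(zero_bytes "$1") * 100 / total )) -ge 90 ]; then
        echo mostly-zero
    elif [ "$(printable_runs "$1" 15)" -gt 0 ]; then
        echo plaintext-present
    else
        echo opaque
    fi
}

# Grow file $1 to $2 bytes by writing one byte at the last offset; the
# hole before it reads back as zeros. This is what the thread expects from
# lseek(2)-style extension, as opposed to F_SETSIZE, which (per the quoted
# fcntl(2) man page) truncates "without zeroing space".
grow_with_hole() {
    : > "$1"
    printf 'x' | dd of="$1" bs=1 seek=$(( $2 - 1 )) 2>/dev/null
}

# Constructed samples standing in for /var/vm/swapfileN.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

grow_with_hole "$tmp/hole" 4096                                   # never-written space
printf 'Contents/MacOS/Reset Password\n' > "$tmp/plain"           # a string like those seen above
dd if=/dev/urandom of="$tmp/random" bs=4096 count=1 2>/dev/null   # what ciphertext looks like

for f in hole plain random; do
    printf '%-7s zero bytes=%-5s printable runs=%-3s verdict=%s\n' \
        "$f" "$(zero_bytes "$tmp/$f")" "$(printable_runs "$tmp/$f")" "$(classify "$tmp/$f")"
done
```

Running it on a real swapfile needs root (the files are root-owned); the verdict "plaintext-present" on a file that was grown with F_SETSIZE means only that readable bytes are there, and as the posts above point out, deciding whether those are live pages or stale disk blocks needs a test after free space has been erased.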

Jul 17, 2008 11:42 PM in response to Tom Eklöf

Regardless though, it is still plain-text data, which is still considered a security hole.

I don't know about in Mac OS X (I'm 99% sure it can be done), but in Linux you can put SWAP on its own partition. Would it be possible in OS X to place SWAP in an encrypted disk image? It's still a volume... Set permissions on it so that the system has access, but users don't...

Maybe create some kind of startup script so that after the OS loads, the DMG is decompressed.
