[guardian-dev] It's Native all the Way Down

Abel Luck abel at guardianproject.info
Fri Jun 7 09:36:36 EDT 2013


Daniel McCarney:
> Hey Abeluck,
> 
> I started thinking about improving the cacheword buffer handling for the
> user secret and derived key.
> 
> For lack of a better place to put it I stuck a Markdown file[1] in my
> fork's current branch discussing the problems we face and some potential
> approaches to dealing with them.
> 
> Thoughts welcome. I'm going to work on a patch for Approach 2 (since
> it's so quick). I think Approach 3 is better long term. We should
> discuss the best way to move forward on that front if you agree.
> 
> Thanks!
> 
> - Dan (pd0x on Freenode, @cpu on twitter)
> 
> [1]
> https://github.com/binaryparadox/cacheword/blob/secbufs/SECURE_BUFFERS.md
> 
> P.s. If you think this is appropriate/interesting to the larger
> [guardian-dev] list I'd be happy to see it forwarded there.
> 

Looping in guardian-dev, as I'm hardly qualified to be making decisions
like this in isolation, so the more exposure the better :)

I definitely think Approach 3 is better, and we should focus efforts on
implementing it. I've considered implementing direct ByteBuffers (#2),
but held off because #3 is where we really need to go.

Paging/Swap: The Android kernel does not swap memory to disk [1], for
now. Occasionally I see chatter on android-kernel talking about
implementing it, but nothing concrete. So, that's one advantage we have
at the moment.

We should evaluate the secmem [2] library used by GnuPG for this purpose.

I love the idea of implementing a native "Secure"TextEdit to use for
password prompts, but I'm not sure it is worth the effort. This is a
large hole, and we have to decide how much effort it's worth chasing the
rabbit down there, especially considering we know we can't "win" and
this is essentially security-through-obscurity.

I've only cursorily examined the sources for the EditText widget, so I'm
not yet sure how much time will be needed to produce a "more secure"
version.

If you want to take up implementing this in CacheWord, I could spend
time getting the app integration layer working right. I integrated
Cacheword into a non-trivial app codebase, and concluded I need to
significantly refactor the API, which is mostly independent from the secure
mem layer.

.oO( Btw, if someone out there wants to toss Guardian Project a
Cellebrite forensics device, or a cool $10k to buy one, we'd love to do
research with it! )

~abel

[1]:
https://groups.google.com/forum/#!msg/android-platform/AcaBcOHQXwU/93Itj0VMvKYJ
[2]: https://github.com/guardianproject/pinentry/tree/master/secmem
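To make the "native all the way down" secure-buffer layer (Approach 3, the secmem pattern mentioned above) concrete, here is an added C example; it is not CacheWord's or secmem's own code, and the `secbuf_*` / `secure_wipe` names are hypothetical. It assumes a POSIX libc: page-aligned allocation, mlock() so the pages cannot be paged out on platforms that do swap, and a wipe through a volatile pointer so the compiler cannot drop the zeroing as a dead store before free().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Minimal native secure buffer in the secmem style (hypothetical API):
 * page-aligned allocation, mlock() so the pages cannot be swapped out,
 * and an explicit wipe the compiler cannot drop as a dead store. */
typedef struct {
    unsigned char *data;
    size_t len;     /* usable bytes requested by the caller */
    size_t alloc;   /* bytes actually allocated, rounded up to pages */
    int locked;     /* 1 if mlock() succeeded, 0 otherwise */
} secbuf_t;

/* Zero through a volatile pointer so dead-store elimination cannot remove it. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Returns 0 on success, -1 if allocation fails. Check sb->locked afterwards:
 * mlock() may fail under RLIMIT_MEMLOCK, and the buffer is then swappable. */
int secbuf_alloc(secbuf_t *sb, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;
    sb->alloc = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = NULL;
    if (posix_memalign(&p, (size_t)page, sb->alloc) != 0) return -1;
    sb->data = p;
    sb->len = len;
    sb->locked = (mlock(sb->data, sb->alloc) == 0);
    memset(sb->data, 0, sb->alloc);
    return 0;
}

void secbuf_wipe(secbuf_t *sb) { secure_wipe(sb->data, sb->alloc); }

/* Returns 1 if every byte of the allocation is zero. */
int secbuf_is_zeroed(const secbuf_t *sb) {
    for (size_t i = 0; i < sb->alloc; i++) if (sb->data[i]) return 0;
    return 1;
}
/* Wipe before releasing so the secret never reaches the allocator's free list. */
void secbuf_free(secbuf_t *sb) {
    if (!sb->data) return;
    secbuf_wipe(sb);
    if (sb->locked) munlock(sb->data, sb->alloc);
    free(sb->data);
    sb->data = NULL; sb->len = sb->alloc = 0; sb->locked = 0;
}
```

A derived key or passphrase copied into `sb->data` lives only in this locked, wiped region, never in a Java `String` that the garbage collector may copy and keep around.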

