Working On Script To Sanitize Swap.

Discussion in 'Computers and The Internet' started by AceK, Dec 22, 2015.

  1. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
I stumbled across a shell script that clears your swap, i.e. if you have memory pages sitting swapped out to disk but have plenty of RAM left they shouldn't be on disk and can be moved back into actual RAM b/c page faults suck. It did what it said but had some issues, and the swap wouldn't be turned back on automagically in some cases so you would have to manually turn swap back on. What it didn't do is actually overwrite the disk space that memory occupied (it wasn't designed for anti-forensic purposes).

So I decided to modify the script for a slightly different purpose. Basically, anything that's in your system's memory could be highly sensitive; for instance, while I'm typing this post, this post is stored somewhere in my computer's memory. Now sometimes the kernel will swap out pages to disk to free up RAM for other uses, but what's in RAM could be anything; even if you have encrypted files they have to be decrypted by the machine, thus are going to exist in memory as clear text. So if you have passwords in RAM (or the credit card number you entered into a web form in Firefox) and that page gets swapped out to disk, now you have sensitive data stored on disk. So you might want to perform a bit of anti-forensics on the swap space, just in case someone hacks your computer and decides to peek at your swap.

RAM is volatile, it loses its state after about 64ms without power, whereas hard drives are magnetic so whatever is stored there stays around pretty much forever until it's overwritten with something else. I overwrite my swap with garbage sometimes manually, and thought it'd be cool to modify this script to do this as well, automatically. It's a work in progress I just started, and still has some issues, but I'll post a link if anyone wants to try it or fuck with it themselves. It seems like I'm pretty much having to rewrite most of what was there; I hope the original author is cool with it. I might end up writing something like this in C, and maybe have more options and faster random data generation (cuz /dev/urandom is slow) using openssl or something.

    So for now, if you just want to test it, use

    sudo ./clear-swap-corrupt.sh /dev/zero
It has some issues, but it works (it's safe) and only takes a couple minutes (like 2) to wipe my 16GB swap partition; /dev/urandom is a lot slower though, which is why I need something faster, like using openssl to generate crypto garbage data to overwrite with.

    Link .. save as clear-swap-corrupt.sh (or bigblackcock.sh if you prefer :p):
    http://pastebin.com/kmySWGs6
     
  2. badphotoguy

    badphotoguy Supporter HipForums Supporter

    Messages:
    84
    Likes Received:
    26
    Are you running this on Linux?
     
  3. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    Yep.

Don't know what it'd do to a Mac, don't have a Mac so don't know that much about them. It would probably be okay, but I'd probably at least take a peek around first if I was going to try it on a Mac, just to make sure it's not gonna fuck shit up ya know ;) writing garbage to the wrong places usually is no good :p

Some of the coreutils in OSX are a bit different than Linux and I don't have a Mac to try it on, and OSX can't be installed on my computer b/c it doesn't have an Intel CPU.
     
  4. badphotoguy

    badphotoguy Supporter HipForums Supporter

    Messages:
    84
    Likes Received:
    26
    I don't really know that much about Mac either. I'm running Windows 10 on my laptop, and Linux Mint 17 on my desktop. I miss writing shell scripts when I was an HP-UX SysAdmin. Just one of the hats I wore during my tenure in aerospace.
     
    1 person likes this.
  5. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    What I do know about Macs is that you gotta buy a new one every few years if you want security. Apple deprecates (or should I say obsoletes) older models so you can't get the security patches and end up being vulnerable to basically what are still 0 days essentially because even though those exploits have been patched, you can't upgrade.

For example, Snow Leopard is vulnerable to Shellshock and I had to use it once on an older Mac running Snow Leopard. The person had "purchased" this laptop apparently online and didn't know the password for the user account, or the root account, so couldn't really do anything with it. So I dropped a root shell and changed the passwords ... I changed them to a stupid easy 3 letter password, mentioning to them that I had just gained access for them, but that it's their responsibility to set the passwords to what they want since this is just a temporary password and isn't secure by any means. They never did (very dumb) because they don't care about getting hacked I guess even though they seem to worry about it a lot (contradictory isn't it .. too lazy to google?). I mean I just "hacked it", you better at least pick a password that can't be bruteforced in under 10 seconds! Then again ... on that Mac the password is kinda pointless anyway due to that particular vulnerability. Maybe try to install a newer shell ... they don't care, and I don't care or have much respect for people like that. If they don't care, then I don't give a fuck if their computer gets compromised and their identity stolen. I warned them of what the risks are and what can be done to help mitigate some of them but they can't be bothered with anything other than posting everything about them online to people they don't even know ... so I really am not motivated to help someone who isn't even willing to google something like "how to change your password". Plus, I have no idea where they "really" got this computer ... I suspect the story is a bit different than what I was told. Most people don't use exploits to help people, and the crackers stay up to date with the latest exploits. What I did was white hat, or maybe grey, but some people would do far worse things, making your credit rating become very poor.

    This type of person is the same type of person that is constantly texting and on facebook on their phone, and I guess they've never heard of the "lock screen" button ... that's a good feature so that your screen isn't just sitting there where people have time to read it over your shoulder.

    I don't like letting other people mess with my phone, tablet or my computer, especially dumbass people, but some people have "strange issues", and say that they think they're "hacked" and I always say, stop letting people use your devices ... if you let them use it they can do anything on it that you can do on it, access your accounts and all that and gather a ton of information. Put a passcode lock on it, and don't leave it on the table when you go to the restroom when there's people around that you don't necessarily trust or know very well.
     
  6. lode

    lode Banned

    Messages:
    21,697
    Likes Received:
    1,677
    1 person likes this.
  7. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    I actually do use encryption (and encrypted swap) on my laptops. I guess I'm more worried about them since they are more likely to be stolen. Also, laptops (or any machine for that matter) that uses an SSD, anything you could write to try to sanitize by overwriting would be ineffective due to the way SSDs do page remapping in the flash translation layer of the firmware, so writing anything to the same logical block address more than once is unlikely to actually touch the same physical memory pages. There are low level ATA commands like ERASE UNIT and ERASE UNIT ENH, but these commands nuke everything on the drive, and I'm unsure of how to issue them on PCIe drives since they don't expose a standard ATA interface. So, encryption here is the best bet.

On my desktop I'm not as worried about it, though I do zero fill the swap and free space every so often (magnetic disk, no one to date has been able to reliably recover a meaningful amount (like a whole byte) of overwritten data from a modern hard drive, it's theoretically possible, but you're more likely to invent the infinite improbability drive first lol). Anything important on that machine gets encrypted. I've considered using encrypted swap but not sure about the performance penalty. Page faults suck period, so I'm not sure how significant the overhead would be. This machine doesn't swap a lot usually but for some reason right now there's 3.5GB paged out .. and my script won't work because I only have 3.2GB free physical memory so it can't be moved back into RAM. I wish I knew a way to move most of it back (like 3.2 gigs of it)... could probably force a swapoff and cross my fingers. I have a feeling most of what's in there hasn't been touched in a long time. A few weeks ago I put my machine in hibernate for like an entire weekend or more, and ever since that memory has been a little weird.
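The procedure the thread describes (swapoff, overwrite the swap partition with /dev/zero or /dev/urandom, re-run mkswap, swapon) and the precondition from the last post (swapoff can only succeed if the pages currently swapped out fit into free RAM) are written out below as a small POSIX sh example. This is added example code, not the pastebin script from the opening post: it reads MemAvailable/SwapTotal/SwapFree from a /proc/meminfo-style file, refuses to proceed when swap in use exceeds available RAM (instead of failing half-way as the post complains about), and sizes the overwrite from the device rather than writing until ENOSPC. The function names (swap_fits_in_ram, target_size, wipe_bytes, sanitize_swap) are this example's own; `blockdev --getsize64` is the util-linux command used here to get a partition's size. The caveat from the same post still applies: on an SSD the flash translation layer remaps blocks, so this overwrite is only meaningful on a magnetic disk; on flash, encrypted swap is the right tool.

```shell
#!/bin/sh
# Added example (not the thread's script). Wipes a swap area in place, with
# the free-RAM precondition checked first so swapoff does not fail half-way.

# Return 0 if the pages currently swapped out fit into available RAM,
# i.e. if swapoff can pull everything back in. Reads a /proc/meminfo-style
# file (defaults to the real one) so the check can be exercised on a
# constructed sample.
swap_fits_in_ram() {
    meminfo=${1:-/proc/meminfo}
    mem_avail=$(awk '/^MemAvailable:/ {print $2}' "$meminfo")
    swap_total=$(awk '/^SwapTotal:/ {print $2}' "$meminfo")
    swap_free=$(awk '/^SwapFree:/ {print $2}' "$meminfo")
    swap_used=$((swap_total - swap_free))          # all values are in kB
    [ "$mem_avail" -gt "$swap_used" ]
}

# Size of the overwrite target in bytes: a block device via util-linux
# blockdev, a regular file (useful for testing) via wc.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite exactly $3 bytes of $1 with data from $2 (/dev/zero or
# /dev/urandom). Writing a fixed byte count avoids relying on dd hitting
# "No space left on device" to stop, and makes the same code testable on
# a regular file.
wipe_bytes() {
    target=$1
    source=$2
    bytes=$3
    head -c "$bytes" "$source" > "$target"
}

# The full procedure from the thread: check RAM, swapoff, overwrite,
# rebuild the swap signature, swapon. Requires root for a real partition.
sanitize_swap() {
    dev=$1
    source=${2:-/dev/zero}
    if ! swap_fits_in_ram; then
        echo "refusing: swap in use exceeds MemAvailable, swapoff would fail" >&2
        return 1
    fi
    swapoff "$dev" || return 1
    size=$(target_size "$dev")
    wipe_bytes "$dev" "$source" "$size" || return 1
    mkswap "$dev" > /dev/null || return 1     # restore the swap signature
    swapon "$dev"                              # turn swap back on automatically
}

# Usage (real run, as root):  sanitize_swap /dev/sdXN /dev/urandom
```

Run it as `sanitize_swap /dev/sdXN` for a zero fill or with `/dev/urandom` as the second argument for random data; the RAM check is deliberately a hard stop, because a swapoff that cannot complete leaves you exactly where the last post describes.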
     
