Functions like bzero(), explicit_bzero() and ZeroMemory are designed to delete sensitive data (like keys) from RAM. Can I use explicit_bzero() to delete the entire RAM (e.g. 2 GB of RAM)? Is this a feasible approach? Is there any kind of significant limitation with this, like slowing down or crashing the system?
2 Answers
If you could zero all of your memory, then yes, it would cause the system to crash immediately. As none of the OS data or code would exist anymore, the system would not be capable of continuing to run in any capacity.
But you would not be able to do this just by calling bzero from a userspace application. The kernel generally restricts an application's memory access to within its own address space, so this would not be allowed.
Then what can I do to erase all related data from a previous session? Let's say I want to make sure all data are erased from a server's RAM after the user closed his applications. There should possibly be a way to touch unrestricted data and tmp application data (not OS related). – Kiavash Satvat Oct 06 '17 at 14:14
If you're using Linux there are kernel extensions such as GRSecurity that can achieve this, see [this](https://security.stackexchange.com/a/42280/31468) answer for example. Not sure about other OSs. – Sean Burton Oct 06 '17 at 14:46
Grsecurity cannot wipe all system memory, only freed data. Wiping all memory would require a kernel patch that erased memory in a single thread with SMP disabled, e.g. during a panic. – forest Dec 10 '17 at 11:04
These are user-space functions. This means anything you can erase there affects only the current process and only memory pages belonging to the process which are writable (i.e. usually no program code). Trying to delete memory not mapped into the process address space will just crash the application (i.e. segmentation fault).
> Can I use explicit_bzero() to delete entire RAM (e.g. 2 GB RAM)?

Since a process does not own the whole RAM (the kernel does), it cannot be deleted from a process.
Well, you could wipe a good portion of memory by using `kexec` to boot into a second kernel and then having a userspace program allocate as much memory as it can and then wipe it with `explicit_bzero()`. – forest Nov 01 '18 at 08:14
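The scope limit both answers describe can be measured directly. The following is an added example, not code from either answer: it wipes a buffer the process owns with `explicit_bzero()` and compares the writable memory mapped into the process with the machine's physical RAM. It assumes Linux with glibc 2.25 or later; the function names are hypothetical and the "key" bytes are constructed sample data.

```c
#define _DEFAULT_SOURCE            /* exposes explicit_bzero() in glibc >= 2.25 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sysinfo.h>

/* Sum the sizes of this process's writable mappings (Linux /proc/self/maps). */
unsigned long long writable_mapped_bytes(void)
{
    char line[4096], perms[5];
    unsigned long long start, end, total = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%llx-%llx %4s", &start, &end, perms) == 3 && perms[1] == 'w')
            total += end - start;
    fclose(f);
    return total;
}

/* Physical RAM installed, as reported by the kernel. */
unsigned long long physical_ram_bytes(void)
{
    struct sysinfo si;
    return sysinfo(&si) == 0 ? (unsigned long long)si.totalram * si.mem_unit : 0;
}

/* Fill a heap buffer with a constructed stand-in for a key, wipe it with
 * explicit_bzero(), and return how many non-zero bytes remain (expected: 0). */
size_t wipe_and_count_nonzero(size_t len)
{
    unsigned char *key = malloc(len);
    size_t i, nonzero = 0;
    if (!key) return len;
    memset(key, 0xA5, len);        /* constructed sample data, not a real key */
    explicit_bzero(key, len);      /* the process owns this memory, so this works */
    for (i = 0; i < len; i++)
        nonzero += (key[i] != 0);
    free(key);
    return nonzero;
}

int main(void) {
    printf("non-zero bytes left in wiped buffer: %zu\n", wipe_and_count_nonzero(4096));
    printf("writable bytes mapped in this process: %llu\n", writable_mapped_bytes());
    printf("physical RAM reported by the kernel:  %llu\n", physical_ram_bytes());
    return 0;
}
```

On a typical system the second figure is a tiny fraction of the third: everything outside those writable mappings belongs to the kernel or to other processes and is out of reach of `explicit_bzero()`.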