1

Is it possible to develop an application in such a way that its data in memory can't be stolen by recent attacks such as Meltdown, Spectre, Foreshadow, Fallout, Zombieload? All mitigations focus on patching hardware, BIOS or OS. But could sensitive applications such as password managers also implement additional protection mechanisms?

For example, could KeePass keep the passwords out of L1 cache (always loading them directly from memory)? This might protect against attacks targeting L1 cache.

There are other vulnerabilities which leak other caches and registers so it might not be sufficient against all attacks. Any other ideas on how to minimize the caching of this sensitive data?

Also, I know KeePass encrypts passwords in memory, but are they also encrypted in L1 caches? And is the decryption key not also in these caches?

curiousguy
Silver

1 Answer

1

Yes, theoretically applications can work around these issues. However, it's most probably not a threat the average user faces.

Further, these workarounds will be detrimental to performance. It most likely requires lots of work to ensure that no potentially dangerous instruction is used, and even then one can't be 100 % sure if absolutely everything was done right.

As a result, software vendors will see the amount of work required, compared to the relatively small gain in security, and just decide it's not worth it. The aptly named website cpu.fail lists several newly found bugs and FAQs about them.

To cite the ZombieLoad FAQ (emphasis mine):

Q: Are these software bugs?

A: No. These are bugs in the processor. Software can work around these bugs, which costs performance. Future processors will have integrated fixes.