How to erase the decrypted cleartext in Cache ?

On Wed, 19 Oct 2005 Tony Mason (xxxxx@osr.com) wrote:
} Subject: RE: [ntfsd] How to erase the decrypted cleartext in Cache ?

} Pejorative statements notwithstanding, the Memory Manager is in fact one
} of the most re-designed and re-implemented pieces of the OS. Witness
} the interesting changes in Windows Vista to further eliminate memory
} pressure on the small address space - that has nothing to do with
} Windows, it has to do with the restrictions of a 1 or 2 GB virtual
} address space in a world of computers with 2+ GB of physical memory.

the designers of AIX tackled the same problem of supporting tens and
even hundreds of Gbyte of physical memory in a kernel with a virtual
address space of only 4 Gbyte. in fact, they were supporting 64 bit
applications on a 32 bit kernel! kind of a crazy thing to do, actually,
since it’s only a stopgap measure; a switch to 64 bit kernels is clearly
required long term, so might as well work on that now rather than doing
work that will be discarded in the next release. though sometimes
schedule pressures dictate doing work that gets thrown away.

i’m not familiar with changes to the Windows Memory Manager post
Win 2K … but i’m going to guess that it still uses a single spin
lock to protect all of the page table entries and virtual address space
manipulation, and that it still looks for pages to reclaim by walking the
virtual address space of all processes on the system. both severely limit
the scalability of the OS in terms of number of processes and processors.

which is why i called Windows a toy OS, although no OS that brings in
billions of dollars a year in revenue can really be called a “toy”.

} I certainly agree that there are reasons for wishing to have a page
} invalidation mechanism - indeed, the reason I first inquired about it
} was based upon an interest in implementing a distributed shared memory
} based file system.

} I suggested “rebooting” because it works in 100% of scenarios. A person
} concerned about being able to recover the data from RAM lives in a
} highly hostile environment and is looking for a level of hardening that
} is certainly outside the design parameters for Windows. If that makes
} it deficient in your eyes, so be it. I’m far more pragmatic about it -
} I’ve worked on multiple operating systems and each has advantages and
} disadvantages. Focusing on one specific aspect and saying “it doesn’t
} handle this and therefore it is totally deficient” is an extremist
} perspective, but one I suppose I shouldn’t be too surprised to hear
} living in the US these days (there, a small political barb to garner a
} laugh or two…)

i think you misread my comment there; a couple of people did so i guess
i miswrote it.

what i was trying to say is that if you’re concerned about the OS
revealing the clear text after you’ve done the encryption, why aren’t
you worried about the OS revealing the clear text before the encryption?

and if you’re really that paranoid shouldn’t you also worry that erasing,
rebooting, or turning the computer off is insufficient to destroy the
information in RAM? Philip D. Barila posted a link to an interesting
article that discusses that issue:

http://www.dataclinic.co.uk/data-recovery/learn-more-about-microscopy.htm

} I’m more pragmatic: at the present time, Windows is the dominant desktop
} OS space and a major player in the server OS space. As a result, I do
} quite a lot of work in this arena. However, I’m a file systems
} developer first and foremost - and should some other OS displace Windows
} I’ll likely be developing file systems on that new platform - because
} users will still want to retrieve their data, they will still want to
} store it, and they will need to do obscene and unspeakable things to it
} (like compress and encrypt it).

and there seem to be people willing to pay money for these things, even
if they don’t work right 100% of the time.

in my opinion, Microsoft was very smart to make the trade-offs they
did in Windows. because Windows is primarily a desktop OS running
on cheap hardware that’s frequently upgraded, users were willing to
accept a degree of unreliability, lack of scalability, and lack of
compatibility across product releases. the folks developing “Enterprise
class” software could never have gotten away with that. that freedom,
in turn, allowed Microsoft to develop new features quickly and revise
interfaces frequently so they could create new products quickly.

of course, these tendencies create a real problem for Windows as Microsoft
tries to compete in the higher end server space, leading to a certain
tension in the design.

meanwhile, Linux has come along and is employing the same tactics (or
trade-offs), which is causing Microsoft quite a bit of anxiety.

} Most of the discussions within this forum are about file system filters
} and I find that many people are willing to live with partial solutions -
} look at the suggestions to use CcPurgeCache (nobody mentioned
} MmFlushCache, which you need to deal with executable images, or
} MmForceSectionClosed - a sledgehammer, but it works very hard to get rid
} of everything.) I wouldn’t consider a solution that fails sometimes to
} be acceptable, but other people do. Being a *file systems developer* I
} strive to find solutions that work 100% of the time, in the face of the
} normally hostile environment in which we find our products used. I’m
} extremely leery of using products developed by people who think that
} corrupting my data once in a while is an acceptable trade-off.

couldn’t agree with you more.

it’s interesting. there are a lot of products out there that do
get things right only 99.99% of the time, and that does seem to be
acceptable to some set of customers. but i’ve noticed that very few
of those products actually come into widespread use (at least not if
you’re selling to large corporations; the consumer market is different).
once you corrupt some data in the data center they tend to throw you
out.

} There, now I’ve thrown out MY rant for the day.
}
} Regards,
}
} Tony

cheers,

craig.

} Tony Mason
} Consulting Partner
} OSR Open Systems Resources, Inc.
} http://www.osr.com
}
}
} Looking forward to seeing you at the next OSR File Systems class in Los
} Angeles, CA October 24-27, 2005.
}
}
} -----Original Message-----
} From: xxxxx@lists.osr.com
} [mailto:xxxxx@lists.osr.com] On Behalf Of craig
} Sent: Wednesday, October 19, 2005 3:50 AM
} To: ntfsd redirect
} Subject: Re: [ntfsd] How to erase the decrypted cleartext in Cache ?
}
} On Wed, 19 Oct 2005 Tony Mason (xxxxx@osr.com) wrote:
} } Subject: RE: [ntfsd] How to erase the decrypted cleartext in Cache ?
}
} } This is because there is no way for you to find all the uses of a given
} } page. This doesn’t make Windows “crap”, it means that you don’t trust
} } the OS to do its job, which is why you are trying to delete memory that
} } someone is still using.
}
} hi tony,
}
} actually, Windows is a crap OS. or at least a toy OS, comparable to
} Minix – but that’s a separate argument from this discussion.
}
}
} } In fact, the support needed to do this is something I’ve talked to the
} } person responsible for Mm about in the past and the reason he doesn’t
} } leave that code in is that it drags down performance.
}
} there are many reasons why a client or filter driver might want to
} invalidate data cached in memory. for example, you might be running a
} clustered file system, where files can be written to from other nodes
} and changes to the file data accurately updated to file mappings on the
} first node.
}
} or you might want to have coherent caching of files with CIFS in the
} same scenario (where writes to a file on one node appear in a timely
} fashion in memory mappings of the file on another node).
}
} regardless, the performance penalty this imposes on the Mm in Windows is
} entirely a result of the design chosen for the memory manager on Windows,
} and not an intrinsic aspect of the problem. the “performance penalty”
} could be fixed by a redesign of the memory manager.
}
} to put it another way, the reason Windows can’t do this is because it’s
} a crap OS. (oh, wait. i said that argument wasn’t relevant to this
} discussion – guess i was wrong.)
}
}
} } Bottom line: if you don’t trust the OS, don’t use it. If you don’t want
} } cleartext in the cache, don’t allow it in there in the first place. The
} } PROBLEM is you want to have a mechanism for performing page invalidation
} } - and it does not exist in Windows.
}
} well, this part i agree with. if you don’t trust the OS with the data
} after it’s been encrypted, why do you entrust it with the data in the
} first place?
}
} and if you’re truly paranoid, rebooting the box won’t clear the data
} either. from what i understand, there are techniques that let you
} recover data from RAM even if it’s been overwritten a few times.
}
} } Regards,
} }
} } Tony
}
} cheers,
}
} craig.
}
}
} } Tony Mason
} } Consulting Partner
} } OSR Open Systems Resources, Inc.
} } http://www.osr.com
} }
} }
} } -----Original Message-----
} } From: xxxxx@lists.osr.com
} } [mailto:xxxxx@lists.osr.com] On Behalf Of Sean Park
} } Sent: Tuesday, October 18, 2005 11:49 PM
} } To: ntfsd redirect
} } Subject: Re:[ntfsd] How to erase the decrypted cleartext in Cache ?
} }
} } I am not sure why this is so.
} } I don’t know the answer, though. There should be a way to do this,
} } otherwise Windows is crap.
} }
} } Maybe finding out the physical memory address of the cache and clearing the
} } corresponding physical pages would do the job?
} }
} } Cheers,
} }
} }
} }
} } “Tony Mason” wrote in message news:xxxxx@ntfsd…
} } Reboot. There is no other guaranteed way of achieving this.
} }
} } Regards,
} }
} } Tony
} }
} } Tony Mason
} } Consulting Partner
} } OSR Open Systems Resources, Inc.
} } http://www.osr.com
} }
} }
} } -----Original Message-----
} } From: xxxxx@lists.osr.com
} } [mailto:xxxxx@lists.osr.com] On Behalf Of Leo
} } Sent: Tuesday, October 18, 2005 9:25 PM
} } To: ntfsd redirect
} } Subject: [ntfsd] How to erase the decrypted cleartext in Cache ?
} }
} } How to erase the decrypted cleartext in Cache ?
} } My encrypted ciphertext is in disk assuredly, but the cleartext is in
} } Cache
} } yet.
} }
} }
} }
} } —
} } Questions? First check the IFS FAQ at
} } https://www.osronline.com/article.cfm?id=17
} }
} } You are currently subscribed to ntfsd as: xxxxx@osr.com
} } To unsubscribe send a blank email to xxxxx@lists.osr.com
}
} –
} {apple,amdahl}!veritas!craig
} xxxxx@veritas.com
} (415) 668-3564 (h) (650)
} 527-8520 (w)
}


{apple,amdahl}!veritas!craig xxxxx@veritas.com
(415) 668-3564 (h) (650) 527-8520 (w)
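Tony’s point in the quoted text above, that the only reliable answer is not to let cleartext into the cache in the first place, is the one a practitioner can actually act on. The following is an added example, not code from this thread or from any of its participants: user-mode POSIX C that decrypts into a page-locked buffer that is never handed to a file API or mapped as a section, uses it, and then wipes it with a store the compiler cannot elide. The names (secure_buf, secure_wipe, toy_decrypt) are this example’s own, the XOR “cipher” and the ciphertext are constructed stand-ins, and the example assumes mlock/munlock/posix_memalign are available (on Windows the analogous calls are VirtualLock and SecureZeroMemory).

```c
/* Added example: confine decrypted data to locked memory and wipe it
 * deterministically.  User-mode POSIX C; secure_buf/secure_wipe/toy_decrypt
 * are names chosen for this example, not a Windows, OSR or libc API.
 * The XOR "cipher" and its ciphertext are constructed stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Zero through a volatile pointer: a plain memset() on a buffer that is dead
 * afterwards may be optimised away, leaving the plaintext in place. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

typedef struct {
    unsigned char *data;
    size_t len;
    int locked;   /* 1 if mlock() succeeded; 0 means the pages may be swapped */
} secure_buf;

/* Page-aligned allocation pinned with mlock() so the plaintext never reaches
 * the pagefile.  mlock() can fail (e.g. RLIMIT_MEMLOCK); the caller sees that
 * in b->locked and decides whether an unlocked buffer is acceptable. */
static int secure_buf_alloc(secure_buf *b, size_t len)
{
    void *p = NULL;
    if (posix_memalign(&p, 4096, len) != 0)
        return -1;
    b->data = p;
    b->len = len;
    b->locked = (mlock(p, len) == 0);
    return 0;
}

static void secure_buf_wipe(secure_buf *b)
{
    if (b->data)
        secure_wipe(b->data, b->len);
}

/* Wipe before unlock and free, so no copy survives in the freed chunk. */
static void secure_buf_free(secure_buf *b)
{
    if (!b->data)
        return;
    secure_buf_wipe(b);
    if (b->locked)
        munlock(b->data, b->len);
    free(b->data);
    b->data = NULL;
    b->len = 0;
}

/* Constructed stand-in for real decryption: XOR with a one-byte key. */
static void toy_decrypt(unsigned char *out, const unsigned char *in,
                        size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key;
}

static int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Decrypt a constructed ciphertext into the locked buffer, "use" it, wipe it.
 * Returns 1 if the plaintext round-tripped and the buffer is all zero after
 * the wipe (checked before free, so no use-after-free), 0 otherwise. */
static int demo_decrypt_use_wipe(void)
{
    static const unsigned char plain[] = "decrypted secret";
    unsigned char cipher[sizeof plain];
    toy_decrypt(cipher, plain, sizeof plain, 0x5A);   /* XOR is its own inverse */

    secure_buf b;
    if (secure_buf_alloc(&b, 4096) != 0)
        return 0;

    toy_decrypt(b.data, cipher, sizeof plain, 0x5A);
    int ok = memcmp(b.data, plain, sizeof plain) == 0;   /* the "use" step */

    secure_buf_wipe(&b);
    ok = ok && all_zero(b.data, b.len);                  /* nothing left behind */
    secure_buf_free(&b);
    return ok;
}

int main(void)
{
    int ok = demo_decrypt_use_wipe();
    printf("plaintext confined to locked memory and wiped: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The scope of this is exactly what the thread says it is: it only helps for plaintext that never leaves the process’s own buffer. Anything written through a file API or mapped as a section has already been copied into the cache manager’s and memory manager’s pages, and those copies are what Tony says cannot be found and scrubbed reliably from a filter; rebooting, and the RAM remanence question raised later in the thread, are separate concerns.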

> i’m not familiar with changes to the Windows Memory Manager post
> Win 2K … but i’m going to guess that it still uses a single spin
> lock to protect all of the page table entries and virtual address space
> manipulation,

No, a single spin lock protects the whole PFN database (the entity called
“mem_map” in Linux).

Address spaces and PTEs are protected by per-address-space FAST_MUTEX which is
inside EPROCESS.

> and that it still looks for pages to reclaim by walking the
> virtual address space of all processes on the system.

It walks the workspace lists (which are IIRC the prime-number-based hash) and
not the VAs themselves. Contrary to Linux’s kswapd, which really did scans over
all PTE tables.

> which is why i called Windows a toy OS

Then how should I call UNIXen which use a single spinlock for the whole kernel,
or which have nonpreemptive kernels?

> in my opinion, Microsoft was very smart to make the trade-offs they
> did in Windows. because Windows is primarily a desktop OS running
> on cheap hardware that’s frequently upgraded, users were willing to
> accept a degree of unreliability

Windows by design is as reliable as AIX or Solaris, so, this is about the
bug/fix rate only. In recent years, the fix rate has been good.

> , lack of scalability, and lack of
> compatibility across product releases.

Windows is the best OS if we are speaking about backward compatibility. Compare
this to Solaris change from BSD to SysV in around 1993, which broke most apps.
Compare this to most open-source titles like PHP or MySQL.

> it’s interesting. there are a lot of products out there that do
> get things right only 99.99% of the time, and that does seem to be
> acceptable to some set of customers.

And, after this, you will speak about enterprise-class software? :-)

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com