by _red 2559 days ago
Can you elaborate more on the practical benefits of encrypted memory? Presumably this is mainly good for multi-user systems? On the average single-user system it seems that if you can already read memory there are 1000 other possible exploits that are cheaper / easier to perform (ie. keylog, screen capture, etc).

AFAIK the only thing it protects you from is generic malware that scans process memory for passwords. It’s trivial to bypass though: all you need to do is patch the code as it’s running to dump all the plaintext entries for you.

> there are 1000 other possible exploits that are cheaper / easier to perform (ie. keylog, screen capture, etc).

Keepass has mitigations for those as well.

> AFAIK the only thing it protects you from is generic malware that scans process memory for passwords.

Apparently it doesn't even do that: https://www.securityevaluators.com/casestudies/password-mana... (section Keepass)

Possibly because keepass uses the wrong flag? https://docs.microsoft.com/en-us/dotnet/api/system.security.... seems to say that the memory segment can be decrypted by either:

* all processes running on the box

* all processes owned by the same user

* only this process

Alternatively, might be because C# and the memory protection primitives don't prevent the GC from copying its data out of the protected area? IDK

edit: ah, or they might be using ProtectedData rather than ProtectedMemory, that only has the "same machine" and "same user" levels of protection: https://docs.microsoft.com/en-us/dotnet/api/system.security....
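
The scope levels and the GC concern raised in the comment above, shown as an added example that is not from the thread or from KeePass's code: it uses the Windows-only `ProtectedMemory` API with the `SameProcess` scope and a pinned buffer. The class name and the sample secret are constructed for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

static class ProtectedSecretDemo
{
    // ProtectedMemory encrypts in place and requires a length that is a multiple of 16 bytes.
    const int BlockSize = 16;

    static void Main()
    {
        // Constructed sample secret. This source array is NOT pinned, so it is itself a
        // plaintext copy the GC may move; a real program reads input directly into the pinned buffer.
        byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-password");
        int secretLen = secret.Length;
        int paddedLen = (secretLen + BlockSize - 1) / BlockSize * BlockSize;

        byte[] buffer = new byte[paddedLen];
        // Pin before any plaintext is written, so the GC cannot relocate the array
        // and leave a stale unencrypted copy elsewhere on the managed heap.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            Buffer.BlockCopy(secret, 0, buffer, 0, secretLen);
            Array.Clear(secret, 0, secret.Length);

            // SameProcess: only this process can decrypt.
            // SameLogon: any process of the same user. CrossProcess: any process on the machine.
            ProtectedMemory.Protect(buffer, MemoryProtectionScope.SameProcess);
            Console.WriteLine("protected:   " + BitConverter.ToString(buffer, 0, 8) + "...");

            // Decrypt only for the moment of use. GetString creates an immutable managed
            // string (another plaintext copy); it is here only to show the round trip.
            ProtectedMemory.Unprotect(buffer, MemoryProtectionScope.SameProcess);
            Console.WriteLine("unprotected: " + Encoding.UTF8.GetString(buffer, 0, secretLen));
        }
        finally
        {
            // Wipe the plaintext before unpinning so nothing readable survives in the buffer.
            Array.Clear(buffer, 0, buffer.Length);
            pin.Free();
        }
    }
}
```

`ProtectedData`, by contrast, takes a `DataProtectionScope` of `CurrentUser` or `LocalMachine` and has no per-process level, which is the distinction the edit above points at.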

Crash reports often include memory dumps. Firefox automatically reports these to Mozilla - there's plenty of other software that auto-reports crash data as well. If that crash data includes in-memory credentials, that could lead to your master password being compromised.

> Crash reports often include memory dumps. Firefox automatically reports these to Mozilla

Of the process in question, not the entire system. A Firefox crash dump can potentially still include credentials and private keys, of course.