I'm studying security, and I would like to know: in a Windows or Unix-based OS environment, is there a way for anything (a program, or a user with some knowledge) to copy all the content of the computer's memory?

My worry is about a hacker getting my decrypted data while it is loaded in memory, and how to avoid it. The hacker may be the user himself.

+1  A: 

A device driver or the OS itself could copy all memory. A suitably privileged person could copy the portion of system memory that is paged or swapped into page files (on many operating systems, anyway). A privileged person could copy system memory dumps.

Is this what you're asking? If not, then you may want to give more detail. In particular, can you narrow down what kinds of operating system you're asking about? In school, you could be asking about really old ones, and the answers will be different.

John Saunders
thanks and, please, see my updated question
Tom Brito
+2  A: 

On Windows you can generate a crash dump that will contain nearly all memory (if not all memory) if you configure the system to generate a "Complete memory dump":

Then you just need to cause a bugcheck.

The nice thing about dealing with a crash dump file is that the Debugging Tools for Windows (and other tools) know how to parse a lot of information out of the files.

Michael Burr
All of the above require Administrator-level privileges. A malicious program couldn't do it unless running as a logged-in user with privileges.
John Saunders
Cool... and worrying... So, I have no way to avoid this kind of attack?
Tom Brito
@John Saunders - my answer was written before clarification that the question was about how a hacker might do something like this. I thought the OP was looking for ways that he could examine memory for learning purposes or whatever.
Michael Burr
And as far as the OP's hack-prevention goes, sensitive data in page files is a security concern. Several techniques are used to reduce the exposure, including wiping the page file at boot and/or shutdown, running without a pagefile, zeroing sensitive memory when you're done using it (note that `memset( p, 0, size)` might not do the trick due to compilers optimizing it away), and/or keeping sensitive data encrypted in memory except for brief moments when it is actually used.
Michael Burr
But again, as John Saunders indicated, an attacker would need admin or physical access to the machine.
Michael Burr
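As an added illustration of the zeroing point made in the comments above (this is example code, not code from the thread or from any of its participants): a plain `memset()` on a buffer that is never read again is a dead store the optimizer may delete, whereas writes through a `volatile` pointer must be emitted. The helper name `secure_zero` and the sample plaintext are my own constructions; `SecureZeroMemory()` and `explicit_bzero()` are the platform-provided equivalents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer in a way the optimizer must not remove.
 * Writing through a volatile pointer forces every store to be emitted,
 * unlike a plain memset() before free()/return, which a compiler may drop
 * as a dead store because the buffer is never read afterwards.
 * (Windows provides SecureZeroMemory(); glibc 2.25+ and the BSDs provide
 * explicit_bzero() for the same purpose.) */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise. */
int is_zeroed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Simulates the pattern discussed above: plaintext is held only while it
 * is used, then wiped before the buffer goes out of scope. The "secret"
 * is a constructed sample value. Returns the number of bytes wiped. */
size_t use_secret_then_wipe(unsigned char *buf, size_t buflen) {
    static const char sample[] = "constructed-sample-plaintext";
    size_t n = strlen(sample);
    if (n > buflen) n = buflen;
    memcpy(buf, sample, n);     /* "decrypt" into memory */
    /* ... brief window where the plaintext is actually used ... */
    secure_zero(buf, buflen);   /* wipe, even though buf is never read again */
    return buflen;
}

int main(void) {
    unsigned char buf[64];
    use_secret_then_wipe(buf, sizeof buf);
    printf("buffer zeroed: %s\n", is_zeroed(buf, sizeof buf) ? "yes" : "no");
    return 0;
}
```

Zeroing the process's own buffers does nothing about copies the OS has already made (page file, hibernation file, crash dump), which is why the comments above pair it with page-file wiping and keeping data encrypted except while in use.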
+2  A: 

Generally, if you are a privileged user, you can access all the memory you want. If you have Linux, you can log in as root and dump kernel memory using `cat /proc/kcore`.

aaa
So, would you say that the best way to make data secure is encrypt it in the memory, or what? Any idea?
Tom Brito
@Tom: the best way to make data secure against insider attack is to hire employees you can trust. You need to be very sure about someone who has access to shutdown your systems or delete your data.
John Saunders
@Tom it depends. If you make software for users, you have to protect the software against someone who has full access to memory (a losing game). If you are a system administrator, then you manage access control so users do not have root access.
aaa