How does Fedora clean its RAM..?

Alan Cox alan at lxorguk.ukuu.org.uk
Thu Nov 3 08:48:58 UTC 2011 

> You're sure about that? What evidence do you offer? Can you point to
> auto-scrub code paths in all the library APIs for freeing memory?

We actually don't wipe memory on free, but on allocate. That has
performance wins. Some user space does go to the trouble of wiping things
like crypto keys once they are used, as does some kernel bits.

Linux has *no* memory allocator for userspace from the kernel. It has
mmap which maps in an object from the file system and sbrk() which is
these days implemented in terms of mmap.

What these actually do effectively is allocate address space, and we have
a /dev/zero which is an infinite supply of mappings of a single kernel
page that contains only zero.

So the actual process becomes

	I need 1MB
	mmap /dev/zero for 1MB
	We get 1MB of page tables pointing to the *same* page of zero

At this point our 1MB takes up 4K (plus page tables). When you write to
it for the first time the page you write to is copied and updated with the
new data ("copy on write") and now has its own actual data.

This is a good deal more efficient.

> Rather than merely imply that such threat models are beyond the scope
> of Fedora, wouldn't it be better to refer the OP to a wiki article on
> the subject, or to the dev list if there is no wiki article?

The usual threat models for not clearing memory are the fact things like
keys may hang around longer. But they may also have hit swap so really
for most uses the concern is crypted swap and use of hibernate in
preference to suspend. If you leave someone with physical access to a PC
you lost already however, as they can trojan the BIOS and the like ready
for the next boot.

The Linux kernel may move to zeroing user pages at free, at least in some
circumstances. The reason for this isn't however security but virtual
machines. Right now KVM with a Linux guest cannot tell properly if chunks
of pages of free user data are relevant so it must preserve them. If they
are zeroed on free then the ksm background scan which finds identical
pages in and between guests and turns them into one mapping will be able
to take all the freed user pages and turn them back into a single page of
real physical host memory.

Alan

More information about the users mailing list