Stowage/memguard
2
0
Fork 0
mirror of https://github.com/awnumar/memguard.git synced 2026-02-06 17:59:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
Software sandbox for storage of sensitive information in memory.
402 commits 4 branches 47 tags 10 MiB
Find a file
Exact
Awn Umar 83f33df46b sync
2021-02-28 11:55:16 +00:00
.github/ISSUE_TEMPLATE Update bug_report.md 2019-11-07 11:27:55 +00:00
core sync 2021-02-27 13:46:28 +00:00
examples sync 2021-02-27 13:46:28 +00:00
.cirrus.yml Update FreeBSD image version to 13 2020-04-16 15:24:26 +01:00
AUTHORS Update AUTHORS 2020-04-16 15:12:00 +01:00
buffer.go sync 2021-02-28 11:55:16 +00:00
buffer_test.go Improve error reporting in Reader->Buffer constructors 2020-03-11 18:17:26 +00:00
docs.go remove clone; implement tests and repr methods 2019-05-26 19:08:26 +01:00
enclave.go Some experimentation 2020-08-09 15:12:07 +01:00
enclave_test.go Add buffer<->enclave size equality check 2019-10-01 10:29:11 +01:00
go.mod sync 2021-02-27 13:46:28 +00:00
go.sum sync 2021-02-27 13:46:28 +00:00
LICENSE Relicence project under Apache-v2 (#9) 2017-05-02 22:23:45 +01:00
logo.svg Initial commit 2017-04-22 09:16:20 +01:00
memguard.go fix following dead lock problems 2020-04-20 17:04:12 +08:00
memguard_test.go crypto: use local custom emtropy pool 2019-05-13 17:08:37 +01:00
README.md Update some things 2020-05-20 21:38:00 +01:00
signals.go docs: updates for clarity and readability 2019-05-30 10:04:45 +01:00
signals_test.go feature: add clone and {move/copy}at methods 2019-05-17 14:22:12 +01:00
stream.go Some experimentation 2020-08-09 15:12:07 +01:00
stream_test.go Some experimentation 2020-08-09 15:12:07 +01:00

README.md

MemGuard

Software enclave for storage of sensitive information in memory.

This package attempts to reduce the likelihood of sensitive data being exposed when in memory. It aims to support all major operating systems and is written in pure Go.

Features

  • Sensitive data is encrypted and authenticated in memory with XSalsa20Poly1305. The scheme used also defends against cold-boot attacks.
  • Memory allocation bypasses the language runtime by using system calls to query the kernel for resources directly. This avoids interference from the garbage-collector.
  • Buffers that store plaintext data are fortified with guard pages and canary values to detect spurious accesses and overflows.
  • Effort is taken to prevent sensitive data from touching the disk. This includes locking memory to prevent swapping and handling core dumps.
  • Kernel-level immutability is implemented so that attempted modification of protected regions results in an access violation.
  • Multiple endpoints provide session purging and safe termination capabilities as well as signal handling to prevent remnant data being left behind.
  • Side-channel attacks are mitigated against by making sure that the copying and comparison of data is done in constant-time.
  • Accidental memory leaks are mitigated against by harnessing the garbage-collector to automatically destroy containers that have become unreachable.

Some features were inspired by libsodium, so credits to them.

Full documentation and a complete overview of the API can be found here. Interesting and useful code samples can be found within the examples subpackage.

Installation

$ go get github.com/awnumar/memguard

API is experimental and may have unstable changes. You should pin a version. [modules]

Contributing

  • Submitting program samples to ./examples.
  • Reporting bugs, vulnerabilities, and any difficulties in using the API.
  • Writing useful security and crypto libraries that utilise memguard.
  • Implementing kernel-specific/cpu-specific protections.
  • Submitting performance improvements.

Issues are for reporting bugs and for discussion on proposals. Pull requests should be made against master.