Go Proposal: Secret Mode

20 days ago

One of the goals here is to make it easy to identify existing code which would benefit from this protection and separate that code from the rest. That code is going to run anyway, it already does so today.

https://go-review.googlesource.com/c/go/+/729920

20 days ago

1 reply

This is not what secret.Enabled() means. But it probably illustrates that the function needs to be renamed already.

The documentation in this article already explains what it actually does:

  // Enabled reports whether Do appears anywhere on the call stack.

This means it is just a way of checking that you are running inside the context which secret.Do provides, but doesn't guarantee that secret.Do is actually offering the protection you desire.

cafxx

20 days ago

1 reply

That's not how it's implemented (it returns false if you're inside a Do() on a unsupported platform), although I agree the wording should be clearer.

cafxx

19 days ago

Filed a CL for this, hopefully it gets merged ~soon.

oncallthrow

20 days ago

2 replies

Meh, this is a defence in depth measure anyway

ctoth

20 days ago

1 reply

Linux

Windows and MacOS?

Go is supposed to be cross-platform. I guess it's cross-platform until it isn't, and will silently change the semantics of security-critical operations (yes, every library builder will definitely remember to check if it's enabled.)

YesThatTom2

20 days ago

1 reply

If you need this for Windows so desperately why aren’t you offering to add support for that platform? It’s open source.

Many advanced Go features start in certain platforms and then expand to others once the kinks are worked out. It’s a common pattern and has many benefits. Why port before its stable?

I look forward to your PR.

baq

20 days ago

Absolutely not the right take unless the OP is a security researcher

hypeatei

20 days ago

3 replies

> Meh, this is a defence in depth measure

Which is exactly why it should fail explicitly on unsupported platforms unless the developer says otherwise. I'm not sure how Go developers make things obvious, but presumably you have an ugly method or configuration option like:

  dangerousAllowSecretsToLeak()

...for when a developer understands the risk and doesn't want to panic.

20 days ago

This is a sharp-edged tool guarded behind an experimental flag. You are not meant to use it unless you want to participate in the experiment. Objections like this and the other one ("check if it's enabled" -- you can't, that's not what secret.Enabled() means) illustrate that this API may still need further evolution, which it won't get if it's never available to experiment with.

satellite2

20 days ago

Alternatively:

  enclave, err := secret.GetEnclave()
  // err contains whether the platform doesn't support it
  enclave.Do(f)

20 days ago

A key purpose of this mechanism is to take certain code which is written in ordinary Go today, and thus already exists and runs but with none of this protection, and to distinguish it as benefitting from this protection. If secret.Do panics when the platform isn't (yet) able to provide additional protection, then it defeats the goal, which is to identify which code fits this criterion and separate it from code that doesn't. This is a sharp-edged tool not meant for mass adoption.

pjmlp

18 days ago

1 reply

Nah, Java and .NET are much better, but they aren't fashionable.

18 days ago

1 reply

I think C# has been doing really well... I've appreciated the efforts to open the platform since Core... Though I do know a few devs that have been at it as long as I have that don't like the faster lifecycle since the move from Framework.

pjmlp

18 days ago

Hello from one of them, while I appreciate the modernisation (with learnings from Midori as well), and officially going cross platform, it appears that some features are for the sake to keep the team size.

Most of our agency projects that have .NET in them, are brown field ongoing projects that mostly focus on .NET Framework, thus we end up only using modern .NET when given the opportunity to deliver new microservices, and the customer happens to be a .NET shop.

The last time this happened, .NET 8 had just been released, and most devs I work with tend to be journeyman they aren't chasing programming language blogs to find out what changes in each release, or online communities, they do the agency work and go home for friends, family and non programming related hobbies.

alanfranz

20 days ago

I'd probably want some way to understand whether secret.Do is launched within a secret-supporting environment so that I'm able to show some user warning / force a user confirmation or generate_secrets_on_unsupported_platforms flag.

But, this is probably a net improvement over the current situation, and this is still experimental, so, changes can happen before it gets to GA.

18 days ago

Guessing it's also taking sure to use assembly calls to zero out and clear the memory region as part of the GC... I would guess the clear/gc characteristics are otherwise the same, but having access to RAM in a non-supported platform could, in theory allow for stale reads of raw memory.

This is likely done for platform performance and having a manual version likely hinders the GC in a way that's deemed too impactful. Beyond this, if SysV or others contribute specific patches that aren't brute forced (such as RiscV extensions), I would assume that the go maintainers would accept it..

treyd

20 days ago

> Go has the best support for cryptography of any language

Writing cryptography code in Go is incredibly annoying and cumbersome due lack of operator overloading, forcinforcing you to do method calls like `foo.Add(bar.Mul(baz).Mod(modulus)).Mod(modulus)`. These also often end up having to be bignums instead of using generic fixed-size field arithmetic types. Rust has incredibly extensive cryptographic libraries, the low-level taking advantage of this operator overloading so the code ends up being able to following the notation in literature more closely. The elliptic_curve crate in particular is very nice to work with.

dpifke

24 days ago

1 reply

Also fips140.WithoutEnforcement (also coming in 1.26): https://github.com/golang/go/issues/74630#issuecomment-32282...

And an in-progress proposal to make these various "bubble" functions have consistent semantics: https://github.com/golang/go/issues/76477

kmeisthax

20 days ago

I have to wonder if we need, say, a special "secret data" type (or modifier) that has the semantics of both crypto/subtle and runtime/secret. That is to say, comparison operators are always constant-time, functions holding the data zero it out immediately, GC immediately zeroes and deallocs secret heap allocations, etc.

I mean, if you're worried about ensuring data gets zeroed out, you probably also don't want to leak it via side channels, either.

maxloh

20 days ago

8 replies

> The new runtime/secret package lets you run a function in secret mode. After the function finishes, it immediately erases (zeroes out) the registers and stack it used.

I don't understand. Why do you need it in a garbage-collected language?

My impression was that you are not able to access any register in these language. It is handled by the compiler instead.

20 days ago

1 reply

Go is not a memory safe language. Even in memory safe languages, memory safety vulnerabilities can exist. Such vulnerabilities can be used to hijack your process into running untrusted code. Or as others point out sibling processes could attack yours. This underlying principle is defense in depth - you make add another layer of protection that has to be bypassed to achieve an exploit. All the chains combined raise the expense of hacking a system.

https://www.memorysafety.org/docs/memory-safety/

20 days ago

1 reply

Respectfully, this has become a message board canard. Go is absolutely a memory safe language. The problem is that "memory safe", in its most common usage, is a term of art, meaning "resilient against memory corruption exploits stemming from bounds checking, pointer provenance, uninitialized variables, type confusion and memory lifecycle issues". To say that Go isn't memory safe under that definition is a "big if true" claim, as it implies that many other mainstream languages commonly regarded as memory safe aren't.

Since "safety" is an encompassing term, it's easy to find more rigorous definitions of the term that Go would flunk; for instance, it relies on explicit synchronization for shared memory variables. People aren't wrong for calling out that other languages have stronger correctness stories, especially regarding concurrency. But they are wrong for extending those claims to "Go isn't memory safe".

https://www.ralfj.de/blog/2025/07/24/memory-safety.html

20 days ago

3 replies

I’m not aware of any definition of memory safety that allows for segfaults- by definition those are an indication of not being memory safe.

It is true that go is only memory unsafe in a specific scenario, but such things aren’t possible in true memory safe languages like c# of Java. That it only occurs in multithreaded scenarios matters little especially since concurrency is a huge selling point of the language and baked in.

Java can have data races, but those data races cannot be directly exploited into memory safety issues like you can with Go

20 days ago

1 reply

Another canard. "Segfault" is simply Go's reporting convention for things like nil pointer hits. All due respect to Ralf's Ramblings, but I'm going to rest my case with the Prossimo page on memorysafety.org that I just posted. This isn't a real debate.

20 days ago

1 reply

> Segfault" is simply Go's reporting convention for things like nil pointer hits.

Blatantly false. From Ralf’s post:

> panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x2a pc=0x468863]

The panic address is 42, a value being mutated, not a nil pointer. You could easily imagine this address pointing to a legal but unintended memory address resulting in a read or write of unintended memory.

20 days ago

2 replies

No, you can't, and the reason you know you can't is that it's never happened. That looks like a struct offset dereference from a nil pointer, for what it's worth.

20 days ago

1 reply

You’d be wrong. I recommend you reread the blog post and grok what’s happening in the example.

> When that happens, we will run the Ptr version of get, which will dereference the Int’s val field as a pointer – and hence the program accesses address 42, and crashes.

If you don’t see an exploit gadget there based on a violation of memory safety I don’t know how to have a productive conversation.

20 days ago

Please do explain the exploit gadget you're talking about.

josefx

20 days ago

> That looks like a struct offset dereference from a nil pointer, for what it's worth.

The 42 is an explicit value in the example code. From what I understand the code repeatedly changes the value assigned to an interface variable from an object containing a pointer to an object containing an integer. Since interface variables store the type of the assigned value, but do not update both type and value atomically a different thread can interpret whatever integer you put into it as a valid pointer. Putting a large enough value into the integer should avoid the protected memory page around 0 and allow for some old fashioned memory corruption.

afdbcreid

20 days ago

1 reply

Rust is susceptible to segfaults when overflowing the stack. Is Rust not memory safe then?

Of course, Go allows more than that, with data races it's possible to reach use after free or other kinds of memory unsafety, but just segfaults don't mark a language memory unsafe.

20 days ago

1 reply

Go is most emphatically NOT memory-safe. It's trivially easy to corrupt memory in Go when using gorotuines. You don't even have to try hard.

This stems from the fact that Go uses fat pointers for interfaces, so they can't be atomically assigned. Built-in maps and slices are also not corruption-safe.

In contrast, Java does provide this guarantee. You can mutate structures across threads, and you will NOT get data corruption. It can result in null pointer exceptions, infinite loops, but not in corruption.

20 days ago

1 reply

This is just wrong. Not that you can't blow up from a data race; you certainly can. Simply that any of these properties admit to exploitable vulnerabilities, which is the point of the term as it is used today. When you expand the definition the way you are here, you impair the utility of the term.

Serious systems built in memory-unsafe languages yield continual streams of exploitable vulnerabilities; that remains true even when those systems are maintained by the best-resourced security teams in the world. Functionally no Go projects have this property.

20 days ago

1 reply

There were CVEs caused by concurrent map access. Definitely denials of service, and I'm pretty sure it can be used for exploitation.

> Serious systems built in memory-unsafe languages yield continual streams of exploitable vulnerabilities

I'm not saying that Go is as unsafe as C. But it definitely is NOT completely safe. I've seen memory corruptions from improper data sync in my own code.

20 days ago

1 reply

Go ahead, talk through how this would be use for exploitation.

19 days ago

I would try to cause the map reallocation at the same moment I'm writing to it. Leading to corrupted memory allocator structures.

Mawr

20 days ago

Safety is a continuum. It's a simple fact. Feel free to use a term other than memory safety to describe what you're talking about, but so long as you use safety, there's going to be a continuum.

Also, by your definition, e.g. Rust is not memory safe. And "It is true that Rust is only memory unsafe in a specific scenario, but [...]". I hope you agree.

jerf

20 days ago

This is about minimizing attack surface. Not only could secrets be leaked by hacking the OS process somehow to perform arbitrary reads on the memory space and send keys somewhere, they could also be leaked with root access to the machine running the process, root access to the virtualization layer, via other things like rowhammering potentially from an untrusted process in an entirely different virtual context running on the same machine, and at the really high end, attacks where the government agents siezing your machine physically freeze your RAM (that is, reduce the physical temperature of your RAM to very low temperatures) when they confiscate your machine and read it out later. (I don't know if that is still possible with modern RAM, but even if it isn't I wouldn't care to bet much on the proposition that they don't have some other way to read RAM contents out if they really, really want to.) You can't avoid having things in RAM to operate on them but you can ensure they are as transient as possible to minimize the attack window.

If you are concerned about secrets being zeroed out in almost any language, you need some sort of support for it. Non-GC'd languages are prone to optimize away zeroing out of memory before deallocation, because under normal circumstances a write to a value just before deallocation that is never effectfully read can be dropped without visible consequence to the rest of the program. And as compilers get smarter it can be harder to fool them with code, like, simply reading afterwards with no further visible effect might have been enough to fool 20th century compilers but nowadays I wouldn't count on my compiler being that stupid.

There are also plenty of languages where you may want to use values that are immutable within the context of the language, so there isn't even a way to express "let's zero out this RAM".

Basically, if you don't build this in as a language feature, you have a whole lot of pressures constantly pushing you in the other direction, because why wouldn't you want to avoid the cost of zeroing memory if you can? All kinds of reasons to try to avoid that.

hamburglar

20 days ago

The Go runtime may not be the only thing reading your process’ memory.

gethly

20 days ago

Yeah, I can hardly disagree with that sentiment myself.

18 days ago

That's kind of the point of making it (relatively easily) accessibly... in order to ensure that secrets are wiped from memory as quickly as reasonable. This reduces a lot of potential surface area for potential attack.

I used to not really see the need for this level of detail on things... then you see useful (IE in the wild exploits) for even complex factors like CPU branch prediction (for a while now), and the need starts to become much more clear.

kittywantsbacon

20 days ago

This would potentially protect against other process reading memory via some system compromise - they would be able to get new secrets but not old ones.

20 days ago

Go has both assembly language and unsafe pointer operations available. While any uses of these more advanced techniques should be vetted before going to production, they are obviously able to break out of any sandboxing that you might otherwise think a garbage collector provides.

And any language which can call C code that is resident in the same virtual memory space can have its own restrictions bypassed by said C code. This even applies to more restrictive runtimes like the JVM or Python.

er4hn

20 days ago

In theory it prevents failures of the allocator that would allow reading uninitialized memory, which isn't really a thing in Go.

In practice it provides a straightforward path to complying with government crypto certification requirements like FIPS 140 that were written with languages in mind where this is an issue.

20 days ago

3 replies

Ok, i kinda get the idea, and with some modification it might be quite handy - but i wonder why its deemed like an "unsolvable" issue right now.

It may sound naive, but packages which include data like said session related or any other that should not persist (until the next Global GC) - why don't you just scramble their value before ending your current action?

And dont get me wrong - yes that implies extra computation yada yada - but until a a solution is practical and builtin - i'd just recommend to scramble such variables with new data so no matter how long it will persist, a dump would just return your "random" scramble and nothing actually relevant.

willahmad

20 days ago

2 replies

without language level support, it makes code look like a mess.

Imagine, 3 level nesting calls where each calls another 3 methods, we are talking about 28 functions each with couple of variables, of course you can still clean them up, but imagine how clean code will look if you don't have to.

Just like garbage collection, you can free up memory yourself, but someone forgot something and we have either memory leak or security issues.

compsciphd

20 days ago

2 replies

I could imagine code that did something like this for primatives

  secretStash := NewSecretStash()
  pString := secretStash.NewString()
  ....
  ....
  secretStash.Thrash()

yes, you now have to deal in pointers, but that's not too ugly, and everything is stored in secretStash so can iterate over all the types it supports and thrash them to make them unusable, even without the gc running.

20 days ago

1 reply

Thats even better than what i had in mind but agree also a good way to just scrumble stuff unusable ++

compsciphd

20 days ago

I'm now wondering with a bit of unsafe, reflection and generics magic one could make it work with any struct as well (use reflection to instantiate a generic type and use unsafe to just overwrite the bytes)

mbreese

20 days ago

I used to see this is bash scripts all the time. It’s somewhat gone out of favor (along with using long bash scripts).

If you had to prompt a user for a password, you’d read it in, use it, then thrash the value.

    read -p “Password: “ PASSWD
    #Do something $PASSWD
    PASSWD=“XXXXXXXXXXXXXXXXXX”

It’s not pretty, but a similar concept.

HendrikHensen

20 days ago

3 replies

With good helpers, it could become something as simple as

    key := make([]byte, 32)
    defer scramble(&key)
    // do all the secret stuff

20 days ago

1 reply

Yep thats what i thought about

ok123456

20 days ago

1 reply

This proposal is worse because all the valuable regions of code will be clearly annotated for static analysis, either explicitly via a library/function call, or heuristically using the same boilerplate or fences.

20 days ago

1 reply

Makes sense basically creating an easy to point out pattern for static analysis to find everything security related.

As another response pointed out, its also possible that said secret data is still in the register, which no matter what we do to the curr value could exist.

Thanks for pointing it out!

ok123456

20 days ago

> Makes sense basically creating an easy to point out pattern for static analysis to find everything security related.

This is essentially already the case whenever you use encryption, because there are tell-tale signs you can detect (e.g., RSA S-Box). But this will make it even easier and also tip you off to critical sections that are sensitive yet don't involve encryption (e.g., secure strings).

20 days ago

1 reply

There are two main reasons why this approach isn't sufficient at a technical level, which are brought up by comments on the original proposal: https://github.com/golang/go/issues/21865

1) You are almost certainly going to be passing that key material to some core crypto functions, and those functions may allocate and copy your data around; while core crypto operations could probably be identified and given special protection in their own right, this still creates a hole for "helper" functions that sit in the middle

2) The compiler can always keep some data in registers, and most lines of Go code can be interrupted at any time, with the registers of the running goroutine copied somewhere temporarily; this is beyond your control and cannot be patched up after the fact by you even once control returns to your goroutine

So, even with your approach, (2) is a pretty serious and fundamental issue, and (1) is a pretty serious but mostly ergonomic issue. The two APIs also illustrate a basic difference in posture: secret.Do wipes everything except what intentionally escapes, while scramble wipes only what you think is important to wipe.

20 days ago

Thanks, you brought up good points.

While in my case i had a program in which i created an instance of such a secret , "used it" and than scrambled the variable it never left so it worked.

Tho i didn't think of (2) which is especially problematic.

Prolly still would scramble on places its viable to implement, trying to reduce the surface even if i cannot fully remove it.

nemothekid

20 days ago

As I understand it, this is too brittle. I think this is trivially defeated if someone adds an append to your code:

    func do_another_important_thing(key []byte) []byte {
       newKey := append(key, 0x0, 0x1) // this might make a copy!
       return newKey
    } 

    key := make([]byte, 32) 
    defer scramble(&key) 
    do_another_important_thing(key)
    // do all the secret stuff

Because of the copy that append might do, you now have 2 copies of the key in data, but you only scramble one. There are many functions that might make a copy of the data given that you don't manually manage memory in Go. And if you are writing an open source library that might have dozens of authors, it's better for the language to provide a guarantee, rather than hope that a developer that probably isn't born yet will remember not to call an "insecure" function.

20 days ago

1 reply

It is fundamentally not possible to be in complete control of where the data you are working with is stored in go. The compiler is free to put things on the heap or on the stack however it wants. Relatedly it may make whatever copies it likes in between actions defined in the memory model which could leak arbitrary temporaries.

to11mtm

20 days ago

1 reply

Yeah, .NET tried to provide a specific type related to this concept (SecureString) in the past and AFAIK there were were two main problems that have caused it to fall into disuse;

First one being, it was -very- tricky to use properly for most cases, APIs to the outside world typically would give a byte[] or string or char[] and then you fall into the problem space you mention. That is, if you used a byte[] or char[] array, and GC does a relocation of the data, it may still be present in the old spot.

(Worth noting, the type itself doesn't do that, whatever you pass in gets copied to a non-gc buffer.)

The second issue is that there's not a unified unix memory protection system like in windows; The windows implementation is able to use Crypt32 such that only the current process can read the memory it used for the buffeer.

evntdrvn

20 days ago

In case you’re interested in a potential successor: https://github.com/dotnet/designs/pull/147

skywhopper

20 days ago

Hard to understand what you’re asking. This is the solution that will practical and built-in. This is a summary of a new feature coming to Go’s runtime in 1.26.

20 days ago

1 reply

Kind of stupid it didn’t have something like this to begin with tbh. It really is an incredible oversight when one steps back. I am fully ready to be downvoted to hell for this, but rust ftw.

20 days ago

2 replies

Rust doesn't have anything like this either. I think you misunderstood what it is.

20 days ago

2 replies

It doesn’t but the problem space is more constrained as you are at least in control of heap vs stack storage. Register clearing is not natively available though. To put it more simply: yes but you can write this in rust- you can’t write it in go today.

purplesyringa

20 days ago

2 replies

You can try to write it in Rust, doesn't mean you'll succeed. Rust targets the abstract machine, i.e. the wonderful land of optimizing compilers, which can copy your data anywhere they want and optimize out any attempts to scramble the bytes. What we'd need for this in Rust would be an integration with LLVM, and likely a number of modifications to LLVM passes, so that temporarily moved data can be tracked and erased. The only reason Go can even begin to do this is they have their own compiler suite.

20 days ago

1 reply

??? I think that the fact that `drop` means "the heap gets this space back" in Rust means that things are fairly predictable.

purplesyringa

20 days ago

"Memory leaks" would be a mischaracterisation. "Memory leak" typically refers to not freeing heap-allocated data, while I'm talking about data being copied to temporary locations, most commonly on the stack or in registers.

In a nutshell, if you have a function like

    fn secret_func() -> LargeType {
        /* do some secret calculations */
        LargeType::init_with_safe_Data()
    }

...then even if you sanitize heap allocations and whatnot, there is still a possibility that those "secret calculations" will use the space allocated for the return value as a temporary location, and then you'll have secret data leaked in that type's padding.

More realistically, I'm assuming you're aware that optimizing compilers often simplify `memset(p, 0, size); free(p);` to `free(p);`. A compiler frontend can use things like `memset_s` to force rewrites, but this will only affect the locals created by the frontend. It's entirely possible that the LLVM backend notices that the IR wants to erase some variable, and then decides to just copy the data to another location on the stack and work with that, say to utilize instruction-level parallelism.

I'm partially talking out of my ass here, I don't actually know if LLVM utilizes this. I'm sure it does for small types, but maybe not with aggregates? Either way, this is something that can break very easily as optimizing compilers improve, similarly to how cryptography library authors have found that their "constant-time" hacks are now optimized to conditional jumps.

Of course, this ignores the overall issue that Rust does not have a runtime. If you enter the secret mode, the stack frames of all nested invoked functions needs to be erased, but no information about the size of that stack is accessible. For all you know, memcpy might save some dangerous data to stack (say, spill the vector registers or something), but since it's implemented in libc and linked dynamically, there is simply no information available on the size of the stack allocation.

This is a long yap, but personally, I've found that trying to harden general-purpose languages simply doesn't work well enough. Hopefully everyone realizes by now that a borrow checker is a must if you want to prevent memory unsoundness issues in a low-level language; similarly, I believe an entirely novel concept is needed for cryptographical applications. I don't buy that you can just bolt it onto an existing language.

20 days ago

1 reply

I'm pretty sure you could do it with inline assembly, which targets the actual machine.

You could definitely zero registers that way, and a allocator that zeros on drop should be easy. The only tricky thing would be zeroing the stack - how do you know how deep to go? I wonder what Go's solution to that is...

purplesyringa

20 days ago

2 replies

I meeeeean... plenty of functions allocate internally and don't let the user pass in an allocator. So it's not clear to me how to do this at least somewhat universally. You could try to integrate it into the global allocator, I suppose, but then how do you know which allocations to wipe? Should anything allocated in the secret mode be zeroed on free? Or should anything be zeroed if the deallocation happens while in secret mode? Or are both of these necessary conditions? It seems tricky to define rigidly.

And stack's the main problem, yeah. It's kind of the main reason why zeroing registers is not enough. That and inter-procedural optimizations.

19 days ago

So you’re correct that covering the broadest general case is problematic. You have to block code from doing IO of any form to be safe.

In general though getting to a fairly predictable place is possible and the typical case of key material shouldn’t have highly arbitrary stacks, if you do you’re losing (see io comment above).

https://docs.rs/zeroize/1.8.1/zeroize/ has been effective for some users, it’s helped black box tests searching for key material no longer find it. There are also some docs there on how to avoid common pitfalls and links to ongoing language level discussions on the remaining and more complex register level issues.

19 days ago

Yeah I meant a global allocator. You would wipe anything that was allocated while executing a "secure" function.

20 days ago

This is basically my point, in addition to the fact that the time at which data is freed from the heap is far more predictable.

20 days ago

2 replies

Okay, fair point, sort of. Rust does not have a built-in feature to _zero_ data. Rust _does_ automatically drop references to data on the heap. Zeroing data is fairly trivial, whereas in go, the issue is non-trivial (afaiu).

  use std::ptr;
  
  struct SecretData {
      data: Vec<u8>,
  }
  
  impl Drop for SecretData {
      fn drop(&mut self) {
          // Zero out the data
          unsafe {
              ptr::write_bytes(self.data.as_mut_ptr(), 0, self.data.len());
          }
      }
  }

steveklabnik

20 days ago

1 reply

Zeroing memory is trickier than that, if you want to do it in Rust you should use https://crates.io/crates/zeroize

https://pkg.go.dev/runtime#SetFinalizer

20 days ago

He was pretty close tbf - you just need to use `write_volatile` instead of `write_bytes`.

rurban

19 days ago

Zeroing data does not protect from sidechannel exfiltration. You really need to mfence it also. The zeroize crate also doesn't help there, it only does protect from wrong compiler dead block elimination.

teeray

20 days ago

1 reply

[delayed]

tjpnz

19 days ago

More likely they'll use it and end up with a false sense of security.

Someone

20 days ago

2 replies

[delayed]

asmor

20 days ago

2 replies

My guess is that it just uses the existing finalizers and ensures the memory is overwritten.

tapirl

19 days ago

SetFinalizer is deprecated by AddCleanup: https://pkg.go.dev/runtime#AddCleanup

AddCleanup might be too heavy, it is cheaper to just set a bit in the header/info zone of memory blocks.

18 days ago

Same here, though I think that the GC will do a full run for all "secure" data that is clear regardless of GC timing.

18 days ago

My guess is that the GC will eagerly wipe+free "secret" memory first and completely on the pass as opposed to deferring to the next GC cycle as is the normal use that may otherwise happen on longer GC cycles to keep overall performance characteristics happy.

This is just my own speculation, I don't know the internals of Go beyond a few articles I've read over the years. Somewhat more familiar with C#, JS and Rust, and even then I'll sometimes confuse certain features between them.

robmccoll

20 days ago

1 reply

This is interesting, but how do you bootstrap it? How does this little software enclave get key material in that doesn't transit untrusted memory? From a file? I guess the attacker this is guarding against can read parts of memory remotely but doesn't have RCE. Seems like a better approach would be an explicitly separate allocator and message passing boundaries. Maybe a new way to launch an isolated go routine with limited copying channels.

20 days ago

> How does this little software enclave get key material in that doesn't transit untrusted memory?

Linux has memfd_secret ( https://man7.org/linux/man-pages/man2/memfd_secret.2.html ), that allow you to create a secure memory region that can't be directly mapped into regular RAM.

cafxx

20 days ago

1 reply

I find this mildly infuriating:

    func Encrypt(message []byte) ([]byte, error) {
        var ciphertext []byte
        var encErr error
    
        secret.Do(func() {
            // ...
        })
        
        return ciphertext, encErr
    }

As that suggests that somehow for PFS it is critical that the ephemeral key is zeroed out, while the plaintext message - i.e. the thing we want PFS for - is totally fine to be outside of the whole `secret` machinery, and remain in memory potentially "forever".

19 days ago

PFS is just one of many desirable properties, and getting access to plaintext is just one of many kinds of threat. Getting access to ephemeral keys and other sensitive state can enable session hijacking. It's still not a great example, though, because it doesn't illustrate that threat model either.

jabedude

20 days ago

1 reply

How much control does a language runtime have over whether the memory controller actually zeros out physical memory? My guess is very little on consumer hardware but happy to be wrong

circuit10

20 days ago

If it's no longer readable by software that's at least far better than no protection, I imagine

Thorrez

19 days ago

1 reply

> If an offset in an array is itself secret (you have a data array and the secret key always starts at data[100]), don't create a pointer to that location (don't create a pointer p to &data[100]). Otherwise, the garbage collector might store this pointer, since it needs to know about all active pointers to do its job. If someone launches an attack to access the GC's memory, your secret offset could be exposed.

That doesn't make sense to me. How can the "offset in an array itself" be "secret" if it's "always" 100? 100 isn't secret.

stingraycharles

19 days ago

1 reply

I think it may be about the absolute memory address to the secret being stored, which may itself be exploitable. That’s my hunch at least, but I’m not a security expert.

The example could probably have been better phrased.

Thorrez

18 days ago

I don't see how a single absolute address could be exploitable based on my understanding of the threat model of this library. The library is in charge of erasing the secrets from memory. Once the secrets have been erased from memory, what would an attacker gain from knowing an absolute address?

The only thing that makes sense to me is a scenario with a lot of addresses. E.g. if there's an array of 256 integers, and those integers themselves aren't secret. Then there's a key composed of 32 of those integers, and the code picks which integers to use for the key by using pointers to them. If an attacker is able to know those 32 pointers, then the attacker can easily know what 32 integers the key is made of, and can thus know the key. Since the secret package doesn't erase pointers, it doesn't protect against this attack. The solution is to use 32 array indexes to choose the 32 integers, not 32 pointers to choose the 32 integers. The array indexes will be erased by the secret package.