Problem description
I'm working on a C++ application which is keeping some user secret keys in the RAM. These secret keys are highly sensitive & I must minimize the risk of any kind of attack against them.
I'm using a character array to store these keys. I've read some content about storing variables in CPU registers or even CPU cache (i.e. using the C++ register keyword), but it seems there is not a guaranteed way to force the application to store some of its variables outside of RAM (I mean in CPU registers or cache).
Can anybody suggest a good way to do this or suggest any other solution to keep these keys securely in the RAM (I'm seeking an OS-independent solution)?
Recommended answer
Your intentions may be noble, but they are also misguided. The short answer is that there's really no way to do what you want on a general purpose system (i.e. commodity processors/motherboard and general-purpose O/S). Even if you could, somehow, force things to be stored on the CPU only, it still would not really help. It would just be a small nuisance.
More generally to the issue of protecting memory, there are O/S specific solutions to indicate that blocks of memory should not be written out to the pagefile, such as the VirtualLock function on Windows. Those are worth using if you are doing crypto and holding sensitive data in that memory.
One last thing: I will point out that it worries me that you have a fundamental misunderstanding of the register keyword and its security implications; remember it's a hint and it won't - indeed, it cannot - force anything to actually be stored in a register or anywhere else.
Now, that, by itself, isn't a big deal, but it is a concern here because it indicates that you do not really have a good grasp on security engineering or risk analysis, which is a big problem if you are designing or implementing a real-world cryptographic solution. Frankly, your post suggests (to me, at least) that you aren't quite ready to architect or implement such a system.
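An added example, not part of the original answer: a small C++ buffer that asks the OS not to page a key out, using the VirtualLock call the answer mentions, and overwrites the key before freeing it. The names LockedKey, os_lock, os_unlock and demo_roundtrip are hypothetical, the sample key is constructed, and the POSIX mlock branch is an assumption added so the code also builds outside Windows.

```cpp
#include <cstddef>
#include <cstring>
#ifdef _WIN32
#include <windows.h>
static bool os_lock(void* p, std::size_t n)   { return VirtualLock(p, n) != 0; }
static void os_unlock(void* p, std::size_t n) { VirtualUnlock(p, n); }
#else
#include <sys/mman.h>  // assumption: POSIX counterpart, not named on the page
static bool os_lock(void* p, std::size_t n)   { return mlock(p, n) == 0; }
static void os_unlock(void* p, std::size_t n) { munlock(p, n); }
#endif

// Hypothetical helper: key buffer that is locked against paging where the OS
// allows it and is overwritten before its memory is released.
class LockedKey {
public:
    explicit LockedKey(std::size_t n)
        : buf_(new unsigned char[n]()), len_(n), locked_(os_lock(buf_, len_)) {}
    ~LockedKey() {
        wipe();
        if (locked_) os_unlock(buf_, len_);
        delete[] buf_;
    }
    LockedKey(const LockedKey&) = delete;             // no silent copies of the key
    LockedKey& operator=(const LockedKey&) = delete;
    void wipe() {  // volatile writes so the clearing is not optimized away
        volatile unsigned char* p = buf_;
        for (std::size_t i = 0; i < len_; ++i) p[i] = 0;
    }
    unsigned char* data() { return buf_; }
    std::size_t size() const { return len_; }
    bool locked() const { return locked_; }           // false if the OS refused the lock
private:
    unsigned char* buf_;
    std::size_t len_;
    bool locked_;
};

// Stores a constructed sample key, then checks the buffer is all zero after wipe().
bool demo_roundtrip() {
    const unsigned char sample[8] = {0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4};
    LockedKey key(sizeof sample);
    std::memcpy(key.data(), sample, key.size());
    bool stored = std::memcmp(key.data(), sample, key.size()) == 0;
    key.wipe();
    bool cleared = true;
    for (std::size_t i = 0; i < key.size(); ++i) cleared = cleared && key.data()[i] == 0;
    return stored && cleared;
}
int main() { return demo_roundtrip() ? 0 : 1; }
```

Locking only keeps the pages out of the pagefile; the key still sits in RAM while in use, which is the limit the answer describes. Check locked() and decide how to proceed when the OS refuses the request, for example because of a locked-memory quota.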