authorJames Bottomley <James.Bottomley@HansenPartnership.com>2020-04-15 15:24:12 -0700
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2020-04-15 15:24:12 -0700
commit4695dac36f96ccc91f53fa4bff5194bbbab45fff (patch)
treee6fb502c128f3e30b71483dc9f65b92f1dea766e
downloadsecret-memory-preloader-4695dac36f96ccc91f53fa4bff5194bbbab45fff.tar.gz
Initial commit (FOSDEM demo)
-rw-r--r--Makefile15
-rw-r--r--openssl_test.c21
-rw-r--r--preload.c65
3 files changed, 101 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d752e98
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,15 @@
+LIBS=-lcrypto
+
+all: preload.so openssl_test
+
+clean:
+ rm -f *.o *.so openssl_test
+
+%.so: %.c
+ gcc -g -shared -fPIC -o $@ $^
+
+%: %.o
+ gcc -g -o $@ $^ $(LIBS)
+
+%.o: %.c
+ gcc -g -c $^
diff --git a/openssl_test.c b/openssl_test.c
new file mode 100644
index 0000000..92e04de
--- /dev/null
+++ b/openssl_test.c
@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/crypto.h>
+
+int main(int argc, const char *argv[])
+{
+ char *secure_ptr = OPENSSL_malloc(256);
+ char *insecure_ptr = malloc(256);
+
+ strcpy(secure_ptr, "this is a secret");
+ strcpy(insecure_ptr, "another secret");
+
+ printf("secure_ptr holds \"%s\"\n", secure_ptr);
+ printf("insecure_ptr holds \"%s\"\n", insecure_ptr);
+
+ pause();
+
+ exit(0);
+}
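Review bot: Neither allocation in main() is checked before the two strcpy() calls, so a NULL return is dereferenced straight away. With preload.so loaded this is a real path rather than only an out-of-memory case, because the interposed CRYPTO_malloc in preload.c returns NULL for any request of PAGE_SIZE or more. A guard such as `if (!secure_ptr || !insecure_ptr) { perror("alloc"); exit(1); }` before the copies would cover it. malloc() and exit() are also used without a direct `#include <stdlib.h>`; it presumably arrives through <openssl/crypto.h>, but including it explicitly keeps the test independent of that header's internals.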
diff --git a/preload.c b/preload.c
new file mode 100644
index 0000000..cae2233
--- /dev/null
+++ b/preload.c
@@ -0,0 +1,65 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+
+#include <linux/memfd.h>
+
+/* bits to get memfd_create to work */
+#define MFD_SECRET 0x0008U
+#define MFD_SECRET_IOCTL '-'
+#define MFD_SECRET_EXCLUSIVE _IOW(MFD_SECRET_IOCTL, 0x13, unsigned long)
+#define MFD_SECRET_UNCACHED _IOW(MFD_SECRET_IOCTL, 0x14, unsigned long)
+
+/* glibc should have defined this by now, sigh */
+static inline int memfd_create(const char *name, unsigned int flags)
+{
+ return syscall(__NR_memfd_create, name, flags);
+}
+
+
+
+#define PAGE_SIZE 4096
+
+static void *secure_page;
+
+static void check(int cond, const char *str)
+{
+ if (cond) {
+ perror(str);
+ exit(1);
+ }
+}
+
+void __attribute__ ((constructor)) preload_setup(void)
+{
+ int fd = memfd_create("secure", MFD_CLOEXEC|MFD_SECRET);
+ int ret;
+ void *p;
+
+ check(fd < 0, "memfd_create");
+
+ ret = ioctl(fd, MFD_SECRET_EXCLUSIVE);
+ check(ret < 0, "ioctl");
+
+ ret = ftruncate(fd, PAGE_SIZE);
+ check(ret < 0, "ftruncate");
+
+ p = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+ check(p == MAP_FAILED, "mmap");
+
+ secure_page = p;
+}
+
+void *CRYPTO_malloc(size_t size, const char *file, int line)
+{
+ printf("in crypto malloc from %s:%d\n", file, line);
+ if (size < PAGE_SIZE)
+ return secure_page;
+ else
+ return NULL;
+}
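Review bot: CRYPTO_malloc hands back the same secure_page pointer for every request under PAGE_SIZE, so two live OPENSSL_malloc buffers alias each other and the second secret written overwrites the first. The test `size < PAGE_SIZE` also rejects a request of exactly one page. CRYPTO_free is not interposed, so an OPENSSL_free() on one of these pointers would presumably reach libc free() with an address that came from mmap(), not malloc(). A minimal bump allocator plus a matching CRYPTO_free, as sketched below, keeps allocations disjoint. It is not thread-safe and never reuses space, which should be stated in a comment. The locally defined MFD_SECRET flag and ioctl numbers also deserve a comment naming the kernel patch they must match.

```c
static size_t secure_used;	/* bytes already handed out from secure_page */

void *CRYPTO_malloc(size_t size, const char *file, int line)
{
	void *p;

	/* … unchanged: debug printf of file:line … */
	if (size == 0 || size > PAGE_SIZE)
		return NULL;
	/* round up so every returned pointer stays 16-byte aligned */
	size = (size + 15) & ~(size_t)15;
	if (size > PAGE_SIZE - secure_used)
		return NULL;
	p = (char *)secure_page + secure_used;
	secure_used += size;
	return p;
}

void CRYPTO_free(void *ptr, const char *file, int line)
{
	/* secret-page memory did not come from malloc(); never hand it to free() */
	if ((char *)ptr >= (char *)secure_page &&
	    (char *)ptr < (char *)secure_page + PAGE_SIZE)
		return;
	free(ptr);
}
```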