Is it possible to read the contents of the swap file/partition?

Lucap
Level 6
Posts: 1038
Joined: Tue May 24, 2016 1:40 am

Is it possible to read the contents of the swap file/partition?

Post by Lucap »

With the current meltdown of all these security issues of being able to read the data traffic between the RAM and CPU, is it not possible that something similar could be done to read the data content of the swap file?

If that made any sense? :D
deepakdeshp
Level 20
Posts: 12341
Joined: Sun Aug 09, 2015 10:00 am

Re: Is it possible to read the contents of the swap file/partition?

Post by deepakdeshp »

AFAIK I don't think swap will give any readable data.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Is it possible to read the contents of the swap file/partition?

Post by xenopeek »

If you can't trust the people that have unsupervised access to your computer while it is powered off, you should already be using full disk encryption. That will also encrypt swap. It's much easier to just access the files on your disk than to try and get meaningful information from swap.

If you're talking about while you're logged in to the system, you're already logged in to the system. Any malware you run will run as you, so it already has access to your files and processes. Swap is just a big pool of dumped memory pages, of which only the kernel knows which are used and what process they belong to.
Faust

Re: Is it possible to read the contents of the swap file/partition?

Post by Faust »

Lucap wrote: .... read the data content of the swap file?
If that made any sense? :D

Oh yeah!
It makes perfect sense, especially if you can read a hexdump.

I'm not joking here, and long ago I worked on a joint C++ project with someone who could.
He came to ask if I would "pad" some of the output of my code, and he knew exactly where he needed it done,
but he had never seen any of my source code!

I was mighty impressed.

For me, the more troubling aspect of this CPU mess is the potential to break the previously assumed "isolation" of VMs.
And I'm thinking in particular about the Xen hypervisor (and also the Qubes OS project).
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Is it possible to read the contents of the swap file/partition?

Post by xenopeek »

Faust wrote: For me, the more troubling aspect of this CPU mess is the potential to break the previously assumed "isolation" of VMs.
And I'm thinking in particular about the Xen hypervisor (and also the Qubes OS project).
You'd have to run malware on the guest OS that specifically targets these bugs. For most people the only untrusted code they run is in their web browsers: JavaScript or Flash on websites. You should have disabled Flash years ago if you are concerned about security. Major web browsers have already, or will have soon, implemented mitigation that will make it so JavaScript can't use these bugs for attacks.
Hoser Rob
Level 20
Posts: 11796
Joined: Sat Dec 15, 2012 8:57 am

Re: Is it possible to read the contents of the swap file/partition?

Post by Hoser Rob »

Faust wrote:
Lucap wrote: .... read the data content of the swap file?
If that made any sense? :D

Oh yeah!
It makes perfect sense, especially if you can read a hexdump.

I'm not joking here, and long ago I worked on a joint C++ project with someone who could.
He came to ask if I would "pad" some of the output of my code, and he knew exactly where he needed it done,
but he had never seen any of my source code!

I was mighty impressed ....
I'd be too, you see people like that sometimes. There used to be a guy around here who could read APL like that at a glance.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
Lucap
Level 6
Posts: 1038
Joined: Tue May 24, 2016 1:40 am

Re: Is it possible to read the contents of the swap file/partition?

Post by Lucap »

Either online or offline, I was wondering if the swap file was a potential source for grabbing banking details or login passwords that has yet to be exploited, if the same technique was applied to reading the unencrypted traffic between the CPU and swap file rather than the current CPU and RAM exploit.
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Is it possible to read the contents of the swap file/partition?

Post by xenopeek »

Going back to the exact same answers:

- A powered off system is not secure unless you're using disk encryption. Disk encryption also encrypts swap. Without disk encryption anybody with physical access to your computer has root and can already access all the files on it. Thus no need to go dig through swap.

- Running malware on a powered on system runs it as you. The malware can access all information you can access (so if you can access your bank details, so can the malware). The malware is also not going to dig through swap because it already has full access to your information.
Faust

Re: Is it possible to read the contents of the swap file/partition?

Post by Faust »

xenopeek wrote: You'd have to run malware on the guest OS that specifically targets these bugs. For most people the only untrusted code they run is in their web browsers: JavaScript or Flash on websites. You should have disabled Flash years ago if you are concerned about security. Major web browsers have already, or will have soon, implemented mitigation that will make it so JavaScript can't use these bugs for attacks.

Yes, of course!
You are correct on those points.

And malicious code via the web browser is obviously a major threat vector (but it's far from being the only one).

And yes, I take security very seriously (it helps pay the bills and puts food on the table).
Thankfully, the Xen Project and others are taking this issue as seriously as I do.

@Lucap raised a highly valid point, and I'm keen to hear from any members who can share their experience.

BTW, the tips on JavaScript and Flash made me chuckle .... thanks!
... I can almost remember when I first looked into cross-site scripting exploits .... :D
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Is it possible to read the contents of the swap file/partition?

Post by thx-1138 »

...the point here is exactly as xenopeek described:

xenopeek wrote: The malware is also not going to dig through swap because it already has full access to your information.

The swap file does contain data that could possibly be useful for an attacker to extract various info about you. Reconstructing / retrieving it in a meaningful manner, however, might or might not be possible. E.g. google for 'forensics pagefile' and the like.

Lucap wrote: Either online or offline, I was wondering if the swap file was a potential source for grabbing banking details or login passwords that has yet to be exploited, if the same technique was applied to reading the unencrypted traffic between the CPU and swap file rather than the current CPU and RAM exploit.

Offline. E.g. say in case your laptop was stolen. Online, they 'just' have to read / write to the appropriate memory addresses. However, even in such a case (stolen laptop), chances are it would probably be easier to just scrub the hard disk for older write operations than to try to reconstruct actually meaningful data from the swapfile (however, do see xenopeek's note above for swap encryption). Put simply, it's only of secondary concern: if an attacker somehow got physical access to the machine itself (with encryption or not / with swapfile or not), you change every password you remember ever having used on that computer...
Lucap
Level 6
Posts: 1038
Joined: Tue May 24, 2016 1:40 am

Re: Is it possible to read the contents of the swap file/partition?

Post by Lucap »

With the amount of time, money and effort that has been spent on side channel exploits over the last few years, including government laboratories with air gapping, then why hasn't the same amount of effort been spent on exploiting the swap space, considering it survives reboots?

Faust seems to be the only person that understands what I'm trying to get at.
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Is it possible to read the contents of the swap file/partition?

Post by thx-1138 »

Lucap, that I couldn't possibly answer... ('cause then I'd have to silence you... ssshhhhh...) :D :wink:

Ok, on a more serious note now. Maybe I don't understand your question exactly in the first place.
However, I think there is a certain 'confusion' here in regards to what memory is / how it gets exploited, and what pagefile / swap is. Swap is NOT memory. It's hard disk allocated to behave like 'slower memory' from an end user's view, but at the end of the day it's absolutely nothing more than a file. Pure good ole hard disk, nothing more or less (hence the reason it can be persistent & survive reboots, in contrast to memory, which is volatile).

In a certain sense... certainly not technically accurate, let's just call it poetic licence... you can think of the pagefile as a memory dump 'trash can'. You open a 10mb text in Xed, which in turn needs 30mb to run. It might be that 3 mb of the mapped text ends up in the pagefile, and 12 of Xed's mapped libraries. Then another process does the same, quite likely partially overwriting those contents, and so on and so on. The end result contains for the most part info related to how the processes and data were mapped into memory. What can someone learn about you & your habits by carefully examining the trash that you put out every night? Quite a bit (however, chances are you won't have thrown away 'as is' your bank account's details that you had written on a sticky card.) Still, you never know what you might pick up (and hence the reason that you often see more concerned people recommending turning off the swap, having it cleared upon shutdown etc etc)...

If I were to continue the... poetic licence comparison, a memory exploit is more like, say, you ordered pizza, the attacker intercepted the call, and showed up at your 'address' / door as the pizza boy. The sequence of events as the process gets 'executed' is subverted. You expect x to happen, but instead y is what takes place. Sometimes you are instantly aware of it (the attacker pulls a gun in your face straight away as you open the door), sometimes not (the pizza is instead... poisoned, and you understand what happened only afterwards when you wake up).

There is no need to spend 'the same amount of effort been spent on exploiting the swap space considering it survives reboots' for swap, simply because it's 'just' a file containing dumped memory plus data. Any average programmer can open it in a debugger / disassembler and start analyzing it, and I assume any average user could also do it with a more dedicated / 'specialized' forensics application. Other than that, it's as remotely exploitable as pretty much any other file on your hard disk: if someone has already hacked your machine, assuming he/she didn't find what he/she was after, yes, he/she could possibly transfer your... whole swap file to his/her server to further analyze it in case some password can be scrubbed out of it... an extremely unlikely scenario for numerous reasons (there are other ways that he/she could then trick you into revealing your passwords, and way more guaranteed to work... e.g. a backdoored terminal / gksudo etc etc)...

Hopefully I managed to explain the above in simple terms...
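A way to check the point xenopeek makes above (disk encryption also covers swap) and thx-1138's note about concerned people turning swap off or clearing it: an added example, not code from any poster in this thread, that walks /proc/swaps and reports whether each active swap area is a dm-crypt mapping, directly or (for an LVM swap volume on top of a LUKS container) through its slaves in /sys. It assumes the standard Linux sysfs layout; the SWAPS and SYS parameters are mine, so the functions can be exercised against a constructed tree.

```shell
#!/bin/sh
# Audit active Linux swap areas and report which are backed by dm-crypt.
# Parameters default to the real /proc/swaps and /sys; they exist so the
# functions can be run against a constructed tree (assumed layout: sysfs).

# Return 0 if device-mapper node dm-N, or any dm node beneath it (e.g. an LVM
# swap LV on a LUKS container), carries a dm-crypt UUID ("CRYPT-...").
dm_is_encrypted() {
    dm="$1" sys="$2"
    u="$sys/block/$dm/dm/uuid"
    [ -r "$u" ] || return 1
    case "$(cat "$u")" in CRYPT-*) return 0 ;; esac
    for s in "$sys/block/$dm/slaves"/*; do
        [ -e "$s" ] || continue
        case "${s##*/}" in dm-*) dm_is_encrypted "${s##*/}" "$sys" && return 0 ;; esac
    done
    return 1
}

# Map one /proc/swaps entry to ENCRYPTED, PLAIN, FILE or UNKNOWN.
# A swap file is only as protected as the filesystem holding it; a raw
# partition (/dev/sdaN) is PLAIN because pages are written to it as-is.
classify_swap() {
    dev="$1" sys="${2:-/sys}"
    case "$dev" in
        /dev/mapper/*)
            name="${dev#/dev/mapper/}"
            for d in "$sys"/block/dm-*; do
                [ -r "$d/dm/name" ] || continue
                [ "$(cat "$d/dm/name")" = "$name" ] || continue
                if dm_is_encrypted "${d##*/}" "$sys"; then echo ENCRYPTED; else echo PLAIN; fi
                return 0
            done
            echo UNKNOWN ;;
        /dev/dm-*)
            if dm_is_encrypted "${dev#/dev/}" "$sys"; then echo ENCRYPTED; else echo PLAIN; fi ;;
        /dev/*) echo PLAIN ;;
        *) echo FILE ;;
    esac
}

# Print one "<swap area> <type> <status>" line per active swap area.
audit_swaps() {
    swaps="${1:-/proc/swaps}" sys="${2:-/sys}"
    tail -n +2 "$swaps" | while read -r file type _size _used _prio; do
        [ -n "$file" ] || continue
        printf '%s\t%s\t%s\n' "$file" "$type" "$(classify_swap "$file" "$sys")"
    done
}

[ -r /proc/swaps ] && audit_swaps   # report on the live system
```

Any line reading PLAIN (or FILE on an unencrypted filesystem) is a swap area that a powered-off disk reader can examine directly.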
Lucap
Level 6
Posts: 1038
Joined: Tue May 24, 2016 1:40 am

Re: Is it possible to read the contents of the swap file/partition?

Post by Lucap »

http://blog.sevagas.com/?Digging-passwo ... Linux-swap

https://github.com/sevagas/swap_digger
swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web forms credentials, web forms emails, http basic authentication, Wifi SSID and keys, etc.
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Is it possible to read the contents of the swap file/partition?

Post by xenopeek »

And? If you can run that tool the attacker already either has access to your live system, meaning they can access everything you can, or it is from your powered off system in which case you should have been using disk encryption anyway.
Lucap
Level 6
Posts: 1038
Joined: Tue May 24, 2016 1:40 am

Re: Is it possible to read the contents of the swap file/partition?

Post by Lucap »

xenopeek wrote: And?

I finally got a definitive answer that yes, the swap file can be read, but not a reason why it's ignored as a side channel attack?

Even Nvidia has just patched against side channel traffic, so what difference does it make if a CPU is exploited to read its kernel traffic to RAM or hard disk?
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Is it possible to read the contents of the swap file/partition?

Post by xenopeek »

What difference does it make if swap is exploited if you can already read the files from disk?
Lucap
Level 6
Posts: 1038
Joined: Tue May 24, 2016 1:40 am

Re: Is it possible to read the contents of the swap file/partition?

Post by Lucap »

HUH! <headscratch>

Then why bother fixing any current side channel exploits, as it doesn't just magically appear on disk when its source is the original kernel paging that is just redirected to disk rather than RAM?