Secmalloc - a secure memory library

by David Shaw


secmalloc-0.5.tar.gz.sig (signed by my key 0x99242560)

What is secure memory?

Most modern systems have some notion of swap, where the contents of memory can be written to disk, freeing up the memory for other purposes. This allows the system a lot of flexibility in managing its memory. Infrequently used data is a prime candidate for swapping to disk, thus freeing up the real memory for more useful purposes. This can be a problem when using cryptography as there is a danger of keys or other sensitive data ending up in swap where (eventually) it may fall into the wrong hands. Secmalloc provides a secure version of the common 'malloc' interface for managing memory. All memory allocated by secmalloc is locked, so that it cannot be swapped out.

Basic instructions

To use the library, create a structure of type struct secmalloc_config, fill it in, and pass it to secmalloc_init(). After that, you can call:
 void *secmalloc(size_t size);               /* use like malloc()  */
 void *seccalloc(size_t nmemb,size_t size);  /* use like calloc()  */
 void secfree(void *ptr);                    /* use like free()    */
 void *secrealloc(void *ptr, size_t size);   /* use like realloc() */
Do not pass a malloc()-ed pointer to secfree(), and similarly do not pass a secmalloc()-ed pointer to free().

More detailed documentation for the different fields of struct secmalloc_config are in the secmalloc.h header file, and there are several working code examples in the tests/ directory.

Locking by non-root users

On some platforms, only the root user can lock memory, but programmers obviously don't always want their programs to run as root. Secmalloc is designed to be able to handle this via the "initial_pools" option to secmalloc_init(). Secmalloc will allocate that number of locked memory pools immediately instead of allocating them as memory is requested. After secmalloc_init() returns, give up the setuid privileges. For example:
  setuid(xxxxx);  <---- give up setuid root.


Probably the easiest way to link to secmalloc is via pkg-config. From the command line:
  gcc program.c `pkg-config --cflags --libs secmalloc`
Or via autoconf:
This defines @SECMALLOC_CFLAGS@ and @SECMALLOC_LIBS@ appropriate for use in your Makefiles. You can also base whatever logic you desire on $HAVE_SECMALLOC.


Tested (in that it builds and passes all self tests) on: This library was originally a good bit more complex in that it would try multiple ways to mmap() and round malloc()ed blocks of memory to fall on page boundaries. In testing, it became clear that this was not really necessary in practice, as I was not able to find a platform that the current allocation and locking methods did not work. I'm releasing this library without the extra complexity as a bit of an experiment. If you find a platform that does not work (i.e. 'make check' fails), do let me know, and I'll do my best to make it work there as well.

Universal Binaries on Apple OS X

You can build a universal ("fat") library that will work on both PPC and Intel Macs with:
./configure CFLAGS="-arch ppc -arch i386" --disable-dependency-tracking
Note that if you are doing the build on a OS X 10.4 (Tiger) PPC machine you may need to add the following to those CFLAGS:
  "-isysroot /Developer/SDKs/MacOSX10.4u.sdk"
The additional isysroot is not necessary on Intel Tiger boxes, or any Leopard boxes.


Secmalloc ships with a RPM spec file. You can build the RPMs with the usual "rpmbuild -ta /path/to/the/secmalloc/tarball.tar.gz".