Jaa


Clearing the pagefile to wipe sensitive data

The other day an old issue came up again: how do we mitigate the threat of sensitive data in page files. Page files are basically an on-disk repository of data that was in memory but not needed right at this moment. The system will page the data to disk, into the pagefile, to allow apps to use more memory than what the system really has.

This obviously can cause a security problem if an app stores sensitive data in memory and that piece of memory gets spooled to disk. If so, a bad guy can read it from there. This threat is not new and affects all operating systems that use virtual memory. However, how big a threat is it really? The last time this came up while I was talking to IT admins, I painted the following scenario:

If you are really worried about bad guys

1. Stealing a laptop that some random employee failed to protect physically while in the “security” line at the airport
2. Pulling the hard disk out of it
3. Mounting it in a different computer
4. Copying a 2GB pagefile off it
5. Opening that page file in a hex editor and scouring through it on the off-chance that some random, poorly written, third party application:
 a. Uses sensitive information
 b. Keeps it in memory for any length of time
 c. Does not properly mark that memory as non-pageable
 d. Does not encrypt it
 e. And the system just happens to page that particular page of memory to disk
6. Finding this password
7. Somehow figuring out that
 a. It’s a password
 b. It’s valid on system foo
 c. For the user bar
8. Managing to get access to the interface for system foo
9. Allowing the bad guy to log on to system foo using that stolen password

Then you most definitely should worry about this. If so, you should set the group policy to "Shutdown: clear virtual memory pagefile". However, unless you also disable hibernation (which also writes memory to disk) and ensure that users always shut their system down, it will not help. That latter part, always shutting the system down, is a bit of an issue. Wiping the page file adds an additional 15 minutes or so to the time it takes to shut down the system once you tell it to wipe the pagefile; all while listening to the flight attendant yelling “sir, I told you 12 minutes ago to shut that thing down, we have passed an altitude where portable electronic devices may no longer be used, you are jeopardizing the safety of everyone on board and we will have you arrested as soon as we manage to land this thing, which, by the way, we cannot do until you shut your computer off!”

Frankly, in most cases, if you are sufficiently worried about potentially sensitive data in page files you probably should rethink mobile computing alltogether. Maybe having people carrying around laptops with sensitive data on them really is not for you at this point?

It really boils down to risk management. For most of us, the risk probably does not outweigh the disadvantages of turning this setting on. Of course, there are other options. One is to not use a page file. You can turn it off entirely in Windows XP. On a system with a lot of memory this seems to not cause a lot of problems. I have not had one on my laptop for quite some time since I have 2GB of RAM, but  little spare room on the hard drive for the page file. This is not really a recommended configuration, but it works fine in some cases.

A better option is coming with Windows Vista. If you get a system with a TPM 1.2 chip you can enable the Bitlocker feature which encrypts the whole hard drive. At this point everything on the drive is encrypted, including any potential clear text passwords in the page file. This is going to be very handy and obviously deals with a whole slew of other situations as well.

Comments