Rationale

Memory erasure on shutdown is currently buggy. The sdmem and Linux memtest implementations are failing. But a program exists that is actually dedicated to memory testing, and that thus has access to most (if not all) available memory: memtest86+. This is research into using a modified memtest86+ to erase memory.

Adapting memtest

We started from memtest86+ version 4.20 available at http://www.memtest.org/download/4.20/memtest86+-4.20.tar.gz.

Executing a single test

We patched memtest86+ to execute a single test, and then reboot. We chose test #1 "Address test, own address", but a quicker one could probably be chosen.

The corresponding patchset:

0001-Do-only-one-test-and-hopefully-reboot.patch

Nice display

We patched memtest86+ to only display "Memory wipe, please wait..." with a progress bar, and then report success.

The corresponding patchset:

A screenshot:

Unfortunately, this is useless: when kexec launches memtest from Tails, the video mode is not native and nothing is displayed.

Left to do

  • Actually halt the machine
  • Choose or write a quicker test
  • Disable keyboard shortcuts

Integrating into Tails

We patched Tails experimental to kexec into our modified memtest86+ instead of into Linux on shutdown. The memtest binary built on Tails from upstream with our patches applied is correctly recognised by kexec. Note that we did not manage to kexec into a memtest built on another OS.

The corresponding patchset:

Testing procedure

We launched the system under test with qemu or VirtualBox. We dumped the RAM just before shutdown, then again after the machine halted.

With qemu, one should start the system to test with -no-shutdown, e.g.:

qemu -enable-kvm -snapshot -m 2048 -no-shutdown -cdrom tails-i386-experimental-0.12.1-20120816.iso

We launched 4 fillram processes in parallel, watching them with top and waiting for them to be killed by the OOM killer. At least one terminated with MemoryError. Fillram fills the RAM with the pattern wipe_didnt_work\n.

Then we dumped the RAM with the following command in the qemu console (CTRL+ALT+2). Note that the end address must be adapted to the amount of RAM available in the VM:

pmemsave 0 0x80000000 before.dump

Then shut down Tails by pressing the red button, and once the machine has halted, dump the RAM again:

pmemsave 0 0x80000000 after.dump

Then we count the occurrences of the pattern in each memory dump:

grep -c wipe_didnt_work before.dump
grep -c wipe_didnt_work after.dump

Testing results

Machine              RAM         Patterns                   %patterns                  %wipe
                                 before wipe   after wipe   before wipe   after wipe
Tails sdmem+kexec    2147483648  1772984624    17168336     82,561%       0,799%       99,032%
Tails memwipe+kexec  2147483648  1755221472    240          81,734%       <0,001%      >0,999%
Tails sdmem+kexec    8589934592  3243648688    1128607952   37,761%       13,139%      65,206%
Tails memwipe+kexec  8589934592  3372274816    240          39,258%       <0,001%      >0,999%

Units: bytes

Resolution: 16 bytes accuracy

Memwipe erases memory better than the current Tails implementation. There is a remaining area of 240 bytes that does not get erased.
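The counting step of the testing procedure and the percentage columns of the table can be reproduced with the script below, an added example that is not part of the original page or of Tails. It assumes the "Patterns" columns are the occurrence count multiplied by the 16-byte pattern length (our reading of "Units: bytes" and the 16-byte resolution); the function names and the in-memory sample dumps are constructed for illustration.

```python
import io

# 16-byte marker written by fillram, as given on the page.
PATTERN = b"wipe_didnt_work\n"


def count_pattern(stream, pattern=PATTERN, chunk_size=1 << 20):
    """Count occurrences of pattern in a binary stream without loading it whole."""
    count, tail = 0, b""
    keep = len(pattern) - 1
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return count
        buf = tail + chunk
        count += buf.count(pattern)
        # Carry the last len(pattern)-1 bytes: too short to hold a full match
        # (so nothing is counted twice), long enough to complete a match that
        # is split across two chunks.
        tail = buf[-keep:] if keep else b""


def wipe_stats(ram_bytes, count_before, count_after, pattern=PATTERN):
    """Return the table's columns (assumed: pattern bytes = count * 16)."""
    before = count_before * len(pattern)
    after = count_after * len(pattern)
    return {
        "bytes_before": before,
        "bytes_after": after,
        "pct_before": 100.0 * before / ram_bytes,
        "pct_after": 100.0 * after / ram_bytes,
        # Share of the marked bytes that the wipe removed.
        "pct_wiped": 100.0 * (1 - after / before) if before else 0.0,
    }


if __name__ == "__main__":
    # Constructed stand-ins for before.dump / after.dump (not real dumps).
    before = b"\x00" * 7 + PATTERN * 5 + b"\xff" * 3 + PATTERN * 2
    after = b"\x00" * 100 + PATTERN + b"\x00" * 3
    n_before = count_pattern(io.BytesIO(before), chunk_size=10)
    n_after = count_pattern(io.BytesIO(after), chunk_size=10)
    print(n_before, n_after, wipe_stats(len(before), n_before, n_after))
```

For real dumps, pass `open("before.dump", "rb")` and `open("after.dump", "rb")` to `count_pattern` and give `wipe_stats` the VM's RAM size in bytes.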

Conclusion

Of the memory wipe approaches we know about, this one is the most efficient we have experimented with.

Pros:

  • We have something that works better than any other method we know about.

Cons:

  • There is still a small amount of memory not wiped.
  • We have to maintain a patchset. However, there is only one memtest86+ release per year since 2009.
  • There is no output on screen, and it may be difficult to fix.