Igris Blog
Emulating Memory Sealing in Linux - A Deep Dive

Emulating Memory Sealing in Linux - A Deep Dive

Igris Igris
November 5, 2024
6 min read
Linux Syscall
Next Post Kernel Diaries - Introduction
Previous Post Understanding KASan
Table of Contents

Introduction

As systems grow more complex and adversaries more sophisticated, protecting sensitive data in memory is an ongoing challenge for security practitioners. While the Linux kernel has introduced various security mechanisms over the years, memory sealing remains a highly desired feature for preventing unauthorized modifications to sensitive data. Although a native mseal syscall hasn’t landed in the Linux kernel yet, we can still achieve similar functionality by leveraging existing Linux syscalls.

In this post, we’ll explore a workaround for memory sealing in Linux using memfd_create and fcntl seals. By following this approach, you can create a protected memory region, apply restrictions, and lock down access to prevent tampering with sensitive information. Let’s dive in!

Understanding Memory Sealing

Memory sealing is a concept used to mark a specific memory region as immutable or restricted in its usage, essentially “locking” the data in place to prevent any unauthorized changes. In security-focused applications, this feature is invaluable for protecting sensitive data, such as cryptographic keys, credentials, and other critical secrets, by ensuring they cannot be modified after being set.

Although Linux doesn’t natively support memory sealing, we can emulate similar behavior by using:

  • memfd_create: A syscall that creates an anonymous memory-backed file.
  • Seals (fcntl): Additional restrictions that can be applied to the memory-backed file, disallowing certain operations.

With memfd_create and seals, we can create a memory region that is writable at first but then apply restrictions that “seal” it, preventing future modifications.

Walkthrough: Emulating mseal with memfd_create and Seals

Let’s put together a proof-of-concept (PoC) program that demonstrates memory sealing in Linux. Our goal is to:

  1. Allocate a memory-backed file that we can seal against writes.
  2. Map the memory to our process’s address space.
  3. Write sensitive data to the memory region.
  4. Seal the memory with F_SEAL_WRITE, preventing future writes.
  5. Attempt a modification after sealing to verify that the restriction is enforced.

This PoC simulates the effect of a hypothetical mseal syscall, providing insight into how memory protection can be achieved on Linux today.

Step-by-Step Guide to the PoC Program

Let’s go through each part of the program and how it works.

Step 1: Creating a Memory-Backed File

First, we use memfd_create to create an anonymous file in memory. By specifying MFD_ALLOW_SEALING, we can apply additional restrictions on this memory-backed file.

#include <sys/mman.h>
#include <unistd.h>
#include <sys/memfd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main() {
    size_t page_size = sysconf(_SC_PAGESIZE);
    int memfd = memfd_create("sealed_memory", MFD_ALLOW_SEALING);
    if (memfd == -1) {
        perror("memfd_create");
        return 1;
    }
 
    // Set the file size to one page for memory mapping
    if (ftruncate(memfd, page_size) == -1) {
        perror("ftruncate");
        close(memfd);
        return 1;
    }

Here, we call memfd_create with MFD_ALLOW_SEALING, enabling us to add seals to this file later. We use ftruncate to size the file to one page, allowing us to map it conveniently.

Step 2: Mapping the Memory Region

Next, we map the memory-backed file to our process’s address space, with both PROT_READ and PROT_WRITE permissions, so we can write data initially.

    void *mem = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_SHARED, memfd, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        close(memfd);
        return 1;
    }
    printf("Memory allocated at %p\n", mem);

With mmap, we map the memory region and confirm the memory location. This is where our sensitive data will reside.

Step 3: Writing Sensitive Data

We initialize this memory region with a string representing sensitive data. This data will soon be protected by the seal.

    strcpy((char*)mem, "Sensitive Data");
    printf("Original memory contents: %s\n", (char*)mem);

At this point, the memory is writable, and our sensitive data is stored within it.

Step 4: Sealing the Memory Region

To seal the memory region, we use fcntl with the F_ADD_SEALS command, applying the F_SEAL_WRITE seal. This prevents any further writes to the memory region.

    if (fcntl(memfd, F_ADD_SEALS, F_SEAL_WRITE) == -1) {
        perror("fcntl - sealing");
        munmap(mem, page_size);
        close(memfd);
        return 1;
    }
    printf("Memory sealed.\n");

Once sealed, any attempt to write to this memory will be blocked.

Step 5: Attempting to Modify Sealed Memory

Now, let’s attempt to overwrite the sealed memory and observe whether the seal prevents the modification.

    printf("Attempting to modify sealed memory...\n");
    strcpy((char*)mem, "Modified Data");
 
    // Verify if the contents have changed
    printf("Memory contents after modification attempt: %s\n", (char*)mem);

If the seal is working, the original “Sensitive Data” string should remain unchanged, as the seal prevents writes to this memory region.

Step 6: Clean-Up

Finally, unmap the memory and close the file descriptor to clean up resources.

    munmap(mem, page_size);
    close(memfd);
    printf("Memory unmapped.\n");
    return 0;
}

Putting It All Together

Here’s the complete PoC program:

#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <sys/memfd.h>
#include <fcntl.h>
 
int main() {
    size_t page_size = sysconf(_SC_PAGESIZE);
    int memfd = memfd_create("sealed_memory", MFD_ALLOW_SEALING);
    if (memfd == -1) {
        perror("memfd_create");
        return 1;
    }
 
    if (ftruncate(memfd, page_size) == -1) {
        perror("ftruncate");
        close(memfd);
        return 1;
    }
 
    void *mem = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_SHARED, memfd, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        close(memfd);
        return 1;
    }
 
    printf("Memory allocated at %p\n", mem);
    strcpy((char*)mem, "Sensitive Data");
    printf("Original memory contents: %s\n", (char*)mem);
 
    if (fcntl(memfd, F_ADD_SEALS, F_SEAL_WRITE) == -1) {
        perror("fcntl - sealing");
        munmap(mem, page_size);
        close(memfd);
        return 1;
    }
    printf("Memory sealed.\n");
 
    printf("Attempting to modify sealed memory...\n");
    strcpy((char*)mem, "Modified Data");
    printf("Memory contents after modification attempt: %s\n", (char*)mem);
 
    munmap(mem, page_size);
    close(memfd);
    printf("Memory unmapped.\n");
 
    return 0;
}

Expected Output

When you compile and run the program, you should see:

Memory allocated at 0x7f8472b1d000
Original memory contents: Sensitive Data
Memory sealed.
Attempting to modify sealed memory...
Memory contents after modification attempt: Sensitive Data
Memory unmapped.

Conclusion

While Linux doesn’t have a dedicated mseal syscall, this PoC demonstrates how you can leverage memfd_create and fcntl seals to achieve similar protection for sensitive data in memory. By using F_SEAL_WRITE, we effectively prevent modifications after the initial write, making this a useful tool for security-focused applications that require memory integrity.

This approach provides a strong foundation for protecting sensitive data on Linux, even in the absence of a built-in memory sealing mechanism.

Next Post Kernel Diaries - Introduction
Previous Post Understanding KASan