Shrouded, secure memory management in Rust

Hi HN! I've been building a project that handles high-value credentials in-process, and I wanted something more robust than just zeroing memory on drop. A comment on a recent Show HN[0] made me realize that awareness of lower-level memory protection techniques might not be as widespread as I thought. The idea here is to pull out all the tools in one crate, with a relatively simple API.

  • mlock/VirtualLock to prevent sensitive memory from being swapped (e.g. the KeePass dump)
  • Core dump exclusion using MADV_DONTDUMP on Linux & Android
  • mprotect to minimize exposure over time
  • Guard pages to mitigate under/overflows

After some battle testing, the goal here is to provide a more secure memory foundation for things like password managers and cryptocurrency wallets. This was a fun project, and I learned a lot - would love any feedback!

[0] - https://news.ycombinator.com/item?id=47073430

  • Android
  • FinTech
  • MacOS
Mar 23, 2026

AI Summary

Shrouded is a Rust crate designed to enhance the security of in-process memory management for sensitive data. It leverages low-level memory protection techniques to prevent swapping, exclude data from core dumps, minimize exposure over time, and mitigate overflows.

Best For

Developers of password managers, Developers of cryptocurrency wallets, Developers handling high-value credentials in-process

Why It Matters

Provides a more robust and secure memory foundation for applications handling sensitive data by implementing advanced memory protection techniques.

Key Features

  • Prevents sensitive memory from being swapped using mlock/VirtualLock.
  • Excludes memory from core dumps on Linux and Android via MADV_DONTDUMP.
  • Minimizes memory exposure over time using mprotect.
  • Mitigates under/overflows with guard pages.
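
The four techniques above, combined on a single page of memory. This is an added example, not code from the Shrouded crate or its API: `SecretPage` and its methods are hypothetical, and the hand-declared constants assume 64-bit Linux.

```rust
// Linux-only sketch; constants are 64-bit Linux values declared by hand (assumption).
use std::{ffi::c_void, ptr, slice};

unsafe extern "C" {
    fn mmap(a: *mut c_void, n: usize, prot: i32, flags: i32, fd: i32, off: i64) -> *mut c_void;
    fn munmap(a: *mut c_void, n: usize) -> i32;
    fn mprotect(a: *mut c_void, n: usize, prot: i32) -> i32;
    fn mlock(a: *const c_void, n: usize) -> i32;
    fn madvise(a: *mut c_void, n: usize, advice: i32) -> i32;
    fn sysconf(name: i32) -> i64;
}
const PROT_NONE: i32 = 0;
const PROT_RW: i32 = 1 | 2; // PROT_READ | PROT_WRITE
const MAP_PRIVATE_ANON: i32 = 0x02 | 0x20; // MAP_PRIVATE | MAP_ANONYMOUS
const MADV_DONTDUMP: i32 = 16;
const SC_PAGESIZE: i32 = 30;

/// Hypothetical type: one data page between two PROT_NONE guard pages.
pub struct SecretPage { base: *mut u8, page: usize, pub locked: bool, pub no_dump: bool }
impl SecretPage {
    pub fn new() -> Option<Self> {
        let page = unsafe { sysconf(SC_PAGESIZE) } as usize;
        // Map three pages with no access; the outer two stay that way as guards.
        let base = unsafe { mmap(ptr::null_mut(), 3 * page, PROT_NONE, MAP_PRIVATE_ANON, -1, 0) };
        if base as isize == -1 { return None; } // MAP_FAILED
        let mut s = Self { base: base as *mut u8, page, locked: false, no_dump: false };
        s.set(PROT_RW); // lock while accessible so the page can be faulted in
        // Either call can be refused (e.g. RLIMIT_MEMLOCK), so record the outcome.
        s.locked = unsafe { mlock(s.data(), page) } == 0;
        s.no_dump = unsafe { madvise(s.data(), page, MADV_DONTDUMP) } == 0;
        s.set(PROT_NONE);
        Some(s)
    }
    fn data(&self) -> *mut c_void { unsafe { self.base.add(self.page) as *mut c_void } }
    fn set(&self, prot: i32) { assert_eq!(unsafe { mprotect(self.data(), self.page, prot) }, 0); }
    /// The secret is readable and writable only while `f` runs.
    pub fn with<R>(&mut self, f: impl FnOnce(&mut [u8]) -> R) -> R {
        self.set(PROT_RW);
        let r = f(unsafe { slice::from_raw_parts_mut(self.data() as *mut u8, self.page) });
        self.set(PROT_NONE);
        r
    }
}

impl Drop for SecretPage {
    fn drop(&mut self) {
        self.set(PROT_RW);
        for i in 0..self.page { unsafe { (self.data() as *mut u8).add(i).write_volatile(0) } }
        unsafe { munmap(self.base as *mut c_void, 3 * self.page) };
    }
}
```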

Use Cases

  • A cryptocurrency wallet developer can use Shrouded to protect private keys in memory, preventing them from being written to disk via swap files or included in system crash dumps, thereby enhancing security against physical access attacks.
  • A password manager application can leverage Shrouded to safeguard user credentials while they are actively being used, ensuring that sensitive data is not exposed through memory inspection or accidental logging.
  • A security-conscious developer building an in-memory database for highly sensitive information can integrate Shrouded to implement granular memory protection, reducing the risk of data leakage through system vulnerabilities.