Is it worth porting the Tails magic to Whonix / Kicksecure?
My post is presupposing that one has read this page beforehand:
https://tails.boum.org/contribute/design/memory_erasure/
Tails has a test for this:
https://0xacab.org/tails/tails/-/blob/master/features/erase_memory.feature
^ that is a test definition file but pretty cool and human readable.
The test concludes with:
Then I find very few patterns in the guest’s memory
Which means the definition (the actual not so easily readable implementation of that human readable summary in source code) has some acceptance for leftover memory traces. Here it is:
https://0xacab.org/tails/tails/-/blob/master/features/step_definitions/erase_memory.rb
Relevant part:
max_coverage = 0.008
I.e. less than 0.008% of the pattern which the test wrote can be found.
Is this 0.008% important or anything else not covered by the RAM wipe?
See also this for leftovers in RAM that cannot be wiped by Tails implementation:
https://web.archive.org/web/20180628102336/https://mailman.boum.org/pipermail/tails-dev/2017-January/011134.html
Some things, importantly full disk encryption (FDE), are handled by the kernel. Probably user space couldn’t wipe the kernel memory holding the FDE key (unless there is a kernel API for that, which would be related but separate).
On that view, wiping RAM might make sense for a live system such as Tails or Whonix / Kicksecure Host Live Mode (specifically when not using encrypted persistence) but would it also make sense for an FDE Whonix-Host or FDE Kicksecure-Host?
Without actual memory forensics we would not really know how severe any RAM wipe leftovers would be. If it includes the FDE key, then wiping the rest was worth little.
Even if a RAM wipe by the Linux kernel without firmware support would not be complete, it could still be perfect and it could certainly be better than anything doable in user space such as the Tails implementation. The kernel certainly has the power to wipe any program from RAM, since these are below the kernel in the hierarchy. And the kernel would not have to wipe things where the kernel knows that wiping these memory parts is not important because these are public anyhow, not private/secrets, or recoverable from the hard drive (assuming unencrypted /boot).
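To make the acceptance check behind "very few patterns in the guest's memory" concrete, here is an added toy model of it (example code, not the Tails or Whonix test suite). It fills a constructed "RAM image" with a marker pattern, performs a user-space style wipe that cannot reach a reserved tail of memory (standing in for kernel-held data such as an FDE key), and then measures what fraction of the pattern survives against a max_coverage threshold. The number 0.008 is the one from the Tails step definition; treating it as a fraction of scanned bytes rather than a percentage is an assumption to verify against the linked erase_memory.rb. The pattern, buffer size and reserved sizes are constructed.

```ruby
# Added example (not from Tails or Whonix): a toy model of the
# "very few patterns in memory" acceptance check from Tails'
# erase_memory feature. It fills a buffer with a recognisable pattern,
# wipes only the part a user-space process could reach, then measures
# what fraction of the pattern survives and compares it with a
# max_coverage threshold. All sizes and names here are constructed.

PATTERN = "wipe-me!".b   # 8-byte marker written to memory (constructed)
MAX_COVERAGE = 0.008     # same number as the Tails step definition; treated
                         # here as a fraction of scanned bytes (assumption)

# Build a "RAM image" consisting of the pattern repeated end to end.
def fill_with_pattern(size)
  (PATTERN * (size / PATTERN.bytesize + 1)).byteslice(0, size)
end

# User-space style wipe: overwrite everything except the last +reserved+
# bytes, which model memory user space cannot touch (e.g. kernel-held data).
def userspace_wipe(mem, reserved)
  wiped = mem.dup
  reachable = mem.bytesize - reserved
  wiped[0, reachable] = "\0".b * reachable
  wiped
end

# Fraction of bytes still covered by intact copies of the pattern,
# i.e. the "coverage" the acceptance test compares against max_coverage.
def pattern_coverage(mem)
  count = 0
  offset = 0
  while (idx = mem.index(PATTERN, offset))
    count += 1
    offset = idx + PATTERN.bytesize
  end
  (count * PATTERN.bytesize).to_f / mem.bytesize
end

# The test passes only if the surviving pattern stays below the threshold.
def wipe_accepted?(mem)
  pattern_coverage(mem) < MAX_COVERAGE
end

if __FILE__ == $0
  mem = fill_with_pattern(1_000_000)
  [0, 4_000, 16_000].each do |reserved|
    after = userspace_wipe(mem, reserved)
    printf("reserved=%6d bytes  coverage=%.4f  accepted=%s\n",
           reserved, pattern_coverage(after), wipe_accepted?(after))
  end
end
```

The point the model makes is the one raised above: a small unreachable region (4,000 of 1,000,000 bytes) still passes the threshold, so a passing test says nothing about whether the bytes that survived are unimportant or are exactly the secret one cares about; only knowing what lives in the unwiped region answers that.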