1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
Source: golang-github-awnumar-memguard
Section: golang
Priority: optional
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Uploaders:
Simon Josefsson <simon@josefsson.org>,
Rules-Requires-Root: no
Build-Depends:
debhelper-compat (= 13),
dh-sequence-golang,
golang-any,
golang-github-awnumar-memcall-dev,
golang-golang-x-crypto-dev,
golang-golang-x-sys-dev,
Testsuite: autopkgtest-pkg-go
Standards-Version: 4.7.2
Vcs-Browser: https://salsa.debian.org/go-team/packages/golang-github-awnumar-memguard
Vcs-Git: https://salsa.debian.org/go-team/packages/golang-github-awnumar-memguard.git
Homepage: https://github.com/awnumar/memguard
XS-Go-Import-Path: github.com/awnumar/memguard
Package: golang-github-awnumar-memguard-dev
Architecture: all
Multi-Arch: foreign
Depends:
golang-github-awnumar-memcall-dev,
golang-golang-x-crypto-dev,
golang-golang-x-sys-dev,
${misc:Depends},
Description: secure enclave for storage of sensitive information (library)
This package attempts to reduce the likelihood of sensitive data being
exposed when in memory. It aims to support all major operating systems
and is written in pure Go.
.
Features
.
* Sensitive data is encrypted and authenticated in memory with
XSalsa20Poly1305. The scheme (https://spacetime.dev/encrypting-secrets-in-
memory) used also defends against cold-boot attacks
(https://spacetime.dev/memory-retention-attacks).
* Memory allocation bypasses the language runtime by using system calls
(https://github.com/awnumar/memcall) to query the kernel for resources
directly. This avoids interference from the garbage-collector.
* Buffers that store plaintext data are fortified with guard pages and
canary values to detect spurious accesses and overflows.
* Effort is taken to prevent sensitive data from touching the disk.
This includes locking memory to prevent swapping and handling core
dumps.
* Kernel-level immutability is implemented so that attempted
modification of protected regions results in an access violation.
* Multiple endpoints provide session purging and safe termination
capabilities as well as signal handling to prevent remnant data being
left behind.
* Side-channel attacks are mitigated against by making sure that the
copying and comparison of data is done in constant-time.
.
This package contains the Go development library.
|
