Wipe out ring data and stream cache when terminal closes
We now store the scrollback data encrypted. Moreover, in VTE's destructor the stream's encryption key is explicit_bzero()
'd out. So I believe there's no way to reconstruct the contents even if the attacker can suddenly take a snapshot of the entire disk and system memory, and even if gnome-terminal-server still lives on with other terminals open.
We're not this careful elsewhere, though. And while it's impossible to come up with a solution that's provable to be unbreakable, I think we could improve the situation and make it harder for an attacker to reconstruct what happened in a closed terminal. In particular:
-
The stream read/write caches aren't explicitly zeroed out, they could easily be. (Wait a sec... if an attacker locates an unencrypted cached block in memory and its corresponding encrypted block on disk, does it allow them to reconstruct the encryption key and thus decrypt more blocks? I don't know.)
-
The ring isn't zeroed out. It looks easy, but in addition to actually zeroing out, care has to be taken so that whenever it grows (either the entire ring (number of lines), or the length of an individual row within), realloc (if necessary) happens in a way that the old location is zeroed out. Which might mean we can no longer use some convenient glib methods. IIRC we realloc manually anyways for the entire ring, so probably only rowdata is affected, and would be a bit more inconvenient to handle.
-
Input queue / iconv / parser – does it have some larger per-terminal buffer?
-
Cairo canvas – do we have a per-terminal canvas where we paint?
-
Anything else along these lines?
We can't guarantee that no one would ever be able to reconstruct pieces of data from remains on the stack and elsewhere, that would require to build up everything from scratch with this requirement in mind. But I believe that some of these low hanging fruits can significantly improve the situation and make it harder to reconstruct for example a used-to-be-visible password.
(Does this make sense? Or if not then what's the point in bzeroing out the encryption key? :))