10

I'm currently using thunderbird with gnupg to read encrypted emails. If I understand the swapping behavior correctly, the memory pages containing the decrypted emails might be swapped out and leave traces on the hard disk which may in theory later be recovered forensically.

While it is certainly possible to just use an encrypted swapfile or disable swapping globally for the duration of using sensitive files, it impacts performance, might be forgotten and requires root privileges.

Is it possible to mark certain files or programs as not to be swapped? Even without root access? Could one write an application which can be distributed to technically naive users and whose memory contents are never swapped to disk?

user54114

4 Answers

9

In the comments, I suggested you create a cgroup, set memory.swappiness to zero (to minimize swapping) and run your application inside of that. If you did that, your application probably wouldn't swap unless you were running so incredibly low on physical memory that swapping pages for programs in that cgroup was the only way to make enough physical memory available.

To do this on RHEL 6.5:

  • Ensure the libcgroup package is installed. This gives you access to userspace tools like cgcreate and cgexec.

  • Start and enable the cgconfig service so that changes to cgroup configuration are persistent between reboots. On RHEL this service should also mount the required filesystems underneath the /cgroup tree.

  • Create the cgroup with cgcreate -g memory:thunderbird

  • Set swappiness to zero in this group with cgset -r memory.swappiness=0 thunderbird

  • Use cgsnapshot -s > /etc/cgconfig.conf to save an updated persistent configuration for the cgconfig service (all changes up until now have been runtime changes). You'll probably want to save the default config file somewhere and give it a once-over before making it the persistent configuration.

  • You can now use cgexec to start desired applications within the thunderbird cgroup:

    [root@xxx601 ~]# cgexec -g memory:thunderbird ls
    anaconda-ks.cfg a.out foreman.log index.html install.log install.log.syslog node.pp sleep sleep.c ssl-build stack test
    [root@xxx601 ~]#

I don't have thunderbird actually installed, otherwise I would have done that. Not sure why the formatting of the above is messed up.

  • One alternative to cgexec would be to start thunderbird and add the PID to the tasks file for the application. For example:

    [root@xxx601 ~]# cat /cgroup/memory/thunderbird/tasks
    [root@xxx601 ~]# pidof httpd
    25926 10227 10226 10225 10163 10162 10161 10160 10159 10157 10156 10155 10152 10109
    [root@xxx601 ~]# echo 25926 > /cgroup/memory/thunderbird/tasks
    [root@xxx601 ~]# cat /cgroup/memory/thunderbird/tasks
    25926

Again, it bears mentioning that this doesn't technically prevent swapping, but short of modifying the application itself, it's probably your best bet. I've just now found memory.memsw.limit_in_bytes which seems like it might be a more direct control on forcing there to be no swapping, but I haven't played around with it enough to really feel comfortable saying that it fixes your problem completely. That said, it might be something to look into after this.


The real answer would be to have the application mlock sensitive information to get around this sort of concern. I'm willing to bet an application like Thunderbird, though, does do that but I don't know enough about the internals to comment on that.

Bratchley
  • To handle all of the other fs's that @Gilles mentions you'd want a chroot in an unshared --mount namespace, as well, I think. Do that and I'm willing to bet the end performance effect would be better than an encrypted swap. – mikeserv Feb 14 '15 at 18:43
  • Yeah no doubt that an admin can only do so much, ultimately the application needs to take these sorts of things into consideration since there are so many and admin-level controls can get pretty elaborate. – Bratchley Feb 14 '15 at 18:47
  • Could a coredump still be inspected to reveal what goes on for an arbitrary process even if the memory.swappiness=0 do you think? I wouldn't know - but I'm curious. – mikeserv Feb 14 '15 at 18:53
  • Yes but that's true of almost anything, including applications with mlock but don't MADV_DONTDUMP. Most of the time, though, people that are worried about swapping sensitive information are worried about laptops being stolen and the swap area being combed over. At the point they're initiating core dumps the system has already been completely compromised. – Bratchley Feb 14 '15 at 19:00
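The cgroup steps from this answer collected into a small POSIX sh library, as an added example and not code from the thread. It assumes the RHEL 6 style /cgroup/memory mount and the libcgroup tools (cgcreate, cgset, cgexec) the answer names; CGROUP_ROOT and GROUP are assumed variable names and can be overridden for distributions that mount the memory controller elsewhere. The verify and attach functions are the parts worth keeping: one confirms memory.swappiness really reads 0 before anything is launched, the other enrols an already-running PID the way the tasks-file step above does.

```shell
#!/bin/sh
# Added example: cgroup v1 "no swap" group for one application.
# CGROUP_ROOT and GROUP are assumptions; adjust for your mount point.
CGROUP_ROOT="${CGROUP_ROOT:-/cgroup/memory}"
GROUP="${GROUP:-thunderbird}"

# Create the group and set memory.swappiness=0 (root + libcgroup required).
noswap_cgroup_create() {
    cgcreate -g "memory:$GROUP" || return 1
    cgset -r memory.swappiness=0 "$GROUP" || return 1
}

# Read the setting back; succeed only if the kernel reports 0.
noswap_cgroup_verify() {
    f="$CGROUP_ROOT/$GROUP/memory.swappiness"
    [ -r "$f" ] || { echo "no such cgroup: $f" >&2; return 1; }
    [ "$(cat "$f")" = "0" ]
}

# Attach an already-running process: each PID written to tasks joins the group.
noswap_cgroup_attach() {
    pid="$1"
    case "$pid" in
        ''|*[!0-9]*) echo "bad pid: '$pid'" >&2; return 1 ;;
    esac
    echo "$pid" >> "$CGROUP_ROOT/$GROUP/tasks"
}

# Is the PID listed as a member of the group?
noswap_cgroup_has_pid() {
    grep -qx "$1" "$CGROUP_ROOT/$GROUP/tasks" 2>/dev/null
}

# Launch a command inside the group.  Prefer cgexec; without libcgroup,
# move this shell into the group and exec the program, which keeps the PID
# and therefore the membership.
noswap_cgroup_run() {
    noswap_cgroup_verify || return 1
    if command -v cgexec >/dev/null 2>&1; then
        cgexec -g "memory:$GROUP" "$@"
    else
        noswap_cgroup_attach "$$" && exec "$@"
    fi
}

# Usage (as root, once the cgconfig service has mounted /cgroup):
#   . ./noswap-cgroup.sh
#   noswap_cgroup_create && noswap_cgroup_run thunderbird
```

Sourcing the file defines the functions without running anything; noswap_cgroup_run refuses to start the program if the swappiness check fails, so a typo in the group name or an unmounted controller is caught before the mail client is already reading decrypted messages outside the group.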
5

Applications can lock their memory so it cannot be swapped.

mlock, munlock, mlockall, munlockall - lock and unlock memory

I don't know of a way to influence this from the outside, though. The application would have to be written to use this by itself. With mails it's probably particularly difficult since it usually also involves external programs for viewing attachments and such.

Also, even with memlock there is a chance of it ending up on your swap partition - when you use suspend to disk which writes all memory to disk, regardless of any non-swap preferences.

It's easier to just go full disk encryption in the first place.

frostschutz
5

Yes, an application can prevent some of its memory from being swapped out, with the mlock system call. However, this is not really useful in your case.

Confidential data isn't just in application memory. It ends up in temporary files in various places (/tmp, /var/spool, etc.). Thunderbird itself is displaying the decrypted email, so you'd have to lock it to RAM too.

If you want to ensure that your disk won't contain traces of confidential files, you need to encrypt your swap as well as all the potential locations of temporary files (in particular, /tmp if it isn't tmpfs, and most of /var, in addition to your home directory of course).

The impact of encrypted swap on performance is small to nil. Encryption is a lot faster than disk I/O.

  • Seems a chroot and a namespace container with swapoff would be a better alternative to encrypted swap. Very good answer - no other answer mentioned other filesystem effects. Myself, I just don't have a swap - I don't own any computer with less than 4GBs of RAM, and I can't see any benefit to using it. Its use is only practical for any of those machines where suspend is concerned - and that is easily scripted. – mikeserv Feb 14 '15 at 18:50
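The mlock route that this answer and frostschutz's both describe, together with the MADV_DONTDUMP point from Bratchley's comment, as an added example rather than code from the thread: a small C helper that maps a buffer for secret material, pins it with mlock(2), excludes it from core dumps, and wipes it before unmapping. The names (secret_alloc and friends) are mine; it assumes Linux with glibc, and that RLIMIT_MEMLOCK (ulimit -l) allows at least one page. When the lock is refused it reports that and carries on unlocked, so the caller can decide whether to proceed.

```c
/* Added example (not from the thread): keep a secret buffer out of swap
 * with mlock(2) and out of core dumps with madvise(MADV_DONTDUMP), then
 * wipe it before release.  Linux/glibc assumed; names are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secret_buf {
    unsigned char *ptr;
    size_t len;     /* usable size the caller asked for */
    size_t mapped;  /* page-rounded size handed to mmap/mlock */
    int locked;     /* 1 if mlock succeeded, 0 if it was refused */
};

/* Allocate a page-aligned, zero-filled buffer and try to pin it in RAM.
 * Returns 0 on success, -1 if the mapping itself fails.  A refused mlock
 * (typically RLIMIT_MEMLOCK) is reported on stderr and via s->locked. */
int secret_alloc(struct secret_buf *s, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0) return -1;
    size_t mapped = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, mapped, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    s->ptr = p;
    s->len = len;
    s->mapped = mapped;
    s->locked = (mlock(p, mapped) == 0);
    if (!s->locked)
        fprintf(stderr, "mlock refused: %s (check ulimit -l)\n", strerror(errno));
#ifdef MADV_DONTDUMP
    /* Best effort: keep these pages out of any core dump as well. */
    madvise(p, mapped, MADV_DONTDUMP);
#endif
    return 0;
}

/* Zero the whole mapping through a volatile pointer so the compiler
 * cannot drop the stores as dead writes. */
void secret_wipe(struct secret_buf *s)
{
    volatile unsigned char *v = s->ptr;
    for (size_t i = 0; i < s->mapped; i++) v[i] = 0;
}

/* 1 if every byte of the mapping is zero, else 0. */
int secret_is_zeroed(const struct secret_buf *s)
{
    for (size_t i = 0; i < s->mapped; i++)
        if (s->ptr[i] != 0) return 0;
    return 1;
}

/* Wipe, unlock and unmap.  Wiping first matters: munlock alone would just
 * make the still-populated pages eligible for swap-out again. */
void secret_free(struct secret_buf *s)
{
    if (!s->ptr) return;
    secret_wipe(s);
    if (s->locked) munlock(s->ptr, s->mapped);
    munmap(s->ptr, s->mapped);
    memset(s, 0, sizeof *s);
}

int main(void)
{
    struct secret_buf s;
    if (secret_alloc(&s, 64) != 0) { perror("secret_alloc"); return 1; }
    /* Constructed sample secret; a real program would read a passphrase here. */
    const char sample[] = "constructed-passphrase";
    memcpy(s.ptr, sample, sizeof sample);
    printf("%zu bytes mapped, %s\n", s.mapped,
           s.locked ? "locked in RAM" : "NOT locked (would be swappable)");
    secret_free(&s);
    return 0;
}
```

frostschutz's caveat still applies: suspend-to-disk writes locked pages out with everything else, so this guards against ordinary swap-out and core dumps, not hibernation, and only for data the program itself holds, not for whatever the mail client hands to an external attachment viewer.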
0

I'm just thinking whether it would be better to start by changing the priority of the application process, e.g. with a start-up script that starts it with a high priority using nice and renice, changes the I/O priority with ionice, and then see what happens.

You can 'nice' the application to the highest priority level, e.g. -20; that way you still leave the OS to do what it does best by making the decision on when to swap application processes.

But as suggested by others, if you want more control and granularity you need to start looking at cgroups and setting memory.swappiness.

tdr