Can swapping be disabled on the application level?

I’m currently using thunderbird with gnupg to read encrypted emails.
If I understand the swapping behavior correctly, the memory pages containing the decrypted emails might be swapped out and leave traces on the hard disk which may in theory later be recovered forensically.

While it is certainly possible to just use an encrypted swapfile or disable swapping globally for the duration of using sensitive files, it impacts performance, might be forgotten and requires root privileges.

Is it possible to mark certain files or programs as not to be swapped? Even without root access? Could one write an application which can be distributed to technically naive users and whose memory contents are never swapped to disk?

Asked By: user54114

||

Applications can lock their memory so it cannot be swapped.

mlock, munlock, mlockall, munlockall - lock and unlock memory

I don’t know of a way to influence this from the outside, though. The application would have to be written to use this by itself. With mails it’s probably particularly difficult since it usually also involves external programs for viewing attachments and such.

Also, even with memlock there is a chance of it ending up on your swap partition – when you use suspend to disk which writes all memory to disk, regardless of any non-swap preferences.

It’s easier to just go full disk encryption in the first place.

Answered By: frostschutz

In the comments, I suggested you create a cgroup, set memory.swappiness to zero (to minimize swapping) and run your application inside of that. If you did that, your application probably wouldn’t swap unless you were running so incredibly low on physical memory that swapping pages for programs in that cgroup was the only way to make enough physical memory available.

To do this on RHEL 6.5:

  • Ensure the libcgroup package is installed. This gives you access to userspace tools like cgcreate and cgexec.

  • Start and enable the cgconfig service so that changes to cgroup configuration are persistent between reboots. On RHEL this service should also mount the required filesystems underneath the /cgroup tree.

  • Create the cgroup with cgcreate -g memory:thunderbird

  • Set swappiness to zero in this group with cgset -r memory.swappiness=0 thunderbird

  • Use cgsnapshot -s > /etc/cgconfig.conf to save an updated persistent configuration for the cgconfig service (all changes up until now have been runtime changes. You’ll probably want to save the default config file somewhere and give it a once-over before making it the persistent configuration.

  • You can now use cgexec to start desired applications within the thunderbird cgroup:

    [root@xxx601 ~]# cgexec -g memory:thunderbird ls

    anaconda-ks.cfg a.out foreman.log index.html install.log install.log.syslog node.pp sleep sleep.c ssl-build stack test

    [root@xxx601 ~]#

I don’t have thunderbird actually installed otherwise I would have done that. Not sure why the formatting of the above is messed up.

  • One alternative to cgexec would be to start thunderbird and add the PID to the tasks file for the application. For example:

    [root@xxx601 ~]# cat /cgroup/memory/thunderbird/tasks

    [root@xxx601 ~]# pidof httpd

    25926 10227 10226 10225 10163 10162 10161 10160 10159 10157 10156 10155 10152 10109

    [root@xxx601 ~]# echo 25926 > /cgroup/memory/thunderbird/tasks

    [root@xxx601 ~]# cat /cgroup/memory/thunderbird/tasks

    25926

Again, it’s bears mentioning that this doesn’t technically prevent swapping but short of modifying the application itself, it’s probably your best bet. I’ve just now found memory.memsw.limit_in_bytes which seems like it might be a more direct control on forcing there to be no swapping but I haven’t played around with it enough to really feel comfortable saying that it fixes your problem completely. That said, it might be something to look into after this.


The real answer would be to have the application mlock sensitive information to get around this sort of concern. I’m willing to bet an application like Thunderbird, though, does do that but I don’t know enough about the internals to comment on that.

Answered By: Bratchley

Yes, an application can prevent some of its memory from being swapped out, with the mlock system call. However, this is not really useful in your case.

Confidential data isn’t just in application memory. It ends up in temporary files in various places (/tmp, /var/spool, etc.). Thunderbird itself is displaying the decrypted email, so you’d have to lock it to RAM too.

If you want to ensure that your disk won’t contain traces of confidential files, you need to encrypt your swap as well as all the potential locations of temporary files (in particular, /tmp if it isn’t tmpfs, and most of /var, in addition to your home directory of course).

The impact of encrypted swap on performance is small to nil. Encryption is a lot faster than disk I/O.

I’m just thinking if it would be better to start with changing the priority of the application process on e.g. with a start-up script starting it with a high priority using nice and renice and with the I/O priority change that with ionice and then see what happens.

You can ‘nice’ the application to the highest priority level e.g. -20 that way you still leave the OS to do what it does best by making the decision on when to swap application processes.

But has suggested by others if you want more control and granularity you need to start looking at cgroups and setting memory.swappiness

Answered By: tdr
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.