Is memory encrypted?


Question

I want to store some data in a variable (and I know variables are stored in memory). Does that data in memory get encrypted? Also, is it possible for software to be able to read the variable names stored in memory and be able to actually extract the data from it?

Answer

Memory is not encrypted on any platform I know about. It would be of limited value anyway, because the processor must, in general, operate on plaintext data, so the data must be in plaintext on the machine somewhere.

Instead, modern operating systems (and most historical ones) use memory protection to allow only certain processes access to certain memory pages. Every memory page comes with read, write, and (sometimes) execute permissions. The operating system kernel is in charge of handling those permissions on context switch to grant or deny access to memory pages per-process as needed.

Saltzer and Schroeder's 1975 paper The Protection of Information in Computer Systems describes a mechanism using segments, rather than pages, but the principle has remained unchanged for decades.

Typically, any process-owned memory page is readable by a process with high-enough privilege; the OS kernel certainly can modify any page of memory, and it can choose to delegate that privilege to user processes too. The ptrace(2) system call on Linux provides a debugger backdoor that can be used to implement read-only memory inspection systems such as strace(1) or ltrace(1) or gdb(1), or memory-modification systems such as gdb(1) and ptrace-based sandbox environments.

Or, a core file can be dumped, under certain situations (see core(5) and setrlimit(2) manpages), containing the contents of the process's memory. This is one reason why it is important to clear memory of important data before release.

I was part of a team that worked on encrypting pointers (non-PTO link) in running programs. The overhead was amazing, and the number of corner cases was even more astonishing. Using these techniques for common programs is probably not practical, though I could imagine a restricted environment where encrypted memory or control structures is a feasible approach. (Though probably other techniques would be more appropriate.)
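The answer above ends on the practical point: since memory is plaintext and can be read by a debugger or end up in a core file, a program should keep secrets out of core dumps and wipe them before the memory is released. The following is an added example written for this page, not code from the answer's author. It is Linux-specific (MADV_DONTDUMP and RLIMIT_CORE are from the core(5), madvise(2) and setrlimit(2) interfaces the answer points at), and the function names secure_zero, alloc_secret_page, free_secret_page, disable_core_dumps and demo_round_trip are this example's own. A plain memset() on a buffer that is never read again is allowed to be deleted by the optimizer, so the wipe goes through a volatile function pointer.

```c
/* Added example (not from the original answer): excluding secret material
 * from core dumps and wiping it before release. Linux-specific. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* memset() on memory that is never read again is a dead store the compiler
 * may remove. Calling it through a volatile function pointer prevents that,
 * so the zeros are really written before the buffer is freed. */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) {
    memset_fn(p, 0, n);
}

/* Returns 1 if every one of the n bytes at p is zero, else 0. */
int is_all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Set RLIMIT_CORE to 0 so the kernel never writes a core file for this
 * process (see core(5)). Returns 0 on success, -1 on error. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Map a private anonymous region for secret material, mark it so it is left
 * out of any core dump (MADV_DONTDUMP), and, where RLIMIT_MEMLOCK permits,
 * lock it so it is not written to swap. Returns NULL on failure. */
unsigned char *alloc_secret_page(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
#ifdef MADV_DONTDUMP
    if (madvise(p, len, MADV_DONTDUMP) != 0) {
        munmap(p, len);
        return NULL;
    }
#endif
    (void)mlock(p, len); /* best effort: failure only affects swap, not dumps */
    return (unsigned char *)p;
}

/* Wipe first, then give the pages back: the kernel zeroes anonymous pages on
 * reuse, but the wipe also covers the window before that happens. */
void free_secret_page(unsigned char *p, size_t len) {
    secure_zero(p, len);
    munlock(p, len);
    munmap(p, len);
}

/* End-to-end check used by main() below. Returns 1 if every step worked. */
int demo_round_trip(void) {
    unsigned char stack_secret[32];
    memset(stack_secret, 0x41, sizeof stack_secret);
    if (is_all_zero(stack_secret, sizeof stack_secret)) return 0;
    secure_zero(stack_secret, sizeof stack_secret);
    if (!is_all_zero(stack_secret, sizeof stack_secret)) return 0;

    if (disable_core_dumps() != 0) return 0;
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0 || rl.rlim_cur != 0) return 0;

    const size_t len = 4096;
    unsigned char *s = alloc_secret_page(len);
    if (s == NULL) return 0;
    memcpy(s, "constructed-secret", 18); /* sample data, made up for the demo */
    if (is_all_zero(s, len)) return 0;
    free_secret_page(s, len);
    return 1;
}

int main(void) {
    printf("round trip %s\n", demo_round_trip() ? "ok" : "failed");
    return 0;
}
```

None of this defends against the ptrace(2) path the answer describes: a debugger attached to the live process reads the secret while it is in use. The measures only shrink the window and keep the secret out of artifacts (core files, swap) that outlive the process.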
