Kernel dump analysis and user data

Postby dzdq1f » Fri Nov 17, 2006 5:47 pm

I'm hoping one of the experts reading this post can offer an opinion. I work in audit compliance for a large IT company. During a recent PCI (Payment Credit Card) audit, I was told that servers that perform credit card transactions must have the kernel memory dump turned off (it's turned on by default on our builds). The auditors are insisting that a kernel dump could contain credit card data if a transaction were occurring during a crash. If the dump file were sent off to the Microsoft vendor for analysis, credit card data could potentially be contained in the dump. I've searched technet (MS) and can't find anything that might answer this question. Thanks in advance for any opinions/suggestions you experts out there can give me.
dzdq1f
 
Posts: 1
Joined: Fri Nov 17, 2006 2:01 pm

Postby VDO » Fri Nov 17, 2006 10:47 pm

It depends on the credit card transaction software's design and architecture, and on what type of dump is configured in the Control Panel\System\Advanced\Startup and Recovery applet: Small, Kernel or Complete.

Software usually encrypts data before sending it down the TCP/IP stack or other network protocol. If your credit card transaction software doesn't have any kernel-space encryption drivers and doesn't rely on any MS or other third-party encryption API that might send data to the kernel, communicate with KSECDD or with a user-space component like LSASS via LPC/RPC, you can safely assume that kernel memory dumps will not have unencrypted data. If encryption is done entirely in user space, a Small memory dump and a Kernel memory dump will only have encrypted fragments. Otherwise there is a probability that the BSOD happens just before encryption or after decryption, or while a secure protocol is being handled. This exposure can even happen in Small memory dumps if the BSOD happens in the thread that handles sensitive information in kernel mode.
The same applies if your software stores credit data on any medium. If it stores only encrypted data and decrypts entirely in user space without any transition to the kernel, it should be safe to enable the kernel memory dump.

If your goal is ultimate security, then even the Small memory dump (64Kb) should not be allowed. But in reality, as we consider probabilities, sending a small memory dump is equivalent to exposing no more than one credit card number or one password.

What you must avoid at any cost is enabling the complete memory dump option in Control Panel. In this case all your credit card transaction software code and data, including the file system cache, will be exposed.

Contrary to a complete memory dump, a kernel memory dump will not have much data even if some portion of it is being communicated at crash time.

I would also be interested in hearing what other experts say. This is a very interesting topic.
VDO
Site Admin
 
Posts: 552
Joined: Mon May 01, 2006 10:34 am
Location: Dublin, Ireland

Postby VDO » Sat Dec 09, 2006 2:15 pm

VDO
Site Admin
 
Posts: 552
Joined: Mon May 01, 2006 10:34 am
Location: Dublin, Ireland

Postby tobyeo » Mon Jan 15, 2007 1:54 am

One other mention is that even if the application is only sending the credit card numbers encrypted down the TCP stack, they could still be in the memory dump, and more than one could, depending on whether they are all stored in the same location.

This is because if the application, for example, is putting them in the same heap, let's say other data, for example file data, is also in this location. If the application then sends completely irrelevant data to a file driver, and that file driver locks those user pages into memory and maps kernel pages, then that page with the file data, along with the possibly unencrypted credit card numbers, could be in the dump. As a side note, since the file system cache is so big, usually any kernel memory corruption ends up trapping on a file system I/O, which then makes the probability of having this information in the dump even higher. Again, this is even if the credit card number is being sent down the file stack encrypted: locking an entire page of the heap may capture other information, such as 4k worth of unencrypted credit card numbers!
tobyeo
 
Posts: 5
Joined: Sat Jan 13, 2007 8:31 am
Location: Oregon

Postby tobyeo » Mon Jan 15, 2007 6:55 am

Not to mention that if these are being stored in a file or database (files) unencrypted, the file system cache could also put the data in the dump. The best solution is not to have any dump and to just "reboot on crash".
tobyeo
 
Posts: 5
Joined: Sat Jan 13, 2007 8:31 am
Location: Oregon
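An added example (not from any poster in this thread) for the auditor's side of the question: a PowerShell check that reports which of the three dump types VDO describes is configured on a host, rates it using the exposure reasoning from the thread, and can apply tobyeo's "no dump, reboot on crash" setting. It assumes the standard CrashControl registry key behind the Startup and Recovery applet and must be run elevated to change anything.

```powershell
# Added example: audit the crash-dump configuration discussed in the thread.
# Assumes the standard CrashControl key that backs the Startup and Recovery
# applet; the thread itself only names the Control Panel path.
$CrashControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled values as stored by the applet (7 = Automatic on newer Windows).
$DumpTypeNames = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (64 KB)'
    7 = 'Automatic memory dump'
}

function Get-CrashDumpPolicy {
    $cc   = Get-ItemProperty -Path $CrashControlKey
    $type = [int]$cc.CrashDumpEnabled

    # Exposure rating follows the thread: Complete exposes all user-mode data
    # and the file system cache; Kernel/Small still carry a residual risk
    # because locked user pages or in-flight plaintext can land in the dump.
    $risk = switch ($type) {
        1 { 'HIGH   - complete dump includes process memory and file system cache' }
        2 { 'MEDIUM - kernel dump may include locked user pages' }
        7 { 'MEDIUM - automatic dump is kernel-sized' }
        3 { 'LOW    - 64 KB minidump, small residual exposure' }
        0 { 'NONE   - no dump is written' }
        default { "UNKNOWN - unexpected CrashDumpEnabled value $type" }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        DumpType   = if ($DumpTypeNames.ContainsKey($type)) { $DumpTypeNames[$type] } else { "Unknown ($type)" }
        AutoReboot = [bool]$cc.AutoReboot
        DumpFile   = $cc.DumpFile
        Risk       = $risk
    }
}

# Apply the thread's recommendation for card-handling hosts: write no dump
# and restart automatically after a crash. Requires an elevated session.
function Set-NoDumpRebootOnCrash {
    Set-ItemProperty -Path $CrashControlKey -Name CrashDumpEnabled -Value 0 -Type DWord
    Set-ItemProperty -Path $CrashControlKey -Name AutoReboot       -Value 1 -Type DWord
    Get-CrashDumpPolicy
}

Get-CrashDumpPolicy | Format-List
```

Run `Get-CrashDumpPolicy` across the in-scope servers to produce the evidence an assessor asks for; any host reporting `Complete memory dump` is the case VDO says must be avoided.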
