Download
This package attempts to reduce the likelihood of sensitive data being exposed when in memory. It aims to support all major operating systems and is written in pure Go. Sensitive data is encrypted and authenticated in memory with XSalsa20Poly1305. The scheme used also defends against cold-boot attacks. Memory allocation bypasses the language runtime by using system calls to query the kernel for resources directly. This avoids interference from the garbage collector. Buffers that store plaintext data are fortified with guard pages and canary values to detect spurious accesses and overflows. The effort is taken to prevent sensitive data from touching the disk. This includes locking memory to prevent swapping and handling core dumps. Kernel-level immutability is implemented so that attempted modification of protected regions results in an access violation.
Features
- Allocates memory in a secure manner to prevent memory leaks and other types of memory-related attacks
- Automatically wipes memory when it is no longer needed to prevent data leakage
- Provides various methods for securely storing and manipulating sensitive data, such as encryption and decryption of data
- Provides a zero-copy API for working with sensitive data
- Provides a way to lock and unlock memory to prevent unauthorized access
- Provides a way to lock and unlock the data segment to prevent data-only attacks
Project Samples
