Core Dumps

From Whonix



All OS platforms have a "core dump" functionality which poses potential security and privacy risks. According to Wikipedia: [1]

In computing, a core dump (in Unix parlance), memory dump, or system dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information. Core dumps are often used to assist in diagnosing and debugging errors in computer programs.

The primary function of core dumps is to provide the user or programmer with specialized information to determine the root cause of a system crash, in order to perform debugging. These files are viewable as text or image formats, and can be analyzed with special tools. In Windows, both kernel-mode dumps and user-mode dumps are available. The former contains information on either the full memory or large sections of it, while the latter is limited to single processes. [1]

Security and Privacy Risks

Most of today’s operating systems, libraries, languages, and so on leave sensitive data they handle -- passwords, financial and other information -- scattered throughout memory, and it often leaks to disk. Information may be left there for an indeterminate period and this increases the risk of a system compromise. [2]

Core dumps can potentially contain sensitive information like: [3] [2] [4]

  • Any activities undertaken in a session.
  • All existing contents in RAM at the time of a crash:
    • Disk encryption keys and passwords.
    • Details of open documents.
    • Other passwords.
    • Detailed system information that can assist targeted attacks.

Clearly, how long copies of data survive and where they end up are critical factors. There is no guarantee that RAM is wiped or overwritten during this process. This is not just a theoretical concern, as exploits in the wild have been observed which force privileged applications to perform core dumps, disclosing the contents of shadow password files and other information in the process. [2]

While this information is stored locally on GNU/Linux distributions, this is not the case on proprietary platforms. Windows and macOS generally ship this memory information to the OS vendor. [2] [5] [6] [7] [8]

Disabling Core Dumps

For greater security, advanced users should consider configuring the OS to disable core dumps. If possible, preventing access to process memory is also advisable, along with secure storage of the file system. [9] [10] GNU/Linux users can further research the disabling of core dump features here and here. Debian users should refer to the manpages concerning core dump storage configuration files. On Linux, this normally requires one of: [11]

  • Setting a ulimit value via a configuration file; or
  • Configuring ulimit via a profile (custom) file; or
  • Setting nil storage in the systemd coredump configuration file.

It is also recommended to prevent setuid processes from dumping their memory, since processes with elevated permissions might otherwise still perform core dumps. [12] For greater safety, test that the configuration works correctly.
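The settings listed above can be checked together with a short script. This is an added example, not Whonix's own tooling: it assumes the standard pam_limits, systemd-coredump and sysctl file locations and key names (`* hard core 0`, `Storage=none`, `fs.suid_dumpable=0`), and it demonstrates itself on a constructed demo tree rather than a real system.

```shell
#!/bin/sh
# Added example: static audit of core-dump settings below a root directory.
# Paths and key names are the standard pam_limits, systemd-coredump and
# sysctl ones; the checks read files only and do not query the running kernel.

# last_value KEY FILE...: value of the last uncommented "KEY = value" line.
last_value() {
    key=$1; shift
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" |
        tail -n 1
}

# hard_core_zero FILE...: succeed if the last "* hard core N" entry has N = 0.
hard_core_zero() {
    cat "$@" 2>/dev/null |
        awk '$1 == "*" && $2 == "hard" && $3 == "core" { v = $4 }
             END { exit !(v == "0") }'
}

# audit_coredumps [ROOT]: print PASS/FAIL per check, return the number of FAILs.
audit_coredumps() {
    root=${1:-}; fails=0
    if hard_core_zero "$root/etc/security/limits.conf" "$root"/etc/security/limits.d/*.conf
    then echo "PASS limits: '* hard core 0'"
    else echo "FAIL limits: no '* hard core 0' entry"; fails=$((fails + 1)); fi

    v=$(last_value Storage "$root/etc/systemd/coredump.conf" "$root"/etc/systemd/coredump.conf.d/*.conf)
    if [ "$v" = none ]
    then echo "PASS systemd-coredump: Storage=none"
    else echo "FAIL systemd-coredump: Storage='${v:-unset}'"; fails=$((fails + 1)); fi

    v=$(last_value 'fs\.suid_dumpable' "$root"/etc/sysctl.d/*.conf "$root/etc/sysctl.conf")
    if [ "$v" = 0 ]
    then echo "PASS sysctl: fs.suid_dumpable=0"
    else echo "FAIL sysctl: fs.suid_dumpable='${v:-unset}'"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed demo tree (not a real system): audited weak, then hardened.
demo=$(mktemp -d)
mkdir -p "$demo/etc/security" "$demo/etc/systemd" "$demo/etc/sysctl.d"
echo 'Storage=external' > "$demo/etc/systemd/coredump.conf"
audit_coredumps "$demo" || echo "-> $? check(s) failed before hardening"
echo '* hard core 0' > "$demo/etc/security/limits.conf"
printf '[Coredump]\nStorage=none\n' > "$demo/etc/systemd/coredump.conf"
echo 'fs.suid_dumpable = 0' > "$demo/etc/sysctl.d/50-coredump.conf"
audit_coredumps "$demo" && echo "-> all checks pass after hardening"
rm -rf "$demo"
```

Calling `audit_coredumps` with no argument audits `/etc` of the running system. Because the script only reads configuration files, confirm the effective values afterwards with `ulimit -c` and `sysctl fs.suid_dumpable`.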



Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
