0

I want to run some confidential program on a cloud server. In order to protect it from being copied, I can encrypt it into a drive and mount the decrypted drive to run it. However I want to umount the decrypted drive once it sets up running in memory to minimize the time window of the decryption.

Is it ever possible to do so? Or Linux locks this drive for the program is running from?

A similar situation is to run a program on a drive and then umount that drive.

George Y
  • 528
  • 6
  • 16
  • Surely this logic is flawed - If its in memory, just grab the data out if memory rather then disk. I put to you that this is the thrust of many of the newish style branch prediction type attacks - and that's where the attacker is not privileged or in control of the hypervisor. – davidgo Jun 14 '20 at 02:28

1 Answers1

1

No cleanly. You can, for example, remove a USB you are running software from. If the program does not need any resources from there, then nothing will happen but it will not exit cleanly.

$ sudo dd if=/dev/zero of=/tmp/disk bs=1M count=100
$ sudo mkfs -t ext4 /tmp/disk
$ sudo mount /tmp/disk /mnt
$ sudo cp -a /bin/bash /mnt/newbash
$ /mnt/newbash

If you go to another terminal and try to umount /mnt the system will tell you it is busy, and fuser -m /mnt will list newbash as the process using it, also lsof.

COMMAND PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
newbash 903 root txt    REG    7,0  1168776   12 /mnt/newbash

Even though the filesystem is in use, you could do umount --lazy /mnt BUT that could have nasty consequences. You don't know if the whole executable is in memory and the system might need to fetch a part of it for example.

It would be asking for trouble. The option is there to avoid wait forever on resources you no longer have access to, for example at shutdown.

If all you want is to run it on memory, then you could create a ramdisk, copy it there and run it.

You could even setup something like encfs so that the folder in the ramdisk is encrypted.

Eduardo Trápani
  • 1,210
  • 8
  • 12
  • Thank you for your advice. Yes it is a simple binary executable and depends on no other resources. I got this inspiration from system setup disk - I can unplug the setup disk of a linux distro while it is in use and no problem would ever happen. Isn't the system upload every bit of the binary into its memory before execute it? – George Y Jun 14 '20 at 03:10
  • Yes, the system installer can be copied to memory so you can remove the disk, but that's because it basically copies the disk in a ramdisk, which is what the answer suggests. – Ginnungagap Jun 14 '20 at 05:39