Object Reuse is the mechanism that protects against scavenging, or being able to read information that is left over from a previous subject's actions. The following general techniques are applied to meet this requirement in the AIX distributed system:
● explicit initialization of resources on initial allocation or creation
● explicit clearing of resources on release or deallocation
● management of storage for resources that grow dynamically
● administrator-initiated wiping of hard disk drives
Explicit initialization is appropriate for most TSF-managed abstractions, where the resource is implemented by some TSF internal data structure whose contents are not visible outside the TSF:
queues, datagrams, pipes, and devices. These resources are completely initialized when created, and have no information contents remaining.
Explicit clearing is used in AIX only for directory entries, because they are accessible in two ways:
through TSF interfaces both for managing directories and for reading files. Because this exposes the internal structure of the resource, it must be explicitly cleared on release to prevent the internal state from remaining visible.
Storage management is used in conjunction with explicit initialization for object reuse on files, and processes. This technique keeps track of how storage is used, and whether it can safely be made available to a subject.
Hard disk wiping provides means to an administrator to overwrite information on hard disks with bit patterns in order to render previously stored information on the disks unrecoverable. Rather than being a system property, this is a function that can be invoked by the administrator.
The following sections describe in detail how object reuse is handled for the different types of objects and data areas.
7.2.2.12.1 Object reuse: File system objects (OR.1)
All file system objects (FSOs) available to general users are accessed by a common mechanism for allocating disk storage and a common mechanism for paging data to and from disk. This includes the Journaled File System (JFS2) and Network File System (which exists physically as a JFS2 volume on a server host). This includes both normal and large JFS2 file systems.
Object reuse is irrelevant for the CD-ROM File System (CDRFS) and the Universal Data Standard File System (UDFS) because they are read-only file systems, making it impossible for a user to read residual data left by a previous user. File systems on other media (tapes, diskettes) are irrelevant because of warnings in [SecGuide] not to mount file systems on these devices.
For this analysis, the term FSO refers not only to named file system objects (files, directories, device special files, named pipes, and UNIX domain sockets) but also to unnamed abstractions that use file system storage (symbolic links and unnamed pipes). All of these, except unnamed pipes, device special files, and UNIX domain sockets, have a directory entry that contains the pathname and an inode that controls access rights and points to the disk blocks used by the FSO.
In general, file system objects are created with no contents, directories and symbolic links are exceptions, and their contents are fully specified at creation time.
This section and its subsections map to the following SFR(s):
● FDP_RIP.2
● FDP_RIP.3
7.2.2.12.1.1 Object reuse: Files
Storage for files is allocated automatically in pages as a file grows. These pages are cleared before they become accessible, within the file. However, when a file is deleted the space holding the data from the file, both in memory and on disk, is not cleared. This data will persist until the space is assigned to another file, when it will be cleared. These internal fragments of deleted files are protected by the kernel to prevent accessing of deleted data.
If data is read before it is written, it will read only as zeroes. Reads terminate when the end-of-file (EOF) is detected. It is possible to seek past the EOF, but any reads will return zeroes. File writes may cause the file to grow, thus overwriting any residual data and moving the EOF. If the file pointer is advanced past the EOF and then written, this leaves a hole in the file that will subsequently be read as zeroes.
7.2.2.12.1.2 Object reuse: Directories and directory entries
In part, object reuse for directories is handled as for ordinary files: pages allocated are always cleared before being incorporated into the directory. When a directory is first created, it is explicitly initialized to have the entries “.” and “..”, but the remainder of the directory's storage is cleared.
Individual directory entries are manipulated as distinct resources, such as when referencing file system objects, and as part of the directory, such as when reading the entire directory itself. When a directory entry is removed or renamed the space occupied by that directory entry is either combined with the previous entry as free space or else the inode number of the entry is set to zero when the entry occurs on a 512 byte boundary.
When a directory entry does not occur on a 512-byte boundary, the size of the preceding directory entry is incremented by the size of the directory entry which has been removed. The space in a directory entry in excess of that which is needed to store the necessary information may be allocated when a directory entry is to be created. The fields of the directory entry remain unchanged.
When a directory entry occurs on a 512-byte boundary, the inode number is set to zero to indicate that this entry is now available for re-use. All other fields of the directory entry remain unchanged.
The directory entry is no longer visible to interfaces which perform file name operations and may only be seen when the entire directory is examined and the process has read access to the directory.
7.2.2.12.1.3 Object reuse: Symbolic links
Symbolic links have their contents (the link pathname) fully specified at creation time, and the readlink operation returns only the string specified at creation time, not the entire contents of the block it occupies.
7.2.2.12.1.4 Object reuse: Device special files
All device special files are initialized to a known state on first open and never grow. Device special files refer to actual hardware or else to virtualized objects. There are no file system blocks, unless the device references a file system (in which case the mechanism for object reuse of file system objects apply). Nor is there memory, unless the device is associated with memory (in which case the object reuse mechanisms for memory objects apply).
7.2.2.12.1.5 Object reuse: Named pipes (FIFOs)
FIFOs (First In First Out) are created empty. Buffers are allocated to contain data written to a pipe, but the read and write pointers are managed to ensure that only data that was written to the pipe can ever be read from it.
7.2.2.12.1.6 Object reuse: Unnamed pipes
Unnamed pipes are created empty. Buffers are allocated to contain data written to a pipe, but the read and write pointers are managed to ensure that only data that was written to the pipe can ever be read from it.
7.2.2.12.1.7 Object reuse: Socket special file (UNIX domain)
UNIX domain sockets have no contents; they are fully initialized at creation time.
7.2.2.12.2 Object reuse: IPC objects (OR.2)
AIX shared memory, message queues, and semaphores are initialized to all zeroes at creation.
These objects are of a finite size (shared memory segment is from one byte to 256 MBytes, semaphore is one bit), and so there is no way to grow the object beyond its initial size.
No processing is performed when the objects are accessed or when the objects are released back to the pool.
This section maps to the following SFR(s):
● FDP_RIP.2
● FDP_RIP.3
7.2.2.12.3 Object reuse: Queuing system objects (OR.3) 7.2.2.12.3.1 Object reuse: Batch queue entries
The cron daemon and atdaemon jobs are defined in batch files, which are subject to the object reuse protections specified for files as described previously.
This section maps to the following SFR(s):
● FDP_RIP.2
● FDP_RIP.3
7.2.2.12.4 Object reuse: Miscellaneous objects (OR.4) 7.2.2.12.4.1 Object reuse: Process
A new process's context is completely initialized from the process's parent when the fork system call is issued. All program visible aspects of the process context are fully initialized. All kernel data structures associated with the new process are copied from the parent process, then modified to describe the new process, and are fully initialized.
The AIX kernel zeroes each memory page before allocating it to a process. This pertains to memory in the program's data segment and memory in shared memory segments. When a process requests more memory, the memory is explicitly cleared before the process can gain access to it.