secbits 0.1.1

A library for secure memory handling featuring
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

# SecBits

A Rust library for secure memory handling featuring:  
- ๐Ÿ”’ Memory locking (mlock/madvise)  
- ๐Ÿ›ก๏ธ Configurable protection modes (RW/RO/NOACCESS)  
- ๐Ÿงผ Secure zeroing with platform-specific intrinsics  
- ๐Ÿ—‘๏ธ Automatic memory wiping on drop  
- ๐Ÿ“ Page-aligned allocations  

**Use Case**: Sensitive data handling (cryptographic keys, passwords, PII)

## Quick Start

```rust
use secbits::SecBytes;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create secure storage
    let mut secret = SecBytes::new("my_secret".as_bytes().to_vec())?;

    // Store sensitive data (source gets zeroed)
    secret.append(b"extra data".to_vec())?;

    // Read access
    {
        let view = secret.read()?;
        assert_eq!(view.as_slice(), b"my_secretextra data");
    } // drop view

    // Write access (exclusive)
    {
        let mut edit = secret.write()?;
        edit.as_slice()[..3].copy_from_slice(b"NEW");
    } // drop edit

    assert_eq!(secret.read()?.as_slice(), b"NEWsecretextra data");

    Ok(())
} // Memory automatically unlocked and zeroed here
```

## Major Components

### 1. SecMem Core

```rust
struct SecMem {
    ptr: NonNull<u8>,
    cap: usize,      
    layout: Layout,  
}
```

Key Features:

- ๐Ÿ“ Page-Aligned Allocations: Always uses system page size multiples
- ๐Ÿ” Memory Locking:
    - `mlock()` prevents swapping to disk
    - `madvise(MADV_DONTDUMP)` excludes from core dumps
- ๐Ÿ›ก๏ธ Protection Modes:
    - `ProtectionMode::None` - No access (default)
    - `ProtectionMode::Read` - Read-only
    - `ProtectionMode::ReadWrite` - Read-write
- โ˜ ๏ธ Secure Drop:
    - Set memory to RW mode
    - Zero using platform-secure methods
    - Unlock and deallocate


### 2. SecBytes Buffer

```rust
struct SecBytes {
    mem: SecMem,         
    len: usize,          
    reader_count: AtomicUsize,
}
```

Key Features:

- ๐Ÿ“ˆ Dynamic Resizing: Maintains 2x growth factor
- ๐Ÿ‘€ Access Views:
    - `SecReadBytes`: Shared read access (RO mode)
    - `SecWriteBytes`: Exclusive write access (RW mode)
- ๐Ÿงต Concurrency Safety:
    - Multiple readers allowed
    - Writers get exclusive access via &mut


## Key Tricks

### 1. Safe Memory Management

```rust
// Always use RAII guards
{
    let view = secret.read()?;  // Auto sets RO
    // use view...
} // Auto resets to NOACCESS
```

### 2. Secure Data Handling

```rust
// Source data gets zeroed automatically
secret.append(&mut sensitive_data)?;
```

## ๐Ÿ”’ Security Considerations

Guarantees

- ๐Ÿ›ก๏ธ Memory never swapped to disk (mlock)
- ๐Ÿšซ Sensitive data excluded from core dumps
- ๐Ÿ•ต๏ธโ™‚๏ธ Defeats heap inspection attacks
- ๐Ÿง  Prevents compiler optimizations from skipping zeroing

Limitations

-  โš ๏ธ Requires CAP_IPC_LOCK on Linux (or root)
-  ๐Ÿ’พ Physical memory still potentially recoverable
-  ๐Ÿ”Œ Doesn't protect against hardware attacks