Skip to main content

Crate sec_mem

Crate sec_mem 

Source
Expand description

§SecMem

A high-assurance, attack-resistant cryptographic memory allocator for Rust.

Designed to aggressively protect sensitive data (cryptographic keys, passwords, PII) from OS-level exploits, memory dumping, buffer overflows, and side-channel attacks.

§Feature Flags

FeatureDescriptionDefault
sec_memEnables SecMem, the OS-level memory hardening container. Requires libc and Linux.Yes
encryptionEnables ChaCha20/XOR-blinded encrypt-at-rest for SecMem. Stores the master key in memfd_secret.Yes
key_shieldingEnables OpenSSH-style 16 KiB pre-key blake3 derivation to heavily defend against side-channels.No

(Note: SecretBox is always available and fully no_std compatible, regardless of features).

§1. Hardware-Accelerated OS Hardening (SecMem)

Available with the sec_mem feature. Uses raw Linux syscalls to create hardware-isolated memory.

  • XOR-Blinded Encrypt-at-Rest: Memory is dynamically ChaCha20/XOR masked.
  • Optional Key Shielding: Defeats Spectre/Rowhammer using an optional 16 KiB XOR-split pre-key and dynamic blake3 derivation (key_shielding feature).
  • Intel MPK: Grants zero-syscall hardware isolation using pkey_mprotect and WRPKRU.
  • Memory Sealing: Uses mseal to permanently lock guard pages and permissions.
  • mlock & Anti-Tracing: Forces mlock, MADV_DONTDUMP, MADV_DONTFORK, and PR_SET_DUMPABLE(0).
use sec_mem::SecMem;

let mut secure_key = SecMem::new([0xAAu8; 32]);
secure_key.access_mut(|key| {
    key[0] = 0xBB;
}); // Hardware locks instantly engage on closure drop.

§2. Software-Enforced Memory Hardening (SecretBox)

A highly portable, stack-native, software-only wrapper requiring zero OS syscalls.

  • Dynamic Volatile Canaries: Generates randomized canaries at startup (libc::getrandom or RDRAND), verified via core::ptr::read_volatile.
  • Strict Exclusive Access: Enforces &mut self to mathematically eliminate concurrency race conditions.
  • Closure-Restricted Lifetimes: No expose_secret(). Uses strictly scoped injection closures (.with_secret()).
use sec_mem::SecretBox;
 
let mut portable_box = SecretBox::new(42u32);
portable_box.with_secret(|val| {
   assert_eq!(*val, 42);
}); // Stack canaries verified via volatile reads!

Re-exports§

pub use zeroize;

Structs§

SecMemUnix and sec_mem
A hardware-accelerated secure memory container for isolating sensitive data from the OS.
SecretBox
A pure-software, stack-native hardened wrapper for sensitive values (no_std compatible).

Traits§

SecretAccessUnix and sec_mem
Trait for types that can provide access to underlying data, whether protected or raw

Functions§

harden_processUnix and sec_mem
Hardens the entire process against memory dumping and tracing (Linux-only). This applies prctl(PR_SET_DUMPABLE, 0) to disable ptrace and core dumps globally.