Skip to main content

Coredumps and Sensitive Data

Managing Sensitive Data in Coredumps

System Design Considerations for Sensitive Data

Use a Secure Element

For devices involved in the prolonged storage of sensitive customer information, the inclusion of a secure element in your design is recommended. This additional layer of security ensures that information is never stored in plain text, alleviating the responsibility of independently securing the data.

Encrypt Sensitive Data at Rest and In Transit

It is strongly recommended to encrypt all sensitive data at rest and in transit. This proactive measure ensures that any captured memory does not reveal information about end users. This is particularly crucial for devices serving as conduits for sensitive information without conducting local data processing, such as health monitoring devices or access control systems.

Never Log Sensitive Data

It's important to remember to not log sensitive data, as this data might end being inadvertently dumped out over a UART or USB exposing access to the outside world

Avoid Storing Sensitive Data on Stack

When sensitive data is being accessed, you want to minimize the number of places it is copied around in the code. To achieve this, Memfault recommends copying the data into static buffers specifically allocated to hold the data and passing by reference. This avoids creating unexpected copies of the sensitive data in the code that could leak or be snarfed by classic programming exploits. Example pseudocode:

 #include "memfault/components.h"

// put sensitive data in special section
__attribute__((section("sensitive_data_buffer)))
static char s_plaintext_ssn[9];

void process_ssn(void) {
decrypt_and_load_ssn(&s_plaintext_ssn);

// do some operation on ssn
// ...

// zero out decrypted data
memset(&s_plaintext_ssn, 0, sizeof(s_plaintext_ssn));
}

Excluding Sensitive Data from Coredumps

Placing Sensitive Data in a Separate Section

If you have sensitive data that you do not want to be included in a coredump, you can place it in a separate section and exclude that section from the captured region list.

For example, if you have a structure that contains sensitive data, you can place it in a .sensitive section:

// --- sensitive_data.h ---
struct SensitiveData {
int secret;
int secret2;
};
extern struct SensitiveData g_sensitive_data;

// --- sensitive_data.c ---
#include "sensitive_data.h"
MEMFAULT_PUT_IN_SECTION(".sensitive")
struct SensitiveData g_sensitive_data = {
.secret = 42,
.secret2 = 43,
};
// --- linker-script.ld ---
SECTIONS {
[...]
.sensitive :
{
*(.sensitive*)
} >RAM
[...]
}

Then, in your memfault_platform_coredump_get_regions() be sure to exclude the .sensitive section.

Wiping Sensitive Data Before Collection

Another strategy that can be easier to implement is to wipe sensitive data prior to coredump collection. This is done by implementing the memfault_platform_coredump_save_begin() platform hook:

memfault/panics/platform/coredump.h
loading...

An example implementation of this hook is shown below:

#include "memfault/components.h"

static void prv_wipe_sensitive_data(void) {
// wipe sensitive data
memset(&g_sensitive_data, 0, sizeof(g_sensitive_data));
}

bool memfault_platform_coredump_save_begin(void) {
prv_wipe_sensitive_data();
return true;
}