MAP_CONCEAL
MAP_CONCEAL is a flag that can be passed to mmap(2), or used via malloc_conceal(3) and calloc_conceal(3), to prevent memory from being written to a core dump.
It was added by Scott Soule Cheloha in February 2019 and shipped in OpenBSD 6.5.
FreeBSD implemented the equivalent MAP_NOCORE in February 2000.
Linux has had a similar feature since 3.4 (released in 2012), via the MADV_DONTDUMP madvise(2) flag, which excludes one address range from core dumps. It also has a coarser, per-process filter since 2.6.23 (released in 2007): the /proc/$PID/coredump_filter bitmask, which selects whole classes of mappings (anonymous private, anonymous shared, file-backed, and so on) rather than specific ranges. OpenSSL, among other software, uses MADV_DONTDUMP (for its secure heap).
It is a good way to prevent sensitive material from being written to disk when a crash produces a core dump.
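As an added, self-contained C example (not code from the original page, nor from OpenBSD, FreeBSD or OpenSSL), here is the allocation pattern the three mechanisms above share: map the secret's buffer, mark it so it is skipped by the core dumper (MAP_CONCEAL on OpenBSD, MAP_NOCORE on FreeBSD, madvise(MADV_DONTDUMP) on Linux), and wipe it before unmapping. It also shows the two checks a practitioner would want on Linux: reading the per-process coredump_filter bitmask and confirming in /proc/self/smaps that the mapping actually carries the "dd" (dontdump) VmFlag. The smaps and coredump_filter helpers are Linux-only and return -1 elsewhere; the key string is a constructed placeholder, and the function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* 1 if this build has some way of keeping the mapping out of core dumps. */
int secret_alloc_can_conceal(void)
{
#if defined(MAP_CONCEAL) || defined(MAP_NOCORE) || defined(MADV_DONTDUMP)
    return 1;
#else
    return 0;
#endif
}

/* Map an anonymous buffer for key material that must not reach a core dump.
 * OpenBSD: MAP_CONCEAL at mmap time. FreeBSD: MAP_NOCORE at mmap time.
 * Linux: madvise(MADV_DONTDUMP) on the range after mapping it; if that fails
 * (kernel older than 3.4) we fail closed rather than hand out a dumpable buffer.
 * mlock() is best effort: it keeps the pages out of swap, but RLIMIT_MEMLOCK may
 * refuse it, and that does not affect the core-dump property. */
void *secret_alloc(size_t len)
{
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
#ifdef MAP_CONCEAL
    flags |= MAP_CONCEAL;
#endif
#ifdef MAP_NOCORE
    flags |= MAP_NOCORE;
#endif
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
#ifdef MADV_DONTDUMP
    if (madvise(p, len, MADV_DONTDUMP) != 0) {
        munmap(p, len);
        return NULL;
    }
#endif
    (void)mlock(p, len);
    return p;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *p, size_t len)
{
    volatile unsigned char *v = p;
    while (len--)
        *v++ = 0;
}

/* Wipe, unlock and unmap; returns 0 on success like munmap(2). */
int secret_free(void *p, size_t len)
{
    if (p == NULL)
        return -1;
    wipe(p, len);
    (void)munlock(p, len);
    return munmap(p, len);
}

/* Linux only: the per-process mapping-type bitmask (default 0x33). -1 if absent. */
long read_coredump_filter(void)
{
    FILE *f = fopen("/proc/self/coredump_filter", "r");
    if (f == NULL)
        return -1;
    unsigned long v = 0;
    int n = fscanf(f, "%lx", &v);
    fclose(f);
    return n == 1 ? (long)v : -1;
}

/* Linux only: 1 if the mapping holding addr shows the "dd" flag in
 * /proc/self/smaps, 0 if it does not, -1 if that cannot be determined. */
int mapping_is_dontdump(const void *addr)
{
    FILE *f = fopen("/proc/self/smaps", "r");
    if (f == NULL)
        return -1;
    char line[512];
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    int inside = 0, result = -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx", &lo, &hi) == 2) {   /* mapping header */
            inside = (a >= lo && a < hi);
            continue;
        }
        if (inside && strncmp(line, "VmFlags:", 8) == 0) {
            result = 0;
            for (char *tok = strtok(line + 8, " \n"); tok; tok = strtok(NULL, " \n"))
                if (strcmp(tok, "dd") == 0) { result = 1; break; }
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    const char key[] = "constructed-placeholder-key";   /* not a real secret */
    size_t len = 4096;
    unsigned char *buf = secret_alloc(len);
    if (buf == NULL) { perror("secret_alloc"); return 1; }
    memcpy(buf, key, sizeof key);
    printf("coredump_filter = %ld, mapping dontdump = %d\n",
           read_coredump_filter(), mapping_is_dontdump(buf));
    return secret_free(buf, len) == 0 ? 0 : 1;
}
```

Note that the range check is the one that matters: coredump_filter tells you which classes of mappings the kernel will dump for the whole process, while the smaps "dd" flag confirms that this particular buffer was excluded, whatever the process-wide filter says.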
But Ted Unangst said on Hacker News in 2019:
So the name conceal was chosen to allow some flexibility, like prohibiting ptrace. The idea is to keep secrets from escaping into other programs. Other programs generally can’t read swap, so that’s not a concern.
Unfortunately, if you have ptrace or an equivalent, you can use it to rewrite code, or mount data-only attacks fairly trivially, and have the traced process exfiltrate the concealed data itself: there seems to be a threat-model issue here.