MAP_CONCEAL is a flag that can be passed to mmap, or used via calloc_conceal(3), to prevent memory from being dumped in coredumps.
It was added by Scott Soule Cheloha, in February 2019, in OpenBSD 6.5.
MAP_NOCORE in February
Linux has had a similar feature since 3.4 (released in 2012), via the MADV_DONTDUMP flag, but also via a less fine-grained path-based filter, in /proc/$PID/coredump_filter, since 2.6.23 (released in 2007),
and even OpenSSL,
software, is using it.
It’s a good way to prevent sensitive material from being written to disk when a crash produces a coredump.
But Ted Unangst said on Hacker News in 2019:
So the name conceal was chosen to allow some flexibility, like prohibiting ptrace. The idea is to keep secrets from escaping into other programs. Other programs generally can’t read swap, so that’s not a concern.
Unfortunately, if you have ptrace or an equivalent, you can use it to rewrite some code, or even mount data-only attacks pretty trivially to exfiltrate the data. It seems that there is a threat-model issue here.
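The coredump exclusion described above, wrapped in one allocator that picks MAP_CONCEAL, MAP_NOCORE or MADV_DONTDUMP depending on the platform; this is an added example, not code from the original post or from any of the projects it mentions. `secret_alloc` and `secret_is_excluded` are hypothetical names, and the check assumes a Linux kernel whose `/proc/self/smaps` reports the `dd` VmFlag; it addresses only the coredump case, not the ptrace concern.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical helper: map len bytes kept out of core dumps; NULL on failure. */
void *secret_alloc(size_t len)
{
    int flags = MAP_PRIVATE | MAP_ANON;
#if defined(MAP_CONCEAL)              /* OpenBSD 6.5+ */
    flags |= MAP_CONCEAL;
#elif defined(MAP_NOCORE)             /* FreeBSD */
    flags |= MAP_NOCORE;
#endif
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED) return NULL;
#if !defined(MAP_CONCEAL) && !defined(MAP_NOCORE)
    /* Linux 3.4+: flag is set after mapping; fail closed if the kernel refuses. */
    if (madvise(p, len, MADV_DONTDUMP) != 0) { munmap(p, len); return NULL; }
#endif
    return p;
}

/* Linux check: 1 if the mapping holding p has the "dd" (do not dump) VmFlag,
 * 0 if it lacks it, -1 if /proc/self/smaps cannot tell (other OS, old kernel). */
int secret_is_excluded(const void *p)
{
    char line[512];
    unsigned long start, end, addr = (unsigned long)p;
    int found = 0, result = -1;
    FILE *f = fopen("/proc/self/smaps", "r");
    if (f == NULL) return -1;
    while (result < 0 && fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx", &start, &end) == 2)
            found = (start <= addr && addr < end);   /* mapping header line */
        else if (found && strncmp(line, "VmFlags:", 8) == 0)
            result = strstr(line, " dd") != NULL;
    }
    fclose(f);
    return result;
}

int main(void)
{
    char *key = secret_alloc(4096);
    if (key == NULL) return 1;
    printf("excluded from core dumps: %d\n", secret_is_excluded(key));
    return munmap(key, 4096);
}
```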