OpenSec Atlas

Name: memguard
Author: awnumar

memguard: An Open Source Library/SDK for Data Security | OpenSec Atlas

Back to Browse

Data Security

Library/SDK

memguard

MemGuard is a Go library that provides a secure software enclave for storing sensitive data in memory, protecting it from exposure and memory-based attacks.

View on GitHub

About This Tool

Software sandbox for storage of sensitive information in memory.

Primary Use Case

MemGuard is designed for developers who need to securely handle sensitive information such as cryptographic keys, passwords, or secrets within their applications. It is particularly useful in scenarios where in-memory data protection against cold-boot attacks, memory dumps, and side-channel attacks is critical. Security-conscious software projects requiring robust secrets management and data encryption in memory will benefit from this tool.

Key Features

Encrypts and authenticates sensitive data in memory using XSalsa20Poly1305
Bypasses language runtime memory allocation using direct system calls to avoid garbage collector interference
Protects plaintext buffers with guard pages and canary values to detect memory overflows
Prevents sensitive data from being swapped to disk by locking memory and handling core dumps
Implements kernel-level immutability to cause access violations on unauthorized modifications
Provides session purging, safe termination, and signal handling to avoid data remnants
Mitigates side-channel attacks by performing constant-time data copying and comparison
Cross-platform support written entirely in Go

Insights & Recommendations

The API is experimental and may undergo unstable changes, so it is recommended to pin versions when using MemGuard. Users should be aware that some features rely on OS-specific kernel protections and direct system calls, which may require appropriate permissions or platform support. Care should be taken to handle signals and session termination properly to avoid leaving sensitive data in memory.

Installation

Run `go get github.com/awnumar/memguard` to install the package
Pin a specific version to avoid unstable API changes as the API is experimental

Usage

go get github.com/awnumar/memguard

Installs the MemGuard package for use in Go projects

Smart Usage Notes

Integrate MemGuard into CI/CD pipelines to enforce secure in-memory secrets handling during development and testing.Use MemGuard to harden custom credential storage in applications, reducing risk from memory scraping and cold-boot attacks.Combine MemGuard with runtime application self-protection (RASP) tools to enhance defense against memory-based exploitation.Leverage MemGuard's constant-time operations to mitigate side-channel attacks in cryptographic implementations.Employ MemGuard in purple team exercises to simulate and defend against memory-based credential theft and evasion techniques.