How to disable virtual memory / swap files

Aug 12, '04 09:30:00AM

Contributed by: hard-mac

Mac OS X versions 10.x through 10.3.x all write plain text data to virtual memory swap files stored at /private/var/vm/, named swapfile0, swapfile1, etc. Research has shown that swap files can contain passwords from FileVault, login and Keychain, nullifying the protection they provide. Swap files can be accessed with admin access, or by starting up from an external drive, another partition, or an OS X or other startup CD. Full Open Firmware protection will not protect your computer from this: if the attacker has physical access to the computer, it can be quickly bypassed. Swap files are erased insecurely at startup, and will leave traces of data over the entire startup disk/partition.

The Solution: For those of you that are paranoid or require a more secure system environment, the solution is to turn swap off entirely. This will slow down your machine when doing processor-intensive tasks, but otherwise should be fine.

[robg adds: I haven't tested this one, and I think it may have an impact during memory-intensive tasks, not necessarily processor-intensive tasks as written above. Swap is an integral part of OS X, and I do not recommend disabling it. For instance, if you use up all available physical RAM, what happens when there's no swap available? Perhaps someone can chime in in the comments, but I believe your machine could lock up. Once again, I don't recommend doing this, but if you'd like to know how, read the rest of the hint.]

How To:

  1. Open Terminal in the Applications -> Utilities folder. Type the following, hitting Return after each command.

    cd /etc -- this brings you to the directory containing the file you want to work with
    sudo cp /etc/rc /etc/rc.orig -- this makes a copy of the file /etc/rc called /etc/rc.orig; enter administrative password when asked.
    sudo pico /etc/rc -- this brings you into a text editing program to edit the file; enter administrative password when asked.

  2. Use the arrow keys to go down until you see one of these lines:

  3. Type # at the beginning of the dynamic pager line. Hit Control-X to save the file, then answer Y and hit Return.

  4. Type exit -- this logs you out of the Terminal session.

  5. Now delete the old swap files securely. In OS X 10.3.x, type sudo srm /private/var/vm/swapfile*. In OS X 10.2.x, you should use a security application such as PGP to securely delete any remaining swap files located in /private/var/vm/. The swap files are named: swapfile*

  6. Restart your computer and check to make sure swap is off. Start Terminal and type ls -al /private/var/vm/ -- this lists the contents of /private/var/vm/. You should see no files named: swapfile*

  7. Wipe free space on your startup disk or partition, as swap files will leak information to all areas of free space. iWipe is a shareware application that will wipe free space, and it will do so even in demo mode. bcwipe (download and compile from source, or install via Fink) can also be used to wipe free space on any disk or partition. Open Terminal and type bcwipe -F /volumes/YOUR_VOLUME/.
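
The check in step 6 can be scripted so that it also confirms the edit from step 3 is still in place. This is an added example, not part of the original hint. It assumes the "dynamic pager line" invokes a program named dynamic_pager (the hint does not show the line itself), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the result of the hint's procedure.
# Assumption: the "dynamic pager line" in the rc file invokes a program
# named dynamic_pager; the hint itself does not show that line.

# rc_pager_active RC_FILE
# Succeeds (exit 0) if any non-comment line still mentions dynamic_pager.
rc_pager_active() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'dynamic_pager'
}

# swapfiles_present VM_DIR
# Succeeds if at least one swapfile* entry exists in VM_DIR.
swapfiles_present() {
    for f in "$1"/swapfile*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# swap_audit RC_FILE VM_DIR
# Prints one finding per line; returns 0 only if swap looks disabled.
swap_audit() {
    rc=$1 vm=$2 status=0
    if [ ! -r "$rc" ]; then
        echo "UNKNOWN: cannot read $rc"; status=2
    elif rc_pager_active "$rc"; then
        echo "FAIL: dynamic_pager line is not commented out in $rc"; status=1
    else
        echo "OK: no active dynamic_pager line in $rc"
    fi
    if swapfiles_present "$vm"; then
        echo "FAIL: swap files remain in $vm"; status=1
    else
        echo "OK: no swapfile* in $vm"
    fi
    return $status
}

# Run against the paths from the hint when invoked as: sh script.sh audit
if [ "${1:-}" = "audit" ]; then
    swap_audit /etc/rc /private/var/vm
fi
```

Re-running the audit after a system update shows whether /etc/rc was replaced and swap silently re-enabled.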

Original BugTraq posts (1, 2) describing the security problems and how to exploit them.
Info on moving swap and how swap works

Disclaimer: I have no connections to Apple, Jetico or Freshly Squeezed Software. Turning your swap off may cause problems when trying to do functions that require large amounts of memory, resulting in your system freezing.

Mac OS X Hints