Maybe a stupid idea: - On boot, the kernel generates a random key, and stores it somewhere in kernel-reserved memory - Kernel space is (obviously) left untouched - The rest of the virtual memory space (both physical and swap) is scrambled with a fast symmetric algorithm like Blowfish or AES, preferably with a block size larger than the page size - When pages are retrieved from memory or swap, they're first decrypted by the kernel - When pages are put back in memory or swap, they are encrypted My thinking on this is that a LOT of exploits rely on the physical layout of stuff in main memory; so transparently encrypting it, with a symmetric key stored somewhere in protected kernel space, would make things very very difficult for an attacker. My questions... 1. Is this even possible? My understanding of CPU and memory architecture may be inadequate here. 2. Would it actually have any significant impact on the efficacy of memory exploits? Which classes of exploits would it help with? I would expect stack smashing to be made difficult for instance, but exploits against e.g. null pointer dereferences to be unaffected. 3. Finally, if yes to both of the above... Is it practical? Even "fast" cyphers like AES can be pretty slow. Am I barking entirely up the wrong tree here?