Usage of memset to eradicate string content

Michael Stahl mstahl at redhat.com
Thu Aug 23 12:59:08 PDT 2012


On 23/08/12 21:12, Tor Lillqvist wrote:
>      1. Don't eradicate the string content,
> 
> I vote for this. Overwriting password in memory after use is security
> theater.

well it doesn't protect against every threat but i wouldn't call it mere
theater; if you don't overwrite the password it may well happen that
that piece of memory is not allocated to something else and swapped out,
and then you have the password on disk.  (yes of course i'm running
encrypted swap but please think of mere office users.)

Viega & Messier's "Secure Programming Cookbook for C and C++" devotes
section "13.2 Erasing Data from Memory Securely" (3 pages) to the topic,
warning readers that relying on the standard memset function is dangerous
because optimizing compilers may optimize the calls away if there is no
subsequent use, and recommends a hand-written memset with "volatile char
*" parameter instead.

i don't think storing passwords in OUStrings is a good idea to begin
with; something with a special purpose interface for that which does the
right thing by default would be better; ideally the buffer used would be
locked into memory to prevent it being swapped to disk (is it possible
to do that as a non-root process?).

of course i wouldn't be at all surprised if for the existing
password-clearing uses there were a bunch of copies of the string made
along the way that aren't cleared; that mistake is just too easy to
make if you use a generic string type.
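
Added example, not part of the original message and not LibreOffice code: a minimal C sketch of the two techniques mentioned above, a wipe through a "volatile" pointer and a special-purpose password buffer that tries to lock itself into memory. The names secret_buf, secret_init, secret_destroy, secure_wipe and all_zero are hypothetical, and a POSIX system providing mlock() is assumed.

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>   /* mlock, munlock (POSIX) */

#define SECRET_MAX 128

/* Hypothetical special-purpose holder; not a LibreOffice type. */
typedef struct {
    char   data[SECRET_MAX];
    size_t len;
    int    locked;              /* 1 if mlock() succeeded */
} secret_buf;

/* Store through a volatile pointer: each write is an observable side
   effect, so the compiler may not drop it as a dead store. */
void secure_wipe(void *buf, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (n--) *p++ = 0;
}

/* Copy the password in; returns -1 if it does not fit. */
int secret_init(secret_buf *s, const char *pw)
{
    size_t n = strlen(pw);
    if (n >= SECRET_MAX) return -1;
    /* Lock before the secret lands in the buffer. mlock() can fail
       (for example over the process's locked-memory limit), so the
       result is recorded rather than assumed. */
    s->locked = (mlock(s, sizeof *s) == 0);
    memcpy(s->data, pw, n + 1);
    s->len = n;
    return 0;
}

/* Wipe the whole struct (length included), then release the lock. */
void secret_destroy(secret_buf *s)
{
    int was_locked = s->locked;
    secure_wipe(s, sizeof *s);
    if (was_locked) munlock(s, sizeof *s);
}

/* Returns 1 if every byte of buf is zero; used to check a wipe. */
int all_zero(const void *buf, size_t n)
{
    const unsigned char *p = buf;
    while (n--) if (*p++) return 0;
    return 1;
}
```

This only covers the one buffer it owns; any copy of the password made elsewhere before it reaches secret_init is outside its reach.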



