On 23/08/12 21:12, Tor Lillqvist wrote:
>> 1. Don't eradicate the string content,
>
> I vote for this. Overwriting password in memory after use is security
> theater.

well it doesn't protect against every threat but i wouldn't call it mere
theater; if you don't overwrite the password it may well happen that
that piece of memory is not allocated to something else and swapped out,
and then you have the password on disk. (yes of course i'm running
encrypted swap but please think of mere office users.)

Viega & Messier's "Secure Programming Cookbook for C and C++" devotes
section "13.2 Erasing Data from Memory Securely" (3 pages) to the topic,
warning readers that relying on the standard memset function is dangerous
because optimizing compilers may optimize the calls away if there is no
subsequent use, and recommends a hand-written memset with "volatile char
*" parameter instead.

i don't think storing passwords in OUStrings is a good idea to begin
with; something with a special purpose interface for that which does the
right thing by default would be better; ideally the buffer used would be
locked into memory to prevent it being swapped to disk (is it possible
to do that as a non-root process?).

of course i wouldn't be at all surprised if for the existing
password-clearing uses there were a bunch of copies of the string made
along the way that aren't cleared; that mistake is just too easy to
make if you use a generic string type.
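
An added example, not part of the original message and not LibreOffice code: a fixed-capacity secret buffer in C that wipes through a volatile pointer, as the cited book section recommends, and tries to lock its memory against swapping. The type and function names are hypothetical, and POSIX mlock() is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical names for illustration; not LibreOffice code. */
typedef struct { char *data; size_t cap; int locked; } secret_buf;

/* Stores through a volatile pointer are observable side effects, so the
 * compiler may not drop them as dead writes the way it can with memset(). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Fixed capacity: the buffer is never reallocated, so growing it cannot
 * leave an unwiped copy of the secret behind on the heap. */
int secret_init(secret_buf *s, size_t cap) {
    s->data = calloc(1, cap);
    if (!s->data) return -1;
    s->cap = cap;
    /* Assumption: POSIX mlock(). It can fail (for example when the
     * RLIMIT_MEMLOCK limit is exceeded), so the outcome is recorded. */
    s->locked = (mlock(s->data, cap) == 0);
    return 0;
}

/* Returns -1 instead of growing when the secret does not fit. */
int secret_set(secret_buf *s, const char *src, size_t len) {
    if (len >= s->cap) return -1;
    secure_wipe(s->data, s->cap);
    memcpy(s->data, src, len);
    return 0;
}

void secret_free(secret_buf *s) {
    if (!s->data) return;
    secure_wipe(s->data, s->cap);          /* wipe before unlock and free */
    if (s->locked) munlock(s->data, s->cap);
    free(s->data);
    s->data = NULL; s->cap = 0; s->locked = 0;
}

int main(void) {
    secret_buf pw;
    if (secret_init(&pw, 64) != 0) return 1;
    secret_set(&pw, "constructed-sample", 18);   /* constructed sample value */
    printf("locked in RAM: %s\n", pw.locked ? "yes" : "no");
    secret_free(&pw);
    return 0;
}
```

The buffer only protects the copy it owns; any copy made into a generic string type before or after still has to be avoided or wiped separately.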