#11 Add information about removing sensitive information from memory
Merged 4 years ago by huzaifas. Opened 4 years ago by huzaifas.
huzaifas/defensive-coding-guide scrub-sensitive-info  into  master

@@ -130,3 +130,36 @@ 

  Generating randomness for cryptographic keys in long-term use

  may need different steps and is best left to cryptographic

  libraries.

+ 

+ == Removing Sensitive information from memory

+ 

+ Sensitive data such as password, cryptographic keys etc, should be removed 

+ from memory as soon as possible, once this information is no longer required.

+ 

+ However compiler optimizations make this erasure operation difficult, since the

+ compiler deems this code as unnecessary and often removes it from the compiled

+ binary. For example a call to memset or a loop which zero's out each byte of 

+ an array may be optimized out during compilation.

+ 

+ This problem can be addressed by using `explicit_bzero()`. Calls to this

+ function are never optimized by the compiler.

+ 

+ However, as per the `explicit_bzero()` documentation there are some

+ things to consider:

+ 

+ * The `explicit_bzero()` function does not guarantee that sensitive data is

+ completely erased from memory. For example, there may be copies of the

+ sensitive data in a register and  in  "scratch"  stack  areas. The

+ `explicit_bzero()` function is not aware of these copies, and can't erase them.

+ 

+ * In some circumstances, `explicit_bzero()` can decrease security. If the

+ compiler determined that the variable containing the sensitive data could

+ be optimized to be stored in a register (because it is small enough to fit

+ in a register, and  no operation  other than the `explicit_bzero()` call

+ would need to take the address of the variable), then the `explicit_bzero()`

+ call will force the data to be copied from the register to a location in

+ RAM that is then immediately  erased (while the copy in the register remains

+ unaffected).  The problem here is that data in RAM is more likely to be

+ exposed by a bug than data in a register, and thus the `explicit_bzero()`

+ call creates a brief time window where the sensitive data is  more vulnerable

+ than it would otherwise have been if no attempt had been made to erase the data.
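Review bot: "Calls to this function are never optimized by the compiler" (the paragraph introducing `explicit_bzero()`) overstates the guarantee and contradicts the two caveats that follow it. What the function guarantees is only that the write itself is not elided as a dead store; the register and scratch-stack copies the next bullets describe are exactly the optimizations it does not prevent. Suggest rewording to something like "The compiler will not remove the call to `explicit_bzero()` as a dead store, even though the buffer is never read again." Two related gaps in the same paragraphs: the text should say where the function is available, since it is not part of ISO C (glibc has it from version 2.25; it originated in OpenBSD), and since this is a coding guide, a short before/after snippet showing the `memset()` that gets dropped next to its `explicit_bzero()` replacement would make the point concrete. Minor wording: "zero's out" should be "zeros out", "password, cryptographic keys etc," reads better as "passwords and cryptographic keys", and the heading "Removing Sensitive information from memory" should use consistent capitalisation with the rest of the document.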

Signed-off-by: Huzaifa Sidhpurwala huzaifas@redhat.com

Pull-Request has been merged by huzaifas

4 years ago