[PATCH] Erase memory before freeing.

Ben Kibbey bjk at luxsci.net
Wed Aug 3 00:25:04 CEST 2016


On Tue, Aug 02, 2016 at 12:07:45PM +0200, Werner Koch wrote:
> Hi Ben,
> 
> Please describe your threat model or use case for this change.
> 
> Note that in Libgcrypt we put extensive work into wiping only memory
> with sensitive information.  We also make sure to wipe the lowest number
> of bytes possible so as to avoid cache pollution.

I was thinking about import/export of secret keys. But now that you
mention it, replacing the assuan memory hooks is overkill. The wiping of
memory is already done for the stack buffers in the callbacks. It is
done for every call to the callback without parsing anything so that may
be expensive, I don't know. Yet there is no telling what could be lying
around after the final call.

-- 
Ben Kibbey
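The two points raised in the exchange above, wiping before freeing and wiping only the bytes that actually held secret material, are illustrated below with an added example written for this page. It is not Libgcrypt, libassuan or GnuPG code; `secure_wipe`, `struct secret_buf` and `consume_chunk` are hypothetical names chosen for the illustration, and the 32-byte "key" is constructed sample data. The wipe goes through a `volatile` pointer so the compiler cannot drop the stores as dead (a plain `memset()` immediately before `free()` is routinely eliminated), and the buffer tracks a `used` count so the wipe touches only the prefix that was written, not the whole allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not project code. Byte-wise clear through a volatile
 * pointer: stores through a volatile lvalue may not be elided, so this
 * survives dead-store elimination where memset()-then-free() does not. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Hypothetical heap buffer that remembers how many bytes were filled with
 * secret material, so only that prefix needs wiping before release. */
struct secret_buf {
    unsigned char *data;
    size_t cap;
    size_t used;
};

struct secret_buf *secret_buf_new(size_t cap)
{
    struct secret_buf *b = malloc(sizeof *b);
    if (!b)
        return NULL;
    b->data = calloc(cap, 1);
    if (!b->data) {
        free(b);
        return NULL;
    }
    b->cap = cap;
    b->used = 0;
    return b;
}

/* Append secret bytes; returns 0 on success, -1 if they would not fit. */
int secret_buf_append(struct secret_buf *b, const void *src, size_t n)
{
    if (n > b->cap - b->used)
        return -1;
    memcpy(b->data + b->used, src, n);
    b->used += n;
    return 0;
}

/* Wipe only the bytes that held secrets, then the header, then free. */
void secret_buf_free(struct secret_buf *b)
{
    if (!b)
        return;
    secure_wipe(b->data, b->used);
    free(b->data);
    secure_wipe(b, sizeof *b);
    free(b);
}

/* Returns 1 if every byte in [p, p+n) is zero, else 0. */
int is_zeroed(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Callback-style consumer modelled on the stack-buffer pattern discussed
 * in the message: copy a chunk into a fixed stack buffer, process it, and
 * wipe only the bytes that were touched before returning. Returns the
 * number of bytes handled (at most sizeof tmp). */
size_t consume_chunk(const unsigned char *chunk, size_t len)
{
    unsigned char tmp[64];
    if (len > sizeof tmp)
        len = sizeof tmp;
    memcpy(tmp, chunk, len);
    /* ... real processing of tmp would happen here ... */
    secure_wipe(tmp, len);
    return len;
}

/* Demonstration: 32 constructed secret bytes in a 4096-byte buffer, with
 * the unused tail filled with 0xAA sentinels. Wipes only the used prefix
 * and returns 1 if that prefix is zero and the sentinels are untouched. */
int demo_minimal_wipe(void)
{
    unsigned char key[32];               /* constructed sample secret */
    for (int i = 0; i < 32; i++)
        key[i] = (unsigned char)(0x10 + i);

    struct secret_buf *b = secret_buf_new(4096);
    if (!b)
        return 0;
    if (secret_buf_append(b, key, sizeof key) != 0) {
        secret_buf_free(b);
        return 0;
    }
    memset(b->data + b->used, 0xAA, b->cap - b->used);

    secure_wipe(b->data, b->used);       /* 32 bytes, not 4096 */
    int ok = is_zeroed(b->data, b->used);
    for (size_t i = b->used; i < b->cap; i++)
        if (b->data[i] != 0xAA)
            ok = 0;

    secret_buf_free(b);
    secure_wipe(key, sizeof key);        /* stack copy goes too */
    return ok;
}

int main(void)
{
    printf("minimal wipe %s\n", demo_minimal_wipe() ? "ok" : "FAILED");
    return 0;
}
```

Where the platform offers one, a dedicated primitive is preferable to the volatile loop: `explicit_bzero()` on glibc 2.25+ and the BSDs, or C11 Annex K `memset_s()` where available. Either way the structure is the same: know how many bytes are secret, clear exactly those, and do it before the memory is handed back.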
