Subject: Re: [boost] [xint] Boost.XInt formal review
From: Chad Nelson (chad.thecomfychair_at_[hidden])
Date: 2011-03-10 19:24:52
On Thu, 10 Mar 2011 09:15:28 -0800
Scott McMurray <me22.ca+boost_at_[hidden]> wrote:
>>> Just a thought: Maybe the Allocator should handle this, since it's
>>> related to memory management?
>>
>> I've been debating that since I read your message last night, and I
>> don't have an answer. It would make sense, but it would also make it
>> more difficult for someone who just wants to clear the memory when
>> it's released. I can see uses where that would be sufficient.
>
> Can you elaborate on why someone would want to clear the memory, but
> not want to actually be secure?
Airtight security is a hard problem that requires massive amounts of
time and attention to get right, and is best reserved for programs that
absolutely require it.
Barring extremely sensitive information like government-level secrets,
there are generally only two things that a developer needs to worry
about: that sensitive data might be written to disk by the OS, and that
it might be retrieved from memory, either by malware while the machine
is running or by physical means immediately after removing power.
Depending on the OS involved, setting a piece of memory to never be
paged to disk could be easy or impossible. But other than a very small
window of opportunity, clearing memory prevents retrieving data from it
regardless of the means, and makes it much less likely that such data
would get written to disk. If the system has a sufficiently large
amount of memory, the person using it could even disable the swapfile
completely, in which case clearing memory would provide all the
security he's likely to need.
--
Chad Nelson
Oak Circle Software, Inc.
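An added example of the "let the Allocator handle it" option debated above (not XInt's code, nor anything Chad or Scott posted): a C++ allocator that wipes each block before handing it back to the heap, so a big-integer class can store its limbs in an ordinary container and get the clearing for free. The volatile-store loop is assumed as the wiping primitive and all names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <vector>
// Zero a buffer through a volatile pointer so the compiler cannot treat the
// stores as dead and drop them (a plain memset right before free() often is).
inline void secure_zero(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) { *vp++ = 0; }
}

// Hypothetical allocator: std::allocator behaviour plus a wipe of every block
// before it returns to the heap, so the integer class needs no knowledge of it.
template <class T>
struct secure_allocator {
    typedef T value_type;
    secure_allocator() noexcept {}
    template <class U> secure_allocator(const secure_allocator<U>&) noexcept {}
    template <class U> struct rebind { typedef secure_allocator<U> other; };
    T* allocate(std::size_t n) {
        if (n > static_cast<std::size_t>(-1) / sizeof(T)) throw std::bad_alloc();
        return static_cast<T*>(::operator new(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t n) noexcept {
        secure_zero(p, n * sizeof(T));  // wipe while the block is still ours
        ::operator delete(p);
    }
};
template <class T, class U>
bool operator==(const secure_allocator<T>&, const secure_allocator<U>&) noexcept { return true; }
template <class T, class U>
bool operator!=(const secure_allocator<T>&, const secure_allocator<U>&) noexcept { return false; }
// Limb storage as an XInt-like integer might hold it: vector growth and
// destruction both go through deallocate(), so every abandoned block is wiped.
typedef std::vector<std::uint32_t, secure_allocator<std::uint32_t> > secure_limbs;
// Constructed check: fill a buffer with a pattern, wipe it, confirm all zero.
inline bool wipe_leaves_zeros(std::size_t n) {
    std::vector<unsigned char> buf(n, 0xA5);
    secure_zero(buf.data(), buf.size());
    for (std::size_t i = 0; i < buf.size(); ++i) if (buf[i] != 0) return false;
    return true;
}
// Exercise the allocator through the container; the value only shows it works.
inline std::size_t sum_limbs_with_secure_storage() {
    secure_limbs limbs;
    for (std::uint32_t i = 1; i <= 100; ++i) limbs.push_back(i);
    std::size_t total = 0;
    for (std::size_t i = 0; i < limbs.size(); ++i) total += limbs[i];
    return total;  // 5050
}
```

Clearing on release addresses the "retrieved from memory" case Chad describes; keeping the pages out of swap is a separate, platform-specific step the allocator could add where the OS offers it.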
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk