Boost :

From: Ruben Perez (rubenperez038_at_[hidden])
Date: 2024-07-09 12:28:00

• Next message: Artyom Beilis: "Re: A secure string library?"
• Previous message: Dennis Luehring: "Re: Boost 1.85, Windows, VS2022 17.10.3, build does not create any libs on building boost"
• Next in thread: Artyom Beilis: "Re: A secure string library?"
• Reply: Artyom Beilis: "Re: A secure string library?"
• Reply: Vinnie Falco: "Re: A secure string library?"
• Reply: Andrey Semashev: "Re: A secure string library?"
• Reply: Rainer Deyke: "Re: A secure string library?"

Hi all,

Boost.MySQL and Boost.Redis need to hold sensitive information, like
passwords, to work. Using std::string may be sufficient for many use
cases, but it's not the best security practice. std::string doesn't
wipe its memory on cleanup, resulting in the password remaining in
memory for an indeterminate amount of time.

Other languages like C# implement a SecureString class that wipes
memory on destruction. Crypto++ implements a similar concept, but it's
a big dependency I'm not willing to take.

I'd like to know whether everyone else's opinion on this:

* Have you faced this issue before?
* Do you think this is something we (as Boost authors) should care
about, or am I thinking too much?
* Do you think a library implementing secure string/array/buffer
classes would be a valuable addition to Boost?

Thanks,
Ruben.

• Next message: Artyom Beilis: "Re: A secure string library?"
• Previous message: Dennis Luehring: "Re: Boost 1.85, Windows, VS2022 17.10.3, build does not create any libs on building boost"
• Next in thread: Artyom Beilis: "Re: A secure string library?"
• Reply: Artyom Beilis: "Re: A secure string library?"
• Reply: Vinnie Falco: "Re: A secure string library?"
• Reply: Andrey Semashev: "Re: A secure string library?"
• Reply: Rainer Deyke: "Re: A secure string library?"

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk