On 23/08/12 21:12, Tor Lillqvist wrote:
> 1. Don't eradicate the string content,
>
> I vote for this. Overwriting password in memory after use is security
> theater.
Well, it doesn't protect against every threat, but I wouldn't call it mere theater; if you don't overwrite the password it may well happen that that piece of memory is not allocated to something else and is swapped out, and then you have the password on disk. (Yes, of course I'm running encrypted swap, but please think of mere office users.)

Viega & Messier's "Secure Programming Cookbook for C and C++" devotes section "13.2 Erasing Data from Memory Securely" (3 pages) to the topic, warning readers that relying on the standard memset function is dangerous because optimizing compilers may optimize the calls away if there is no subsequent use, and recommends a hand-written memset with a "volatile char *" parameter instead.

I don't think storing passwords in OUStrings is a good idea to begin with; something with a special-purpose interface for that which does the right thing by default would be better; ideally the buffer used would be locked into memory to prevent it being swapped to disk (is it possible to do that as a non-root process?).

Of course I wouldn't be at all surprised if for the existing password-clearing uses there were a bunch of copies of the string made along the way that aren't cleared; that mistake is just too easy to make if you use a generic string type.
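The hand-written volatile memset discussed in the message above, as an added illustration that is not part of the thread or of LibreOffice's code: writing each byte through a `volatile` pointer makes every store an observable side effect, so the optimizer cannot remove the wipe as a dead store the way it may with a plain `memset` whose buffer is never read again. The function names and the sample password are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe n bytes at p. The stores go through a volatile pointer, so the
 * compiler must emit each one even though the buffer is not read later;
 * a plain memset() in the same position may be dropped as a dead store.
 * Illustrative implementation of the approach Viega & Messier describe. */
void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Return 1 if every byte of buf[0..n) is zero, 0 otherwise.
 * Reads through a volatile pointer so the check itself is not folded. */
int all_zero(const void *buf, size_t n)
{
    const volatile unsigned char *vp = (const volatile unsigned char *)buf;
    while (n--) {
        if (*vp++ != 0) {
            return 0;
        }
    }
    return 1;
}

/* Copy a constructed sample password into a stack buffer, "use" it, and
 * wipe the whole buffer before it goes out of scope. Returns 1 on success. */
int wipe_demo(void)
{
    char password[32];
    strcpy(password, "correct horse battery staple"); /* constructed sample */
    size_t len = strlen(password);                    /* stands in for real use */
    secure_memzero(password, sizeof password);        /* wipe the full buffer, not just strlen */
    return all_zero(password, sizeof password) && len == 28;
}

int main(void)
{
    printf("wiped: %d\n", wipe_demo());
    return 0;
}
```

Note that this only clears the one buffer it is handed; any copies made by a generic string type along the way are untouched, which is the point raised in the message.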