At 10:09 AM 4/10/2014, Scott G. Kelly wrote: >Does heartbleed allow one to read (discarded, freed) physical memory >containing data from the OS and/or other processes in linux? > >A friend and I were discussing this. If the memory management is "lazy" >(doesn't clear on page allocation/free), and if processes don't clear their >own memory, I wondered if heartbleed would expose anything. My friend thinks >"modern" operating systems clear memory to prevent inter-process data leakage. >Of course, I agree that this is security goodness, but I wonder if, in the >name of performance, this is "optional". > >I'm poking around in linux memory management code in between other tasks, but >I'll bet somebody here knows the answer. Anyone?
Well, the operating system clears memory when it is allocated to a new process, but that doesn't matter. The residue containing memory sits around until it's needed. And quite possibly during that time before it is re-allocated it is subject to disclosure via heartbleed. Ron _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
