On Thu, Apr 10, 2014 at 1:09 PM, Scott G. Kelly <[email protected]> wrote:
> A friend and I were discussing this. If the memory management is "lazy"
> (doesn't clear on page allocation/free), and if processes don't clear their
> own memory, I wondered if heartbleed would expose anything. My friend thinks
> "modern" operating systems clear memory to prevent inter-process data
> leakage. Of course, I agree that this is security goodness, but I wonder if,
> in the name of performance, this is "optional".
>
> I'm poking around in linux memory management code in between other tasks,
> but I'll bet somebody here knows the answer. Anyone?

Last I remembered (and this was a long time ago; 10+ years, so things may have changed), the heap managed by malloc / free generally does not automatically clear the free'd or newly allocated memory using something like memset by default. That is up to the application. Usually that is done by the application calling calloc() rather than malloc() when requesting memory from the heap. There may also be some explicit alternate memory allocation libraries (e.g., libmalloc might have this ability; too lazy to look it up and it's been a LONG time).

Also, the memory allocated on the stack (e.g., local variables and function arguments) is usually not cleared before use, although I suppose there could be some compilers that might / could do that.

When memory is returned to the operating system, things may be different because it could be a different process that grabs that memory segment. So, in most of the cases that I've seen, it is considered good practice for the OS to do that whenever the kernel maps some memory page to user address space. I believe that Linux does this but I've never done kernel programming in Linux, but only on AT&T SVR[2,3,4] UNIX. At the time, it was done in SVR4, but it was inconsistent in that not all of the kernel used the same memory allocation routines. (The kernel itself didn't generally clear memory for its own use as it already had access to all memory address space.)

I'm not sure if that answers your question or not. If not, well, like I said it's been a long time since I've written C/C++ programs and even longer since doing any serious kernel work.

-kevin

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
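
Added example, not part of the original message or thread: a small C experiment on the malloc()/calloc() distinction discussed above, counting how many marker bytes from a freed block show up in the next allocation of the same size. The function names, the 0xA5 marker and the 32-byte skip for allocator bookkeeping are assumptions made for this illustration, and chunk reuse by the next malloc() is typical allocator behaviour, not something the C standard promises.

```c
#include <stdio.h>
#include <stdlib.h>

#define MARK 0xA5  /* constructed stand-in for secret bytes */
#define SKIP 32    /* assumption: allocator may keep free-list links here */

/* Count MARK bytes past SKIP; volatile reads keep the loads from being folded. */
static size_t count_marks(void *buf, size_t n)
{
    volatile unsigned char *p = buf;
    size_t hits = 0;
    for (size_t i = SKIP; i < n; i++)
        hits += (p[i] == MARK);
    return hits;
}

/* Fill, optionally wipe, free, malloc() the same size again, count MARK bytes. */
size_t stale_after_reuse(size_t n, int wipe_before_free)
{
    volatile unsigned char *old = malloc(n);
    if (!old) return 0;
    for (size_t i = 0; i < n; i++) old[i] = MARK;
    if (wipe_before_free)  /* volatile stores cannot be optimized away */
        for (size_t i = 0; i < n; i++) old[i] = 0;
    free((void *)old);
    void *fresh = malloc(n);  /* contents are indeterminate */
    if (!fresh) return 0;
    size_t hits = count_marks(fresh, n);
    free(fresh);
    return hits;
}

/* Same experiment with calloc(), which must return zero-filled memory. */
size_t stale_after_calloc(size_t n)
{
    (void)stale_after_reuse(n, 0);  /* leave a marked chunk on the free list */
    void *z = calloc(1, n);
    if (!z) return 0;
    size_t hits = count_marks(z, n);
    free(z);
    return hits;
}

int main(void)
{
    printf("wiped, then malloc: %zu\n", stale_after_reuse(256, 1));
    printf("calloc:             %zu\n", stale_after_calloc(256));
    printf("plain malloc reuse: %zu (allocator-dependent)\n", stale_after_reuse(256, 0));
}
```

Only the calloc() result is fixed by the C standard; the count for plain malloc() reuse depends on the allocator and build.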
