> -----Original Message----- > From: cryptography [mailto:[email protected]] On Behalf > Of Kevin W. Wall > Sent: Friday, April 11, 2014 00:20 > To: Scott G. Kelly > Cc: Crypto discussion list > Subject: Re: [cryptography] question about heartbleed on Linux > > On Thu, Apr 10, 2014 at 1:09 PM, Scott G. Kelly <[email protected]> > wrote: > > A friend and I were discussing this. If the memory management is "lazy" > > (doesn't clear on page allocation/free), and if processes don't clear > > their own memory, I wondered if heartbleed would expose anything. My > > friend thinks "modern" operating systems clear memory to prevent > > inter-process data leakage. Of course, I agree that this is security > > goodness, but I wonder if, in the name of performance, this is > "optional". > > > > I'm poking around in linux memory management code in between other > > tasks, but I'll bet somebody here knows the answer. Anyone? > > Last I remembered (and this was a long time ago; 10+ years, so things may > have changed), the heap managed by malloc / free generally does not > automatically clear the free'd or new allocated memory using something > like memset by default. That is up to the application.Usually that is done > by the application calling calloc() rather than malloc() when requesting > memory from the heap. There may also be some explicit alternate memory > allocation libraries (e.g., libmalloc might have this abilitiy; too lazy > to look it up and it's be a LONG time). > > Also, the memory allocated on the stack (e.g., local variables and > function arguments) is usually not cleared before use, although I suppose > there could be some compilers that might / could do that.
Note that in the case of Heartbleed, zeroing the memory on deallocation would not have prevented information leakage. The memory following the read buffer is not necessarily unallocated. It will likely be in use by other sessions or parts of the process. As a matter of fact, OpenSSL clobbers memory that was used to hold sensitive information by means of the OPENSSL_cleanse() function before deallocation. The fact that it was possible to exfiltrate keys through Heartbleed thus shows that zeroing by the heap manager would not have made much of a difference. --Felix _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
