On 18.05.2014 19:02, Daniel Stenberg wrote:
> This option only disables the random fill of the free data, it still
> overwrites memory - only with zeros instead. So it doesn't disable
> memory overwrite at all.
You are right; originally the patch included the following hunk:
+#ifdef LIBSSH2_MEMORY_OVERWRITE
+ if (len > 0)
+ _libssh2_wincng_random(buf, len);
+#endif
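Review bot: with LIBSSH2_MEMORY_OVERWRITE undefined this hunk does nothing to the buffer before it is released, so the default build leaves key material behind in freed memory; add an #else branch that at least zero-fills, e.g. `memset(buf, 0, len);`. The return value of `_libssh2_wincng_random` is also discarded here, so an RNG failure leaves the original contents in place with no fallback to zeroing.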
instead of
+#ifdef LIBSSH2_MEMORY_OVERWRITE
+ if (len > 0)
+ _libssh2_wincng_random(buf, len);
+#else
+ if (len > 0)
+ memset(buf, 0, len);
+#endif
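Review bot: the `memset(buf, 0, len)` in the #else branch is a store into memory that is about to be released, which an optimizing compiler may classify as a dead store and remove, so the zero fill the branch is meant to guarantee is not actually guaranteed. Since this is the wincng backend, `SecureZeroMemory(buf, len)` (documented as not optimized away) or a write loop through a volatile pointer would be the safer choice. It would also help to document what LIBSSH2_MEMORY_OVERWRITE now selects, since its only remaining effect is the fill pattern.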
I changed this during the latest rebase to always at least overwrite the
data with zeros.
> A question though: is there really anyone who suggests that it is
> safer to fill the data with random data rather than just zeros? I just
> can't see the point with doing such a slow operation and waste random
> seed on this.
I don't have specific expertise in this area, but I think a reason could
be that a compiler might be tempted to optimize memset(buf, 0, len) out.
Looking at the memory erasure procedure of the Tails operating system
[1], it seems like overwriting with zeros is enough:
> Actual memory erasure process
>
> The software that performs the actual memory erasure is sdmem, which
> is part of the secure-delete package. sdmem is called using the -v
> (verbose mode) option to give feedback to the user, as well as the
> -llf options: memory is only overwritten once with zeros; this is the
> fastest available mode, and is enough to protect against every memory
> forensics attack we know of.
[1] https://tails.boum.org/contribute/design/memory_erasure/
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2014-05-18
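The concern raised in the message above, that a plain memset before free may be dropped by the optimizer, is illustrated here with an added example; this is not code from the libssh2 patch or from the project, and the buffer names, the sample key bytes and the helper names are constructed for the illustration. It shows the naive pattern next to two wipes the compiler must keep (stores through a volatile pointer, and memset reached through a volatile function pointer), plus a check that the wipe actually cleared the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern under discussion: memset, then free. Nothing reads buf
   after the memset, so an optimizer is allowed to treat it as a dead
   store and remove it; the secret may then survive in freed memory. */
static void naive_wipe_and_free(void *buf, size_t len)
{
    if (len > 0)
        memset(buf, 0, len);
    free(buf);
}

/* Wipe that cannot be dropped: every byte is written through a
   volatile-qualified pointer, which the compiler must honour even
   though the buffer is about to be released. */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Alternative: call memset through a volatile function pointer. The
   call target is opaque to the optimizer, so the store is preserved. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_zero_via_memset(void *buf, size_t len)
{
    memset_ptr(buf, 0, len);
}

/* Hardened version of the free path: wipe, then free. */
static void wipe_and_free(void *buf, size_t len)
{
    if (len > 0)
        secure_zero(buf, len);
    free(buf);
}

/* Return 1 if every byte of buf is zero, 0 otherwise (constant-time OR). */
static int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Copy constructed sample key material to the heap, wipe it with one of
   the two guaranteed methods, and report whether the wipe cleared it.
   The check runs before free() because reading freed memory is undefined.
   Returns 1 on a clean wipe, 0 if bytes survived, -1 on allocation failure. */
static int demo_wipe(int via_fnptr)
{
    static const unsigned char key[16] = "constructed-key"; /* constructed sample */
    unsigned char *copy = malloc(sizeof key);
    int ok;

    if (!copy)
        return -1;
    memcpy(copy, key, sizeof key);

    if (via_fnptr)
        secure_zero_via_memset(copy, sizeof key);
    else
        secure_zero(copy, sizeof key);

    ok = is_all_zero(copy, sizeof key);
    free(copy);
    return ok;
}

int main(void)
{
    unsigned char *tmp = malloc(32);
    if (tmp) {
        memset(tmp, 0xAA, 32);
        naive_wipe_and_free(tmp, 32);   /* may leave 0xAA behind at -O2 */
    }
    tmp = malloc(32);
    if (tmp) {
        memset(tmp, 0xAA, 32);
        wipe_and_free(tmp, 32);         /* zero fill is kept */
    }
    printf("volatile-pointer wipe clean: %d\n", demo_wipe(0));
    printf("volatile-fnptr wipe clean:   %d\n", demo_wipe(1));
    return 0;
}
```

Whether the naive memset is actually removed depends on compiler, optimization level and what the compiler can see of free(); the point of the two secure_zero variants is that they do not depend on that. On Windows builds SecureZeroMemory offers the same guarantee without hand-written helpers.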