By: Doug S (foo.delete@this.bar.bar), October 4, 2021 1:20 pm
Room: Moderated Discussions
Andrey (andrey.semashev.delete@this.gmail.com) on October 4, 2021 12:14 pm wrote:
> I'm not a security expert, but I think security critical software has to launder sensitive data before freeing
> the memory (to the memory allocator or system). This makes sense because in general you don't know whether
> the freed memory (e.g. via free()) will be reallocated by a subsequent allocation or dumped in a core dump
> or swap. Given this, there is no security reason to zero pages upon reclaiming by the kernel, other than
> when the process is forcefully terminated by a signal. There's also a lot less sensitive data than non-sensitive,
> so zeroing pages unconditionally would mean unnecessary overhead for everyone.
>
> Note I'm not talking about allocating pages to a process. Here, zeroing needs
> to happen, preferably lazily, to ensure no data is leaked between processes.
If it is well written you would expect that, but you can't assume it will all be well written. There are also some things that "shouldn't" be sensitive but turn out to be or have been used for an unintended purpose. There are also some cases where doing this isn't possible - for example the file cache could contain sensitive information and the application can't zero that itself.
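An added example, not part of this thread, of the "launder sensitive data before freeing" practice discussed above, in C. A plain memset() right before free() is commonly dropped by the compiler as a dead store, so the wipe below goes through volatile stores; the helper names (secure_wipe, secure_free, demo_wipe_before_free) and the sample secret are constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Wipe through a volatile pointer so the stores cannot be elided as dead.
   On platforms that provide them, explicit_bzero() (glibc/BSD) or
   memset_s() (C11 Annex K) serve the same purpose. Hypothetical helper. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Wipe, then release: whatever the allocator or a core dump sees afterwards
   is zeros, not the secret. Hypothetical helper. */
static void secure_free(void *p, size_t n) {
    if (p == NULL) return;
    secure_wipe(p, n);
    free(p);
}

/* Returns 1 if every byte in [p, p + n) is zero, else 0. */
static int is_all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Copies a constructed sample secret into heap memory, uses it, wipes it,
   and checks the buffer is clean before handing it back to the allocator.
   Returns 1 if the wipe left no secret bytes behind, 0 otherwise. */
static int demo_wipe_before_free(void) {
    static const char secret[] = "constructed-sample-key-0123"; /* not a real key */
    size_t n = sizeof secret;
    unsigned char *buf = malloc(n);
    if (buf == NULL) return 0;
    memcpy(buf, secret, n);
    /* ... the secret would be used here (e.g. handed to a crypto API) ... */
    secure_wipe(buf, n);
    int clean = is_all_zero(buf, n);
    free(buf);                /* already wiped; secure_free() would do both */
    return clean;
}

int main(void) {
    unsigned char stack_secret[16];
    memset(stack_secret, 0xAB, sizeof stack_secret);
    secure_free(NULL, 0);     /* NULL is tolerated, like free(NULL) */
    secure_wipe(stack_secret, sizeof stack_secret);
    return demo_wipe_before_free() && is_all_zero(stack_secret, 16) ? 0 : 1;
}
```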