On Sun, 20 Nov 2022, Howard Chu via curl-library wrote:
> Here are some possible mitigations we could implement in curl:
> Store sensitive keys in a dedicated mmap'd region, mprotect the region to remove
> read access whenever the key isn't actively being used.
As we want to support lots of systems without mmap, that would just be one
solution to how to protect credentials. I think that's the smaller problem.
The bigger work I think is to make sure that we properly limit the
scope/lifetimes so that we can encrypt/protect/clear credentials immediately
after use and only have them readable in memory as short a moment in time as
possible.
But: I don't see anyone stepping up to the challenge of actually making this
happen so this is all hypothetical for now.
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
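As an added illustration of the two ideas in this thread (a dedicated mmap'd region that is PROT_NONE except while the key is in use, plus wiping the key the moment it is no longer needed), here is a small POSIX C sketch. It is example code written for this note, not curl code and not from either message above; the struct, function names and the sample key are all constructed for the demo, and the mlock/madvise calls are best-effort extras that the thread does not mention.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* A secret kept in its own mmap'd pages. Outside guarded_secret_use() the
 * pages are PROT_NONE, so any read, including an out-of-bounds read from
 * unrelated code, faults instead of leaking the key. */
struct guarded_secret {
    unsigned char *region;   /* page-aligned anonymous mapping */
    size_t region_len;       /* mapping size, a whole number of pages */
    size_t secret_len;       /* bytes of secret stored at region[0..] */
};

/* Overwrite memory through a volatile pointer so the compiler cannot drop it. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Copy 'secret' into a fresh mapping and immediately lock it down. */
int guarded_secret_init(struct guarded_secret *gs, const void *secret, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t region_len = ((len ? len : 1) + page - 1) / page * page;
    void *p = mmap(NULL, region_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    /* Best effort: keep the pages out of swap and out of core dumps.
     * Neither is required for correctness, so failures are ignored. */
    (void)mlock(p, region_len);
#ifdef MADV_DONTDUMP
    (void)madvise(p, region_len, MADV_DONTDUMP);
#endif
    memcpy(p, secret, len);
    if (mprotect(p, region_len, PROT_NONE) != 0) {
        secure_wipe(p, region_len);
        munmap(p, region_len);
        return -1;
    }
    gs->region = p;
    gs->region_len = region_len;
    gs->secret_len = len;
    return 0;
}

/* The key is readable only for the duration of fn(); that callback is the
 * single place it is in the clear, which is what bounds its lifetime. */
int guarded_secret_use(struct guarded_secret *gs,
                       int (*fn)(const unsigned char *key, size_t len, void *ctx),
                       void *ctx)
{
    int rc;
    if (mprotect(gs->region, gs->region_len, PROT_READ) != 0)
        return -1;
    rc = fn(gs->region, gs->secret_len, ctx);
    if (mprotect(gs->region, gs->region_len, PROT_NONE) != 0)
        return -1;
    return rc;
}

/* Wipe the pages before handing them back to the OS. */
void guarded_secret_destroy(struct guarded_secret *gs)
{
    if (!gs->region)
        return;
    if (mprotect(gs->region, gs->region_len, PROT_READ | PROT_WRITE) == 0)
        secure_wipe(gs->region, gs->region_len);
    munlock(gs->region, gs->region_len);
    munmap(gs->region, gs->region_len);
    gs->region = NULL;
    gs->region_len = gs->secret_len = 0;
}

/* Constructed sample key for the demo; not a real credential. */
static const unsigned char SAMPLE_KEY[] = "constructed-example-key-not-real";
#define SAMPLE_KEY_LEN (sizeof(SAMPLE_KEY) - 1)

/* Stand-in for whatever actually needs the key: here it just sums the bytes. */
static int sum_bytes(const unsigned char *key, size_t len, void *ctx)
{
    unsigned long *acc = ctx;
    for (size_t i = 0; i < len; i++)
        *acc += key[i];
    return 0;
}

/* Round trip: store, use once inside a read window, destroy. Returns 0 when
 * the value computed in the window matches one computed from the plain copy. */
int demo_guarded_secret(void)
{
    struct guarded_secret gs;
    unsigned long inside = 0, outside = 0;
    if (guarded_secret_init(&gs, SAMPLE_KEY, SAMPLE_KEY_LEN) != 0)
        return -1;
    if (guarded_secret_use(&gs, sum_bytes, &inside) != 0) {
        guarded_secret_destroy(&gs);
        return -1;
    }
    guarded_secret_destroy(&gs);
    for (size_t i = 0; i < SAMPLE_KEY_LEN; i++)
        outside += SAMPLE_KEY[i];
    return inside == outside ? 0 : -1;
}

int main(void)
{
    printf("guarded secret round trip: %s\n",
           demo_guarded_secret() == 0 ? "ok" : "failed");
    return 0;
}
```

The callback shape is the point as much as the mprotect calls: it forces every consumer of the key through one narrow window, which is the scope/lifetime discipline Daniel describes, and it is the part that would be needed on platforms without mmap as well (there the page protection simply drops out and the wipe-after-use remains).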