On Sun, Mar 15, 2009 at 07:29:16PM -0400, Geoffrey Irving wrote:
> On Sun, Mar 15, 2009 at 7:22 PM, Philipp Klaus Krause <[email protected]> wrote:
> > Since you want the zeroing done for security reasons: Wouldn't it make
> > much more sense to zero upon deallocation?
>
> That isn't feasible in a garbage collected language with no
> finalizers. Memory in a fully garbage collected language isn't so
> much deallocated as forgotten: once all pointers to a block disappear
> it's impossible to know where the memory is in order to zero it.
The point here would be that you do keep a pointer to the data, until you zero it explicitly. If you know that you zero the area *after* it has been filled with sensitive data, the only danger is to zero it too soon (while there are still references to that area held elsewhere), but that's not a security problem. In any case, you will zero it before the GC reclaims it, taking care of that particular security risk.

If you try to do the above but fail, that's a programming error, one of the many that risk sharing data with the wrong part of the application. Without some kind of more comprehensive capability framework, a GC zeroing reclaimed data is not that useful, IMHO. There are just too many ways to expose sensitive data to the "wrong" function through a mundane programming error.
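An added illustration of the explicit-wipe approach argued for in the reply above (example code, not from the thread or from BitC; the Secret type and its methods are hypothetical, and Go stands in as a garbage-collected language where the program, not the collector, decides when to zero). It also shows the "mundane programming error" the reply mentions: a copy made before the wipe is out of reach.

```go
package main

import "fmt"

// Secret holds sensitive bytes that the owner wipes explicitly while it
// still holds a reference to them, before the GC ever sees the block as
// garbage. (Hypothetical type for this example.)
type Secret struct {
	buf []byte
}

// NewSecret copies the input so the caller's slice is not aliased.
func NewSecret(b []byte) *Secret {
	s := &Secret{buf: make([]byte, len(b))}
	copy(s.buf, b)
	return s
}

// Wipe overwrites the buffer in place. Every slice that still aliases
// s.buf observes the zeros, so wiping "too early" breaks functionality
// but does not leak anything, which is the reply's point.
func (s *Secret) Wipe() {
	for i := range s.buf {
		s.buf[i] = 0
	}
}

// IsWiped reports whether the buffer holds only zeros.
func (s *Secret) IsWiped() bool {
	for _, b := range s.buf {
		if b != 0 {
			return false
		}
	}
	return true
}

// LeakAsString is the kind of ordinary mistake the reply warns about:
// converting to a string makes an immutable copy that no later Wipe
// can reach, so the plaintext outlives the owner's wipe.
func (s *Secret) LeakAsString() string {
	return string(s.buf)
}

func main() {
	s := NewSecret([]byte("hunter2")) // constructed sample secret
	alias := s.buf[:3]                // a second reference, as the reply describes
	leaked := s.LeakAsString()        // the copy that escapes the wipe
	s.Wipe()
	fmt.Println(s.IsWiped(), alias, leaked)
}
```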
