It sounds like you've got a way forward on leaks via the malloc() system within 
the process space.

Be aware that depending on your system (and the attackers' capabilities), you 
might have to worry about other leaks. For instance, if I did a query that 
involved a FLOAT index, and then closed the sqlite session and cleared the 
zero-malloc block, it wouldn't be at all surprising if some float values 
related to database contents, or to my query, were still in:

1) The region of the C process stack that was reached by some deep call stack.
2) Processor registers.
3) Process pages that were copied to disk by the OS (this could be a problem 
even if you otherwise have a good handle on clearing malloc() blocks).

Regards,
Bill

-----Original Message-----
From: Max Vlasov [mailto:max.vla...@gmail.com]
Subject: [sqlite] Best way to wipe out data of a closed database

Hi,

In an application that implements encryption/decryption with VFS, what is the
best way to ensure that the memory of the application doesn't contain decrypted
data after the database is closed, so that no side application could retrieve
sensitive information by reading this process's memory? Not only the base as a
whole but also fragments of database sectors anywhere in the process memory
space.

One possible trick is to add additional zeroing out to the global free
handler, but this can probably introduce performance penalties.

Is there any other way to do this?

Thanks,

Max


_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
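
The "zero on free" idea raised in the thread, as an added example that is not code from either poster or from SQLite: a size-tracking allocator wrapper that wipes each heap block before releasing it, including the old block when a reallocation moves data. All names (`wipe_malloc`, `wipe_free`, `wipe_realloc`, `leftover`, `park`) are hypothetical and the secret string is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size header in front of each block; the union keeps the payload aligned. */
typedef union { size_t size; long double ld; long long ll; void *ptr; } wipe_hdr;
static void (*wipe_release)(void *) = free;    /* swappable so the demo can inspect */
static void *parked;
static void park(void *h) { parked = h; }      /* demo hook: keep block, don't free */

/* Volatile stores: the compiler may not discard them as dead before free(). */
static void wipe_bytes(volatile unsigned char *v, size_t n) { while (n--) *v++ = 0; }

void *wipe_malloc(size_t n) {
    wipe_hdr *h = n > SIZE_MAX - sizeof(wipe_hdr) ? NULL : malloc(sizeof *h + n);
    if (h) h->size = n;
    return h ? h + 1 : NULL;
}
void wipe_free(void *p) {
    if (!p) return;
    wipe_bytes(p, ((wipe_hdr *)p - 1)->size);
    wipe_release((wipe_hdr *)p - 1);
}
/* Not realloc(): it may move the block and leave the old copy un-wiped. */
void *wipe_realloc(void *p, size_t n) {
    size_t old = p ? ((wipe_hdr *)p - 1)->size : 0;
    void *q = wipe_malloc(n);
    if (!q) return NULL;                       /* old block stays valid */
    if (p) memcpy(q, p, old < n ? old : n);
    wipe_free(p);
    return q;
}

/* Demo: non-zero payload bytes left in the old block once it is released. */
size_t leftover(int via_realloc) {
    static const char secret[] = "constructed plaintext page";
    size_t left = 0;
    char *p = wipe_malloc(sizeof secret), *q = NULL;
    if (!p) return SIZE_MAX;
    memcpy(p, secret, sizeof secret);
    parked = NULL;
    wipe_release = park;                       /* park the old block for inspection */
    if (via_realloc) q = wipe_realloc(p, 4096); else wipe_free(p);
    wipe_release = free;
    if (!parked) { wipe_free(p); return SIZE_MAX; }   /* realloc failed */
    for (size_t i = 0; i < sizeof secret; i++)
        left += ((unsigned char *)parked)[sizeof(wipe_hdr) + i] != 0;
    free(parked); wipe_free(q);
    return left;
}
```

This covers heap blocks only; the stack, register and paged-out copies listed in the reply are untouched by it (keeping pages out of swap needs something like `mlock()`). Routing SQLite's own allocations through such routines would go through `sqlite3_config(SQLITE_CONFIG_MALLOC, ...)`, which is not shown here.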
