Hi,

I doubt whether curl should go that way.

I do see a point in explicitly wiping the previous URL or credentials when the next one, or an empty string, is specified. It would reduce, but not eliminate, a potential attack surface. However, a generic wipe of memory is expensive but doesn't solve the potential vulnerability. One can't malloc() all memory and get data from another application on Linux/Windows, as these OSes won't let that happen? One can peek into process memory only when the privileges allow it. Overwriting credentials reduces the window in which this data is visible, but in the end curl needs to have it at least for the duration of the transfer. So the risk is reduced but not eliminated. And even when an application removes credentials from curl, it is likely to have them somewhere else in memory, still in reach of debug tools. Same for data.

I think secure deployment of an application should be arranged by proper isolation at OS level, so others can't peek into it. Smaller systems may have real-time OSes that don't clear memory between processes for performance reasons. I don't think curl should do an expensive wipe by default on such systems.

That said, an explicit wipe of the most sensitive parts, probably controlled by the application through options, would be low-cost, and reduces the chance of exporting them in core dumps, etc.

My 2ct,
Erik

-----Original Message-----
From: curl-library <[email protected]> On Behalf Of Gabriel Zachmann via curl-library
Sent: Friday 19 October 2018 10:56
To: libcurl development <[email protected]>; Daniel Stenberg <[email protected]>
Cc: Gabriel Zachmann <[email protected]>; Hardt, Marcus <[email protected]>
Subject: Re: libcurl leaks information in freed memory

On 19.10.18 08:58, Gabriel Zachmann via curl-library wrote:
> get the length. But yes, if all allocated memory should be freed, we
> have to keep track of the size. A simple way to do so is using a
> custom allocator that allocates more memory than requested and saves the
> size in the memory before the pointer it returns.

I attached some code that should be capable of doing so.

> And measuring if the cleared memory was really cleared is also not that
> trivial.

We can use the following commands to do so:

gcore -o /tmp/xxxx $PID
cat /tmp/xxxx.$PID | strings | grep yyy

and use a characteristic string for yyy, so we can see if that string was really removed from memory. But that would not be a simple unit test.

--
Gabriel
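The size-tracking allocator sketched in the quoted message, written out as an added example. This is not curl's code and not the attachment Gabriel refers to (which is not on this page); the wipe_* names, the 16-byte header and the volatile-memset trick are this example's own choices. The idea is the one described above: over-allocate, stash the requested length in front of the pointer handed out, and on free (or on an explicit clear, for the "replace the credential with an empty string" case Erik discusses) zero exactly that many bytes before giving the block back.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Room reserved in front of every user pointer for the requested length,
   rounded up to 16 bytes so the pointer we hand out stays suitably aligned.
   (Example layout; curl itself does not use this scheme.) */
#define WIPE_HDR_SIZE (((size_t)sizeof(size_t) + 15u) & ~(size_t)15u)

/* Best-effort secure zero. Calling memset through a volatile function
   pointer stops the compiler from dropping a store to memory that is about
   to be freed. explicit_bzero()/memset_s() do the same where available;
   they are not assumed here so the block compiles anywhere. */
static void *(*volatile wipe_memset_fn)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t n)
{
    if (n) wipe_memset_fn(p, 0, n);
}

/* Location of the stored length for a pointer returned by wipe_malloc(). */
static size_t *wipe_hdr(void *user)
{
    return (size_t *)((unsigned char *)user - WIPE_HDR_SIZE);
}

void *wipe_malloc(size_t n)
{
    if (n > SIZE_MAX - WIPE_HDR_SIZE) return NULL;       /* overflow guard */
    unsigned char *raw = malloc(WIPE_HDR_SIZE + n);
    if (!raw) return NULL;
    *(size_t *)raw = n;                                   /* remember the length */
    return raw + WIPE_HDR_SIZE;
}

void *wipe_calloc(size_t nmemb, size_t size)
{
    if (size && nmemb > SIZE_MAX / size) return NULL;    /* nmemb*size overflow */
    void *p = wipe_malloc(nmemb * size);
    if (p) memset(p, 0, nmemb * size);
    return p;
}

/* Length the caller originally asked for; 0 for NULL. */
size_t wipe_size(const void *p)
{
    return p ? *wipe_hdr((void *)p) : 0;
}

/* Zero the user region in place without freeing it (the explicit,
   application-triggered wipe). Returns the number of bytes wiped. */
size_t wipe_clear(void *p)
{
    size_t n = wipe_size(p);
    secure_zero(p, n);
    return n;
}

void wipe_free(void *p)
{
    if (!p) return;
    size_t *hdr = wipe_hdr(p);
    secure_zero(p, *hdr);
    secure_zero(hdr, WIPE_HDR_SIZE);                      /* the length is metadata too */
    free(hdr);
}

void *wipe_realloc(void *p, size_t n)
{
    if (!p) return wipe_malloc(n);
    size_t old = wipe_size(p);
    void *q = wipe_malloc(n);
    if (!q) return NULL;                                  /* old block left intact, like realloc */
    memcpy(q, p, old < n ? old : n);
    wipe_free(p);                                         /* old copy is zeroed before release */
    return q;
}

char *wipe_strdup(const char *s)
{
    size_t len = strlen(s) + 1;
    char *d = wipe_malloc(len);
    if (d) memcpy(d, s, len);
    return d;
}

/* Check helper: 1 if every byte in [p, p+n) is zero. Lets a unit test verify
   a wipe in-process instead of dumping core and grepping it. */
int all_zero(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 0;
    return 1;
}
```

The five functions have the shapes (malloc, free, realloc, strdup, calloc) that libcurl's curl_global_init_mem() accepts, so an application can install such an allocator for everything libcurl frees, without changes to libcurl; it is not claimed here that this is what the attached code did. The caveat from the reply above still applies: this only zeroes heap blocks that pass through wipe_free(), so copies the application keeps elsewhere, stack temporaries and data still in flight are out of its reach.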
