On Monday, 6 May 2019 at 17:57:55 UTC, Cym13 wrote:
> So what I'm trying to say is that, given your threat model, it does not seem relevant to protect against memory disclosure specifically: you want to protect against the larger and more common threat of memory corruptions, and that happens to cover your current threat model.
Yes, I agree. So the most important things are to keep boundscheck on, no plaintext passwords on the hard disk, and a restarter process separate from the worker process. And no needless secrets on the server to protect in the first place, of course.
> Unless what you want to protect is very, very sensitive, erasing passwords from memory would most likely be wasted time. But that's something that only you can assess.
I assess that it's an extra that won't hurt if I can easily do it and am in the mood to, but I should not be pushing other work or kicking myself to implement it. Thanks for the analysis.