Philipp Klaus Krause <p...@spth.de> wrote:

> OpenBSD has the explicit_bzero function to reliably (i.e. even if not
> observable in the C abstract machine) overwrite memory with zeroes.
> 
> WG14 is currently considering adding similar functionality to C2X.

Then perhaps in the interests of the public they should use the same
name, but I suspect they won't.

> Considered options include:
> 
> * A function like explicit_bzero or memset_explicit, that overwrites the
> memory with a known value.

We have never needed any value other than zero.

> * A function like memclear, that overwrites the memory in an
> implementation-defined manner, possibly using random data.

This option is pretty laughable, because the compiler has no way to
collect random data.  There is nothing portable the compiler can call
to get the random data.  I've personally worked on making this possible
for more than a decade, and it is still not all there.

> Is there a rationale why OpenBSD went with their explicit_bzero design?
> Were alternatives considered and rejected?

Our rationale was coping with the C committees changing C into an unsafe
language.  They decided to completely ignore risk factors associated
with the memory state, in particular the exploitation of left-overs.  In
their high chairs, they decided concrete is strong enough and bridges
don't need rebar.  We built a function that cannot be skipped, and we
chose a name for it.  The two ideas you listed are overbuilt and silly.
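The "function that cannot be skipped" point above, as an added example that is not from this thread nor OpenBSD's own implementation: an explicit_bzero-style wipe (assumed names secure_zero, all_zero, wipe_demo) that calls memset through a volatile function pointer and adds a GCC/Clang memory barrier, so the optimizer cannot treat the clear as a dead store.

```c
#include <stddef.h>
#include <string.h>

/* explicit_bzero-style wipe (names assumed, not OpenBSD's implementation).
 * A plain memset() on a buffer that is never read again is a dead store
 * and an optimizer may delete it. Two tricks keep this one alive:
 *  1. memset is called through a volatile function pointer, so the compiler
 *     cannot prove which function runs and cannot reason the call away;
 *  2. an empty asm with a "memory" clobber tells GCC/Clang the buffer may be
 *     observed after the call. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Check helper: returns 1 when every byte in buf[0..n) is zero. */
int all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Demo: fill a stack buffer with a constructed "key", wipe it before it
 * leaves scope, and report whether the wipe left only zeroes behind. */
int wipe_demo(void)
{
    unsigned char key[32];
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (unsigned char)(i * 37 + 11);   /* constructed sample secret */
    int had_secret = !all_zero(key, sizeof key);
    secure_zero(key, sizeof key);
    return had_secret && all_zero(key, sizeof key);
}
```

With a direct memset in place of memset_ptr and no barrier, a compiler at -O2 is free to drop the store once key is dead, which is exactly the case the thread is about.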
