Philipp Klaus Krause (2020-08-10 21:00 +0200):
> On 10.08.20 at 17:00, Theo de Raadt wrote:
> > Philipp Klaus Krause <p...@spth.de> wrote:
> >
> > > OpenBSD has the explicit_bzero function to reliably (i.e. even if not
> > > observable in the C abstract machine) overwrite memory with zeroes.
> > >
> > > WG14 is currently considering adding similar functionality to C2X.
> >
> > Then perhaps in the interests of the public they should use the same
> > name, but I suspect they won't.
>
> The functionality (i.e. some way to reliably overwrite memory) already
> exists under different names: explicit_bzero in OpenBSD,

explicit_bzero is also in glibc, musl, FreeBSD and DragonFly.

> memzero_explicit in Linux,

I think that is in the Linux *kernel*.

> memset_s in the optional Annex K of the C
> standard, explicit_memset in NetBSD, SecureZeroMemory in Windows etc.
>
> A problem with the explicit_bzero name is that it is not an identifier
> reserved for future extensions of the C standard, unlike identifiers
> starting with mem.
>
> > > Considered options include:
> > >
> > > * A function like explicit_bzero or memset_explicit, that overwrites the
> > > memory with a known value.
> >
> > We have never needed any value other than zero.
>
> Thanks. I assume this will help WG14.
>
> > > * A function like memclear, that overwrites the memory in an
> > > implementation-defined manner, possibly using random data.
> >
> > This option is pretty laughable, because the compiler has no way to
> > collect random data. There is nothing portable the compiler can call
> > to get the random data. I've personally worked on making this possible
> > for more than a decade, and it is still not all there.
>
> This option under the name secure_clear apparently is the one preferred
> by WG21, the C++ committee.
>
> Philipp
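The thread above is about why a dedicated clearing function is needed at all: a plain memset of a buffer that is never read again is a dead store the compiler may drop. As an added example, not code from the thread or from any of the libraries it names, here is a C stand-in built on the volatile-store idiom; the names secure_clear_bytes, is_all_zero, use_key_then_wipe and wipe_self_check and the sample key bytes are my own assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical stand-in for explicit_bzero. Stores through a volatile-
 * qualified pointer are side effects the compiler must keep, so the wipe
 * survives even when the buffer is dead afterwards (a local going out of
 * scope, or heap memory about to be freed), where a plain memset may be
 * dropped as a dead store. Prefer the platform's own function if present. */
static void secure_clear_bytes(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if all len bytes are zero, else 0. OR-accumulation avoids an
 * early exit, so the check's timing does not depend on the contents. */
static int is_all_zero(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

/* Typical use: a constructed sample key is consumed (copied out), then
 * wiped before the function returns. Returns 1 when the wipe is verified. */
static int use_key_then_wipe(unsigned char *out, size_t outlen)
{
    unsigned char key[32];
    memset(key, 0xA5, sizeof key);                  /* constructed secret */
    memcpy(out, key, outlen < sizeof key ? outlen : sizeof key);
    secure_clear_bytes(key, sizeof key);            /* not a plain memset */
    return is_all_zero(key, sizeof key);
}

/* Self-check on a constructed buffer: returns 1 if the wipe cleared every
 * byte and the copied-out prefix still holds the sample key's bytes. */
static int wipe_self_check(void)
{
    unsigned char buf[64], out[8];
    memset(buf, 0x7B, sizeof buf);
    secure_clear_bytes(buf, sizeof buf);
    if (!is_all_zero(buf, sizeof buf))
        return 0;
    if (!use_key_then_wipe(out, sizeof out))
        return 0;
    return out[0] == 0xA5 && out[7] == 0xA5;
}
```

To confirm the stores survive at -O2, inspect the compiled object (for example with objdump -d) and look for the zeroing loop where a plain memset would have vanished. Some libraries use the related idiom of calling memset through a volatile function pointer instead of a volatile data pointer.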