> OpenBSD has the explicit_bzero function to reliably (i.e. even if not
> observable in the C abstract machine) overwrite memory with zeroes.
> WG14 is currently considering adding similar functionality to C2X.
>
> Considered options include:
>
> * A function like explicit_bzero or memset_explicit, that overwrites the
>   memory with a known value.
> * A function like memclear, that overwrites the memory in an
>   implementation-defined manner, possibly using random data.
>
> Is there a rationale why OpenBSD went with their explicit_bzero design?
> Were alternatives considered and rejected?

Well, from what I remember it was put there in order to combat the fact that compilers started to skip generating code for which they thought they knew the thinking behind the source, and that if you bzero() some area and don't read it you were not interested in the area and would not mind that the compiler skipped the bzero altogether for a nice speedup.

Given the normal security stance of OpenBSD, not clearing out keys and passwords for a perceived "speed increase" was considered bad and stupid, and hence a function was created so that the compiler could not recognize the name "bzero" and silently take away the key/pw-clearing parts of the code.

So, given that one would mainly use this to wipe a key/pw as soon as it is not used anymore AND that no later part of the code will be reading that buffer again (which is why it was optimized away), there would be little incentive to have memset_explicit to some other nonzero value which you would not read ever, nor to have random data there you also never read again. If your program did care about the contents after a call to any of these other *_explicit() versions then they would not be needed since the compiler would not remove the original bzero()/memset() to begin with.

This, I would think, would be the reason for not having "fancy" versions of choose-what-byte-to-wipe-the-key-with functions.

I don't see much of a threat in someone seeing my code writing zeros if they could snoop the bus during the cleaning, nor a RAM version of the old disk myth of <random secret agency> can read 1-5-10 old versions of your data on a hard drive by reading slightly to the side of the track so you must overwrite with random data 10 times to cover your tracks.

Perhaps I am not paranoid enough?

--
May the most significant bit of your life be positive.
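
An added example, not part of the original message and not OpenBSD's code: the dead-store pattern described above next to a form whose wipe the optimizer keeps. `wipe_explicit`, `use_key` and the two `handle_secret_*` functions are hypothetical names; the volatile-store loop is a portable stand-in for `explicit_bzero`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for explicit_bzero(): every store goes through a
 * volatile-qualified pointer, which compilers do not drop as dead stores. */
void wipe_explicit(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Constructed toy use of the key, so the buffer is actually read. */
static unsigned use_key(const unsigned char *key, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31u + key[i];
    return sum;
}

/* Weak form: key[] is never read after the memset, so an optimizing
 * compiler may treat the call as a dead store and remove it. */
unsigned handle_secret_weak(const char *pw)
{
    unsigned char key[32] = {0};
    strncpy((char *)key, pw, sizeof key - 1);
    unsigned r = use_key(key, sizeof key);
    memset(key, 0, sizeof key);      /* may be optimized away */
    return r;
}

/* Hardened form: same logic, but the wipe cannot be elided. */
unsigned handle_secret_hardened(const char *pw)
{
    unsigned char key[32] = {0};
    strncpy((char *)key, pw, sizeof key - 1);
    unsigned r = use_key(key, sizeof key);
    wipe_explicit(key, sizeof key);  /* stores are kept */
    return r;
}

int main(void)
{
    printf("weak=%u hardened=%u\n", handle_secret_weak("hunter2"),
           handle_secret_hardened("hunter2")); /* constructed sample input */
    return 0;
}
```

Compiling both functions with optimization enabled and comparing the generated assembly shows whether the `memset` call in the weak form survived.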