From owner-freebsd-hackers Sat Oct 19 17:22:45 1996 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA23647 for hackers-outgoing; Sat, 19 Oct 1996 17:22:45 -0700 (PDT) Received: from po2.glue.umd.edu (po2.glue.umd.edu [129.2.128.45]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA23640 for ; Sat, 19 Oct 1996 17:22:43 -0700 (PDT) Received: from baud.eng.umd.edu (baud.eng.umd.edu [129.2.98.183]) by po2.glue.umd.edu (8.8.1/8.7.3) with ESMTP id UAA19722; Sat, 19 Oct 1996 20:22:39 -0400 (EDT) Received: from localhost (chuckr@localhost) by baud.eng.umd.edu (8.7.5/8.7.3) with SMTP id UAA09536; Sat, 19 Oct 1996 20:22:38 -0400 (EDT) X-Authentication-Warning: baud.eng.umd.edu: chuckr owned process doing -bs Date: Sat, 19 Oct 1996 20:22:38 -0400 (EDT) From: Chuck Robey X-Sender: chuckr@baud.eng.umd.edu To: Terry Lambert cc: thorpej@nas.nasa.gov, dnelson@emsphone.com, ache@nagual.ru, deraadt@theos.com, hackers@FreeBSD.org Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c In-Reply-To: <199610192354.QAA03149@phaeton.artisoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-hackers@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Sat, 19 Oct 1996, Terry Lambert wrote: > I liked PHK's suggestion of seeting a flag for the malloc() system > such that free()'s cleared memory. It is unfortunately naieve, if > my application watermarks total buffer allocation and uses a free > list as a mechanism for fast reallocation of a class of object. For > applications using this approach, the objects put on the free list > but not actually freed will continue to contain potentially sensitive > data. > > For what it's worth, the db fix will fail under similar use. > > Finally, it's interesting to note that these speed-driven optimizations > which open the holes are often the result of attempts by OS and library > designers to close holes at the expense of performance. > > > It seems to me that the correct approach is to provide a conditional > interface to any caching library system -- whether it be db or stdio > or some other interface -- to explicitly dump the cache contents, and > then expect the application writers to take note of potential problem > situations and generate correct code to deal with them. If one could set such a flag globally, then all the stuff in libc that uses malloc could be written to look at that global flag and DTRT, without changing any of the interfaces at all. Set the flag in crt0 to the current action (no action) and things in fact would not change at all, no speed penalty. Doesn't sound like a bad idea at all. > > One could arge that my knowledge that you are running on a Televideo > terminal would make you subject to "send screen to host" based attacks > (which I will note, I have personally used in system-cracking exercises > to obtain "sensitive" exercise target information). Should we then > zero the environment, which contains the TERM entry? What about the > termcap entry, for which libtermcap.a would count as a caching library > system? > > > Terry Lambert > terry@lambert.org > --- > Any opinions in this posting are my own and not those of my present > or previous employers. > ----------------------------+----------------------------------------------- Chuck Robey | Interests include any kind of voice or data chuckr@eng.umd.edu | communications topic, C programming, and Unix. 9120 Edmonston Ct #302 | Greenbelt, MD 20770 | I run Journey2 and n3lxx, both FreeBSD (301) 220-2114 | version 2.2 current -- and great FUN! ----------------------------+-----------------------------------------------