[Passwordsafe-devel] SecString class
From: Edward E. <ed...@ya...> - 2002-03-01 00:28:21
Hi all,

A few weeks ago, ignorant of this list, I emailed Jim Russell about a problem with the PWSafe source. I noticed the SecString class at that time was subclassing std::string, which is a big no-no since std::string has no virtual destructor. In some instances, this can lead to the SecString destructor never being called, and hence the memory buffer with the SecString contents never getting cleared.

I suggested a better approach would be to write an allocator that clears memory on release, then make SecString an instantiation of the std::string template using this allocator. The beauty of this solution is you can create any STL container that clears its memory on release. I mentioned I would be writing such an allocator class myself soon for another project and would gladly provide a copy of the source.

Well, as I was browsing the Crypto++ library I came across an allocator class (template, actually) written by a Denis Bider that does exactly that. On Windows platforms, it also attempts to lock the pages in memory with the VirtualLock() system call. I was contemplating adding this functionality to my allocator as well, although the MSDN information is conflicting as to whether VirtualLock actually locks the pages in memory or just hints to the OS that it should do so. Anyway, the allocator is available (no license restrictions) as part of the BSL library at http://www.bitvise.com/bsl.html

I don't know this Denis Bider and I can't vouch for the quality of the code. But on first pass it looks reasonably solid. My one complaint would be the simplistic memory overwriting which merely zeroes the memory out one time, but this can easily be changed. I hope to give the code a more thorough review in the near future. At that time I will inform this list of my findings and provide any code changes I make.

Thanks,
Edward Elliott
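
The design proposed in the message above, written out as an added example in modern C++ (it is not code from Password Safe, Crypto++ or the BSL library): an allocator that zeroes each block on release, with the secure string defined as a `std::basic_string` instantiation over it rather than a subclass. The names `ZeroingAllocator`, `secure_wipe`, `SecBytes`, `wiped_bytes` and `wiped_after_scope` are assumptions made for this illustration, and the counter exists only so the wipe can be observed; page locking such as `VirtualLock()` is not included.

```cpp
#include <cstddef>
#include <new>
#include <string>
#include <vector>

// Overwrite n bytes through a volatile pointer so the compiler cannot
// drop the stores as dead writes to memory that is about to be freed.
inline void secure_wipe(void* p, std::size_t n) {
    volatile unsigned char* b = static_cast<volatile unsigned char*>(p);
    while (n--) *b++ = 0;
}

// Demo-only counter (hypothetical) so a test can observe that wiping ran.
inline std::size_t& wiped_bytes() { static std::size_t n = 0; return n; }

// Minimal C++11 allocator: behaves like std::allocator, but zeroes every
// block before handing it back to the heap.
template <class T>
struct ZeroingAllocator {
    using value_type = T;
    ZeroingAllocator() = default;
    template <class U> ZeroingAllocator(const ZeroingAllocator<U>&) noexcept {}

    T* allocate(std::size_t n) {
        if (n > static_cast<std::size_t>(-1) / sizeof(T)) throw std::bad_alloc();
        return static_cast<T*>(::operator new(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t n) noexcept {
        secure_wipe(p, n * sizeof(T));      // clear before the heap sees it
        wiped_bytes() += n * sizeof(T);
        ::operator delete(p);
    }
};
template <class T, class U>
bool operator==(const ZeroingAllocator<T>&, const ZeroingAllocator<U>&) { return true; }
template <class T, class U>
bool operator!=(const ZeroingAllocator<T>&, const ZeroingAllocator<U>&) { return false; }

// No inheritance from std::string: the wipe lives in the allocator, so it
// runs on every release regardless of how the string itself is destroyed.
using SecString = std::basic_string<char, std::char_traits<char>, ZeroingAllocator<char>>;
using SecBytes  = std::vector<unsigned char, ZeroingAllocator<unsigned char>>;

// Returns how many bytes were wiped when a heap-backed secret left scope.
inline std::size_t wiped_after_scope(std::size_t len) {
    std::size_t before = wiped_bytes();
    { SecString s(len, 'x'); }              // constructed sample secret
    return wiped_bytes() - before;
}
```

On standard libraries that use a small-string optimization, short strings are stored inside the string object itself and never pass through the allocator, so this wipe does not cover them.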