Re: [Passwordsafe-devel] SecureAllocator
From: Steve L. <st...@is...> - 2002-06-22 06:31:12
> Message: 3
> Date: Fri, 21 Jun 2002 00:39:06 -0400
> From: Edward Elliott <pas...@ed...>
> To: 'PasswordSafe Development' <pas...@li...>
> Subject: Re: [Passwordsafe-devel] SecureAllocator
>
> Nice job, James.
>
> 3) Clearing memory before releasing it is not the only issue. In
> fact, I seem to recall reading somewhere that some Windows OSes zero
> out all memory pages that are returned to the system (though I could
> be wrong about this). In any case, what worries me more is paging out
> of keys and passwords to the swap file, where they can remain on disk
> much longer than the lifetime of the program. Some more work to add,
> but doable.
>

1. WinNT guarantees to have zeroed memory before another app asks for it. But the zeroing can be done in a low priority thread; it can hang around in unallocated state for some time. I am not sure about the Win9x guarantees, or more importantly, how seriously to take them.

2. It's hard to stop memory being paged out. There is an API call for NT, ::VirtualLock(), that can do it. The app/user needs SE_INC_BASE_PRIORITY_NAME rights to be able to do this, which makes it not very useful. And it's a no-op on Win9x.

3. My main fear is of laptop hibernation, at the BIOS level or into a hibernation file. The tactic here must be to go into 'erase everything' mode when a suspend or hibernate WM_POWER message comes in, but I also recommend doing the same thing when the app wakes up; a laptop's 'panic' shutdown can hibernate without sending a message out to anything.

4. The only way to really hide this stuff is in a device driver. MS have a service in WinXP for this purpose, but I haven't explored it.

-Steve
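The tactic in points 2 and 3 of the reply above, as an added example that is not part of the original message or of Password Safe's code: try to lock the secret's pages, treat a failed lock as normal, and wipe on both suspend and resume. The names `secret_buf`, `power_event`, `secret_init` and `on_power_event` are hypothetical; a Windows window procedure would map the suspend and resume power messages onto these events, and the non-Windows branch uses `mlock` only so the sketch builds elsewhere.

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Hypothetical types for this sketch, not from the original thread. */
typedef struct {
    unsigned char data[64];   /* secret bytes */
    size_t len;               /* bytes in use */
    int locked;               /* 1 only if the page-lock call succeeded */
} secret_buf;

typedef enum { EV_SUSPEND, EV_RESUME, EV_OTHER } power_event;

/* Wipe through a volatile pointer so the stores are not optimised away. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Store a secret. Locking is best effort: it may be denied or be a no-op,
   so the result is recorded and wiping is never made to depend on it. */
static int secret_init(secret_buf *s, const char *pw) {
    size_t n = strlen(pw);
    if (n > sizeof s->data) return -1;
    secure_wipe(s, sizeof *s);
#ifdef _WIN32
    s->locked = VirtualLock(s->data, sizeof s->data) != 0;
#else
    s->locked = mlock(s->data, sizeof s->data) == 0;
#endif
    memcpy(s->data, pw, n);
    s->len = n;
    return 0;
}

/* Erase on suspend AND on resume: a forced hibernate may never deliver the
   suspend event, so the wake-up is the only chance to clear. Returns 1 if wiped. */
static int on_power_event(secret_buf *s, power_event ev) {
    if (ev != EV_SUSPEND && ev != EV_RESUME) return 0;
    secure_wipe(s->data, sizeof s->data);
    s->len = 0;
    return 1;
}
```

After a wipe the caller has to prompt for the passphrase again; the `locked` flag is there so the application can report when locking was unavailable rather than assume it worked.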