28 events
when what by license comment
Mar 15, 2017 at 15:28 history edited CommunityBot
replaced http://meta.security.stackexchange.com/ with https://security.meta.stackexchange.com/
Feb 5, 2016 at 13:02 history edited Rory Alsop CC BY-SA 3.0
added 496 characters in body
S Dec 20, 2014 at 15:21 history bounty ended Lucas Kauffman
S Dec 20, 2014 at 15:21 history notice removed Lucas Kauffman
Dec 17, 2014 at 7:52 answer added mincewind timeline score: -2
Dec 17, 2014 at 7:20 answer added PaulOverflow timeline score: 1
Dec 16, 2014 at 12:48 answer added user10211 timeline score: 8
S Dec 16, 2014 at 12:47 history bounty started Lucas Kauffman
S Dec 16, 2014 at 12:47 history notice added Lucas Kauffman Draw attention
Dec 9, 2014 at 19:25 comment added MrWhite Whilst most answers mention the benefit of overwriting the data (if possible), I can't see the benefit of overwriting "a few times in a loop" as suggested in the question, but not touched on by the current batch of answers AFAICS. Unless this data is being written to a magnetic medium and the attacker has low-level access to the system, then I would have thought that overwriting once should be sufficient? Or are multiple writes still beneficial?
Dec 8, 2014 at 6:22 comment added user29925 Zeroization is required by NIST's FIPS 140-2, even at Level 1 validations. Attackers do use the memory, and they don't need to be local. For example, we know the NSA will log Windows Error Reporting into its XKeyscore system to help gain unauthorized access.
Dec 7, 2014 at 5:49 answer added Andy Dent timeline score: 3
Dec 6, 2014 at 16:45 answer added Cort Ammon timeline score: 19
Dec 6, 2014 at 12:25 comment added Ruslan The C/C++ compiler is actually free to optimize your overwritings away unless you have declared your variable as volatile, because they don't change the result of executing the code (the value is not used anywhere).
Dec 5, 2014 at 12:00 answer added ratchet freak timeline score: 2
Dec 5, 2014 at 8:53 comment added Alexander @rkosegi that's why one should use byte[], not string, for keys.
Dec 5, 2014 at 3:37 answer added Ari Trachtenberg timeline score: 4
Dec 4, 2014 at 21:43 comment added Stephen Touset See libsodium's sodium_malloc as an implementation of that.
Dec 4, 2014 at 21:42 comment added Stephen Touset Not only is this a good idea, but other steps you might want to take are to mlock the memory (to ensure it's not written to swap), mprotect the page so that it's read-only once the secret data has been initialized (also possibly to mark the page as non-accessible at all except in the small windows in which you intend to access it), to have a "canary" value written to memory immediately after the secret to detect during dealloc if it's been overwritten by an overflow, and to allocate extra non-accessible guard pages before and after the secret to SEGV on overflow and underflow.
Dec 4, 2014 at 21:26 history tweeted twitter.com/#!/StackSecurity/status/540618264817455104
Dec 4, 2014 at 19:44 comment added rkosegi Also note that strings in Java are immutable, so overwriting (assigning new value to reference variable) will have no effect.
Dec 4, 2014 at 18:36 comment added ereOn Note that this can be tricky depending on the language. (See the two linked questions and especially their answers)
Dec 4, 2014 at 18:05 comment added Gilles 'SO- stop being evil' See also: the operating system-level view
Dec 4, 2014 at 18:02 answer added Gilles 'SO- stop being evil' timeline score: 14
Dec 4, 2014 at 17:13 vote accept Jonathan
Dec 4, 2014 at 16:45 answer added Lawtonfogle timeline score: 35
Dec 4, 2014 at 16:26 answer added makerofthings7 timeline score: 75
Dec 4, 2014 at 16:18 history asked Jonathan CC BY-SA 3.0