[Mono-bugs] [Bug 44848][Wis] Changed - Zeroize data upon GC collect

bugzilla-daemon@rocky.ximian.com bugzilla-daemon@rocky.ximian.com
Sun, 15 Jun 2003 15:36:57 -0400 (EDT)

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by bmaurer@users.sf.net.


--- shadow/44848	Sun Jun 15 14:30:42 2003
+++ shadow/44848.tmp.17327	Sun Jun 15 15:36:57 2003
@@ -2,21 +2,20 @@
 Product: Mono/Runtime
 Version: unspecified
 OS: All
 OS Details: 
 Status: NEW   
+Severity: Unknown
 Priority: Wishlist
 Component: misc
 AssignedTo: mono-bugs@ximian.com                            
 ReportedBy: spouliot@videotron.ca               
 QAContact: mono-bugs@ximian.com
 TargetMilestone: ---
 Summary: Zeroize data upon GC collect
 Description of Problem:
 After I recently added the code to zeroize the private keys for DSAManaged 
 and RSAManaged, Ben told me that the BigInteger code could still leak some 
@@ -33,6 +32,20 @@
 when the GC reclaims them ?" (and not when they are allocated).
 If so I believe that the performance impact would be much lower in the 
 runtime (C) than in the class library (C#). It would also be much safer 
 because it will (a) clear all data, (b) act as a second (albeit late) 
 zeroize for sensitive data. Anyway this shorten the vulnerability window.
+------- Additional Comments From bmaurer@users.sf.net  2003-06-15 15:36 -------
+Actually, I think it would be better to add an internal method:
+GC.ZeroizeFreeSpace (), which would zeroize all data that had been
+deallocated. This would have the advantage that we would not take the
+performance hit on regular allocations.
+Another idea would be to have a method:
+GC.MarkSensitiveData (object o) which would mark an object as
+"sensitive", meaning that when it was deallocated that it would
+automatically zeroized. Then, we could call GC.Collect () in the place
+where the api needs to zeroize sensitive data. This method would have
+the advantage that only data that was marked as sensitive would be
+zeroized, meaning that the performance hit would be even smaller.