[Cryptography] Heartbleed and fundamental crypto programming practices

Benjamin Kreuter brk7bx at virginia.edu
Sun Apr 13 11:30:38 EDT 2014


> I happened to develop a system in C++, which is the only widely-used
> language that offers *compiler enforced*, user-programmable,
> cradle-to-grave control over memory allocation.

It is also one of the few languages where this is of critical
importance.

> By putting the code to zero the memory into the destructor, I could
> guarantee that no RedString could make it back to the free list without
> being cleared.  There's no way to do that in any other language I know
> of.

Again, this is critical in C and C++ where you have no particular
guarantees about memory safety.  It is certainly relevant in other
contexts, but not nearly as important as it is in languages where you
can read memory directly and ignore whatever abstractions you have set
up.

>  That means you have to enforce the discipline yourself.

As opposed to all the discipline you must enforce by yourself in C++?  A
dangling pointer could cause key material to be copied somewhere else,
and then your whole technique becomes irrelevant.

For what it's worth, it is possible to do something similar with most
Lisp compilers I know of.  You can create an array, pin it (so the GC
will not copy it), and then clear it and unpin when you are done.  A few
macros to ensure this always happens for sensitive data, and you get
exactly what you described from C++ -- and you do not need to worry that
some dangling pointer somewhere will break your abstraction.

-- Ben
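The zero-in-the-destructor discipline discussed above, as an added illustration that is not code from this thread or from the original poster's system: a hypothetical RedString that wipes its heap storage before releasing it, with copying disabled so no second, unwiped copy of the key material can exist. The secure_zero helper, the class and the sample secret are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Wipe n bytes through a volatile pointer so the compiler cannot drop the
// stores as "dead" (a plain memset right before delete/free is often elided).
inline void secure_zero(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n-- > 0) *vp++ = 0;
}

// Hypothetical RedString: owns key material in heap storage and guarantees
// the bytes are overwritten before the block goes back to the allocator.
class RedString {
public:
    explicit RedString(const std::string& secret)
        : len_(secret.size()), buf_(new unsigned char[secret.size() + 1]) {
        std::memcpy(buf_, secret.data(), len_);
        buf_[len_] = 0;
    }
    // Implicit copies are refused: each copy would be a second buffer of
    // key material that this object's destructor never sees.
    RedString(const RedString&) = delete;
    RedString& operator=(const RedString&) = delete;
    ~RedString() { wipe(); delete[] buf_; }

    void wipe() { secure_zero(buf_, len_); }   // also run by the destructor
    bool all_zero() const {
        for (std::size_t i = 0; i < len_; ++i) if (buf_[i] != 0) return false;
        return true;
    }
    const unsigned char* data() const { return buf_; }
    std::size_t size() const { return len_; }
private:
    std::size_t len_;
    unsigned char* buf_;
};

// Exercise the discipline end to end: the secret is resident after
// construction and fully zeroed after wipe(); the destructor wipes again.
bool wipe_roundtrip(const std::string& secret) {
    RedString key(secret);   // secret is a constructed sample value
    bool resident = key.size() == secret.size() &&
                    std::memcmp(key.data(), secret.data(), key.size()) == 0;
    key.wipe();
    return resident && key.all_zero();
}
```

Note that this only closes the path through RedString itself; as the reply points out, a dangling pointer or an explicit copy made elsewhere in the program is outside what the destructor can protect.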