Protecting sensitive data [was Re: Cleanup for cryptographic algorithms vs. compiler optimizations]

Peter Jeremy peterjeremy at acm.org
Mon Jun 14 00:54:58 UTC 2010


On 2010-Jun-13 10:07:15 +0200, Dag-Erling Smørgrav <des at des.no> wrote:
>You always overwrite passphrases, keys etc. as soon as you're done with
>them so they don't end up in a crash dump or on a swap disk or
>something.

Which brings up an associated issue: By default, mlock(2) can only be
used by root processes.  It would be really handy if non-privileged
processes could lock small amounts of VM so they can securely handle
passwords, passphrases, keys, etc.  MAC offers the option of allowing
non-root processes access to mlock() but doesn't provide any
restrictions on the amount of memory they can lock.

-- 
Peter Jeremy