Software leaves encryption keys, passwords lying around in memory

Simon Fowler simon at
Wed Nov 6 16:18:15 EST 2002

On Wed, Nov 06, 2002 at 04:05:47PM +1100, Ben Elliston wrote:
> >>>>> "Vennonen," == Vennonen, Ari J <ari.vennonen=r3q2otnueiw at> writes:
>   Ari> future enhancement to the optimiser may turn it back into a
>   Ari> nop.  What it really needs is the addition of a #pragma
>   Ari> dont_remove_this_code_you_bastard in the compiler.  Until then,
>   Ari> a lot of security code will be affected by this problem.
> A cheap alternative is to disable the relevant optimisations.
That's probably rather painful on cryptographic software, unless the
important bits are written in hand-optimised asm. Just consider the
amount of cpu intensive stuff that's involved in implementing a
cipher . . . 

A much better approach would be to just make sure you /did/
something with the cleared memory afterwards. And being aware of the
need is rather important.

PGP public key Id 0x144A991C, or
(crappy) Homepage:
doe #237 (see 
My DeCSS mirror: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the linux mailing list