Subject: Re: [PATCH] wincng: Added explicit memory overwrite feature to WinCNG backend

Re: [PATCH] wincng: Added explicit memory overwrite feature to WinCNG backend

From: Marc Hoersken <>
Date: Sun, 18 May 2014 19:12:26 +0200

Am 18.05.2014 19:02, schrieb Daniel Stenberg:
> This option only disables the random fill of the free data, it still
> overwrites memory - only with zeros instead. So it doesn't disable
> memory overwrite at all.

You are right, originally the patch included the following hunk:

+ if (len > 0)
+ _libssh2_wincng_random(buf, len);

instead of

+ if (len > 0)
+ _libssh2_wincng_random(buf, len);
+ if (len > 0)
+ memset(buf, 0, len);

I changed this during the latest rebase to always at least overwrite the
data with zeros.

> A question though: is there really anyone who suggests that it is
> safer to fill the data with random data rather than just zeros? I just
> can't see the point with doing such a slow operation and waste random
> seed on this.

I don't have specific expertise in this area, but I think a reason could
be that a compiler might be tempted to optimize memset(buf, 0, len) out.

Looking at the memory erasure procedure of the Tails operating system
[1], it seems like overwriting with zeros is enough:

> Actual memory erasure process
> The software that performs the actual memory erasure is sdmem, which
> is part of the secure-delete package. sdmem is called using the -v
> (verbose mode) option to give feedback to the user, as well as the
> -llf options: memory is only overwritten once with zeros; this is the
> fastest available mode, and is enough to protect against every memory
> forensics attack we know of.

Received on 2014-05-18