[cryptography] Just how bad is OpenSSL?

Solar Designer solar at openwall.com
Tue Oct 30 11:28:59 EDT 2012

On Tue, Oct 30, 2012 at 11:29:17AM -0400, Thierry Moreau wrote:
> Isn't memory-space cleanse() isolated from file system specifics except 
> for the swap space?

Normally yes, but the swap space may be in a file (rather than a disk
partition), or the swap partition may be in a virtual machine, which may
reside in a file.

> Is the SSD technology used for swap state in any of the OS distributions?

It depends on how the OS is installed.  Plenty of installs have swap on SSD.

> Assuming that cleanse() has to deal only with L1 CPU cache, L2 CPU cache, 
> main memory, and swap space, I considered a periodical "swap space 
> sanitation" operation to be useful: add a new swap space partition, 
> remove an existing one, sanitize the removed one (low-level, below file 
> system), put it back into the available set of partitions. I did not 
> experiment in practice.
> But that "partition sanitation" strategy ought to be part of an "open 
> HSM" type of project.

What kind of HSM is that where you expect to need swap at all?  Just
disable swap, unless you're using an OS that can't live without swap.
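
Added example, not part of the original message: a shell check for the "just disable swap" advice above, which also reports whether each active swap area is a partition or a file. It assumes a Linux host that lists active swap in /proc/swaps; the function names and the sample data are constructed for illustration.

```shell
# Constructed sample in the format of Linux /proc/swaps (not from a real host).
sample_swaps() {
    printf '%s\n' \
        'Filename                Type        Size      Used   Priority' \
        '/dev/sda2               partition   2097148   0      -2' \
        '/var/swapfile           file        1048572   2048   -3'
}

# list_swap [FILE]: print "kind path used_kib" for every active swap area.
# FILE defaults to /proc/swaps; the first line of that format is a header.
list_swap() {
    awk 'NR > 1 && NF >= 5 { print $2, $1, $4 }' "${1:-/proc/swaps}"
}

# swap_disabled [FILE]: succeed only when no swap area is active.
swap_disabled() {
    [ -z "$(list_swap "$@")" ]
}

# audit_swap [FILE]: describe each active swap area; exit status 0 means
# swap is off, 1 means at least one area is active.
audit_swap() {
    list_swap "$@" | awk '
        { n++; printf "active swap: %s (%s), %s KiB in use\n", $2, $1, $3 }
        $1 == "file" { print "  backed by a file: contents land inside a file system" }
        $3 > 0       { print "  pages already written out; clearing RAM does not reach them" }
        END { if (n == 0) print "no active swap"; exit (n > 0) }'
}
```

Run `audit_swap` with no argument to check the live system, or pass a saved copy of /proc/swaps as the argument.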


