Bugtraq mailing list archives

Re: Leftover data in other files (was Re: Sun StarOffice documents


From: jsl2 () JEDITECH COM
Date: Tue, 5 Sep 2000 20:45:04 -0700

On Tue, 5 Sep 2000 pedward () webcom com wrote:

Windows NT, as well as any other decent OS, will clear RAM and disk buffers
before giving them to a user-mode app. I would be surprised if Linux suffered
from this problem.

Umm, ever written a program and used a variable that was uninitialized?
That's what it's called: uninitialized variables.  This is a common mistake

I think you brought up two points in your message, so let me answer each in
turn:

- After malloc(), an application can always end up with "junk" it created
earlier. For example, it could be reusing its own heap. (Kurt Seifried's
message indicated to me the leftover data was not the result of what he did
in StarOffice)

- Some OS's sanitize (clear) RAM before handing it to an app. On such an OS,
applications will never receive RAM that contains junk from another app.

Examples of OS's that clear RAM are Windows NT, Solaris, and I expect, other
UNIX'es.  OS's that do NOT clear RAM include Windows 9x, DOS, etc.

The same idea can be extended to disk buffers, and ultimately, files on a disk.

Somebody (sorry, I deleted the e-mail too quickly) pointed out that clearing
RAM is costly. That is true; but for security purposes, the OS must do that
to minimize information leaks. RAM can be sanitized by the idle thread -
there's usually some idle time even in busy servers.


I have long wanted to write a program that just allocates random chunks of memory
and searches for data, such as DES password strings.
....
The searching for data on a unix machine is elementary.  You can use mmap
or malloc to allocate memory, then scan it and deallocate the memory.

You shouldn't find anything of value on any recent UNIX, Windows NT,
etc.  Unless you did that in kernel mode. For example, I just tried it on a
busy Solaris 2.7 workstation (RAM is filled with lots 'o apps) and got
nothing but clear memory. Extend the same idea to swapfile pages.

However, bugs and mis-features do happen. :-)  If you find a system on which
that works, let us know!

Historical note: Remember the big scare in the early 90's about Prodigy
on-line service... people reported seeing parts of their private documents in
Prodigy cache files, etc.  IIRC it was caused by this same problem - disk
clusters weren't cleared when those sparse files were created.
There was a lot of FUD going around back then...

-James
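An added illustration, not part of the thread, of the two cases James separates: anonymous pages handed out by the kernel must arrive zeroed, while a process's own heap keeps whatever the process last wrote unless it scrubs the block before free(). The secret string is constructed, and secure_zero is a hypothetical helper written so the optimizer cannot drop the scrub as a dead store.

```c
#define _GNU_SOURCE            /* MAP_ANONYMOUS on glibc; build: cc -O2 leftover.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Scrub that the compiler cannot remove as a dead store before free(). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Case 2: memory from the OS. Returns 1 if every byte of a freshly mapped
 * anonymous region is zero (POSIX requires it), 0 if not, -1 on failure. */
int fresh_pages_are_zero(size_t bytes) {
    unsigned char *m = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    int clean = 1;
    for (size_t i = 0; i < bytes; i++)
        if (m[i]) { clean = 0; break; }
    munmap(m, bytes);
    return clean;
}

/* Case 1: the application's own heap. Writes a constructed "secret" into a
 * block, optionally scrubs it, frees it, reallocates the same size and
 * reports whether the secret is still readable (1) or gone (0). */
int secret_survives_free(int scrub) {
    static const char secret[] = "CONSTRUCTED-SECRET-NOT-REAL";
    const size_t sz = 256;
    char *a = malloc(sz);
    if (!a) return -1;
    memset(a, 0, sz);
    memcpy(a + 64, secret, sizeof secret);  /* clear of allocator metadata */
    if (scrub) secure_zero(a, sz);
    free(a);
    char *b = malloc(sz);                   /* usually the same block again */
    if (!b) return -1;
    int found = memcmp(b + 64, secret, sizeof secret) == 0;
    free(b);
    return found;
}

int main(void) {
    printf("fresh mmap pages zero:     %d\n", fresh_pages_are_zero(1 << 20));
    printf("secret after free (raw):   %d\n", secret_survives_free(0));
    printf("secret after free (scrub): %d\n", secret_survives_free(1));
    return 0;
}
```

Whether the unscrubbed secret survives depends on the allocator (with glibc it normally does); the scrubbed case is gone regardless, which is the point of wiping secrets before releasing the buffer.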

