create doesn't zero the struct #30
Comments
Heh, I was looking into this just now while typing a reply to your email. I think it's better to be safe rather than sorry and specifically zero out structures created via |
I assume this can be closed, now that we have |
The problem is that it isn't cleared by default. Perhaps we should make |
I don't see the benefit of zeroing it out - I usually need to fill the byte vector with some data (which I control), maybe a If you're concerned about confidential data, I don't think the |
It's not just key material that's confidential (though manually erasing that at free time might be a good idea anyway). Any information leak is a potential problem. It's also a reliability problem, since you tend to get zeroes when testing but other values after things have been running for a while. In my opinion, all sources of uninitialised data should be marked unsafe. We should probably patch It would be good if there was a safe way to create and initialise a cstruct. e.g. in mirage-qubes I have a function:
Perhaps cstruct could auto-generate such functions? |
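The two patterns raised in the comment above, a create that guarantees zeroed memory with the fields initialised before the caller ever sees the buffer, and scrubbing a buffer that held key material once it is no longer needed, as an added example that is not part of this issue thread and not the cstruct library's or mirage-qubes' own code. It assumes a cstruct release that provides `Cstruct.create_unsafe`, `Cstruct.memset` and `Cstruct.length` (cstruct 6 or later) and OCaml 4.08+ for `Fun.protect`; the frame layout, the `create_zeroed`, `create_init`, `with_secret` and `all_zero` names and the sample payloads are my own.

```ocaml
(* Added example, not from the issue or the cstruct project. Assumes
   cstruct >= 6 (Cstruct.create_unsafe, Cstruct.memset, Cstruct.length)
   and OCaml >= 4.08 (Fun.protect). *)

(* Allocate via the unchecked allocator, then clear every byte explicitly,
   so no stale heap contents survive regardless of the library's default. *)
let create_zeroed len =
  let buf = Cstruct.create_unsafe len in
  Cstruct.memset buf 0;
  buf

(* True when every byte of [buf] is zero; used below to check both the
   allocation and the scrub. *)
let all_zero buf =
  let n = Cstruct.length buf in
  let rec go i = i >= n || (Cstruct.get_uint8 buf i = 0 && go (i + 1)) in
  go 0

(* Create and initialise in one step: the caller supplies the function
   that fills the fields and is never handed an uninitialised buffer. *)
let create_init len init =
  let buf = create_zeroed len in
  init buf;
  buf

(* Hypothetical layout: a 2-byte big-endian length followed by the payload. *)
let make_frame payload =
  let n = String.length payload in
  create_init (2 + n) (fun buf ->
      Cstruct.BE.set_uint16 buf 0 n;
      Cstruct.blit_from_string payload 0 buf 2 n)

(* Hand [f] a zeroed buffer for secret material and overwrite it when [f]
   returns or raises, so the bytes are not left behind for a later
   allocation to pick up. *)
let with_secret len f =
  let buf = create_zeroed len in
  Fun.protect ~finally:(fun () -> Cstruct.memset buf 0) (fun () -> f buf)

let () =
  let frame = make_frame "hello" in
  assert (Cstruct.length frame = 7);
  assert (Cstruct.BE.get_uint16 frame 0 = 5);
  assert (Cstruct.to_string (Cstruct.shift frame 2) = "hello");
  (* A fresh buffer must contain no stale bytes. *)
  assert (all_zero (create_zeroed 64));
  (* Constructed sample key: present inside [with_secret], gone afterwards. *)
  let secret =
    with_secret 16 (fun buf ->
        Cstruct.blit_from_string "0123456789abcdef" 0 buf 0 16;
        assert (not (all_zero buf));
        buf)
  in
  assert (all_zero secret);
  print_endline "ok"
```

Build with `ocamlfind ocamlopt -package cstruct -linkpkg` and run the binary; the program prints `ok` only if every assertion holds. Note that scrubbing covers this buffer only: copies made by `Cstruct.to_string` or by blitting into another buffer have to be erased by their owner.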
This improves the situation described in mirage#30
Signed-off-by: David Scott <dave.scott@docker.com>
The new `create_unsafe` function can be used if you want to trade safety for speed. Fixes mirage#30
The structure returned by create isn't initialised. In a Mirage service, it might contain confidential data (e.g. TLS key material), which could easily be leaked.
Possibly this should be fixed in OCaml's Bigarray (and String.create), but at the very least, the documentation should mention this.