KPasswordEdit patch (was Re: new widgets...)

Neil Stevens neil at qualityassistant.com
Sun Sep 29 03:29:26 BST 2002


On Saturday September 28, 2002 07:11, Malte Starostik wrote:
> It's not only about writing it to swap/disk (that was what the mlock
> patch would do, but only for root). Think about a multi-user system with
> an OS that doesn't guarantee memory is zeroed-out. User a enters a
> password and the process that provided the password edit exits. User b
> was monitoring this and allocs huge amounts of memory, in the hope he
> gets the physical memory user a had before. If he succeeds, he can read
> the password. Granted, it takes some luck but it's possible.

But that still fails.  Or are you also clearing the memory used by X (for 
input of the password) and by your network stream (for output of the 
password)?

If you assume an insecure OS, you lose no matter what your code does.  But 
if you assume a secure OS, then you don't need to resort to cheap tricks 
like these.  Either way, it's a waste of time.

-- 
Neil Stevens - neil at qualityassistant.com
"I always cheer up immensely if an attack is particularly wounding
because I think, well, if they attack one personally, it means they
have not a single political argument left." - Margaret Thatcher

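For reference, the technique debated in this thread, as an added example that is not part of the original message or of the KPasswordEdit patch: a password buffer that is locked against swapping on a best-effort basis and wiped before its memory goes back to the allocator. The `secret_buf` struct and the `secret_*` function names are hypothetical, and the code assumes a POSIX system that provides `mlock()`.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical password holder; names are illustrative, not KDE's API. */
struct secret_buf { char *data; size_t cap; int locked; };

/* Zero through a volatile pointer so the stores cannot be optimised away
 * as dead writes ahead of free(), which can happen to a plain memset(). */
static void secret_wipe(struct secret_buf *s) {
    volatile unsigned char *v = (volatile unsigned char *)s->data;
    for (size_t i = 0; i < s->cap; i++) v[i] = 0;
}

int secret_init(struct secret_buf *s, size_t cap) {
    s->data = calloc(1, cap);
    if (!s->data) return -1;
    s->cap = cap;
    /* Best effort: mlock() can fail without privilege or past RLIMIT_MEMLOCK. */
    s->locked = (mlock(s->data, cap) == 0);
    return 0;
}

/* Fixed capacity on purpose: realloc() could leave an unwiped copy behind. */
int secret_set(struct secret_buf *s, const char *pw) {
    size_t n = strlen(pw);
    if (n >= s->cap) return -1;      /* reject before touching the buffer */
    secret_wipe(s);
    memcpy(s->data, pw, n);          /* tail stays zero, so NUL-terminated */
    return 0;
}

/* Number of non-zero bytes still in the buffer (0 after a wipe). */
size_t secret_residue(const struct secret_buf *s) {
    size_t n = 0;
    for (size_t i = 0; i < s->cap; i++) n += (s->data[i] != 0);
    return n;
}

void secret_destroy(struct secret_buf *s) {
    if (!s->data) return;
    secret_wipe(s);                  /* wipe before the allocator gets it back */
    if (s->locked) munlock(s->data, s->cap);
    free(s->data);
    s->data = NULL; s->cap = 0; s->locked = 0;
}
```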
More information about the kde-core-devel mailing list