Gentoo Archives: gentoo-dev

From: Joshua Kinard <kumba@g.o>
To: Gentoo-dev <gentoo-dev@l.g.o>
Subject: [gentoo-dev] Akamai secure memory allocator for OpenSSL?
Date: Sun, 13 Apr 2014 20:44:27
1 So one of the side-discussions happening after Heartbleed was the fact that
2 OpenSSL has its own memory allocator code that effectively mitigates any C
3 library-provided exploit mitigations (as discussed on the openbsd-misc ML at
4 [1] and Ted Unangst's blogs at [2] and [3]). This is partially why there's
5 so much "interesting" data to be sniffed from a server's memory via the
6 heartbleed response packets -- that memory wasn't really initialized to
7 random data or zero'd upon malloc(), nor garbage-collected upon free().
9 Taking place over on the openssl-users ML, someone from Akamai posted a new
10 secure memory allocator patch[4][5] that they have been using in production
11 for about a decade. That patch was cleaned up, diff'ed against
12 openssl-1.0.1g, and posted to openssl-dev here:
15 It basically provides a secure memory area protected by guard pages for
16 sensitive data, like RSA private keys, so that if another Heartbleed-like
17 event occurs, things won't be as bad. Hopefully...
19 Is this something we want to look at adding to our openssl copy via an
20 optional USE flag (default off)?
22 Refs:
23 1.
24 2.
25 3.
26 4.
27 5.
29 --
30 Joshua Kinard
31 Gentoo/MIPS
32 kumba@g.o
33 4096R/D25D95E3 2011-03-28
35 "The past tempts us, the present confuses us, the future frightens us. And
36 our lives slip away, moment by moment, lost in that vast, terrible in-between."
38 --Emperor Turhan, Centauri Republic


Subject Author
Re: [gentoo-dev] Akamai secure memory allocator for OpenSSL? Patrick Lauer <patrick@g.o>
Re: [gentoo-dev] Akamai secure memory allocator for OpenSSL? "Tiziano Müller" <dev-zero@g.o>