[fpc-pascal] Processing passwords etc.

[Mark Morgan Lloyd]

Jonas Maebe wrote:
> On 11 Apr 2014, at 09:36, Mark Morgan Lloyd wrote:
> 
>> Is my understanding correct that when a string or a dynamic array is extended it might result in its existing content being released to the heap?
>>
>> If so, is it possible to ensure that this is zeroed or randomised first, without having to do it manually?
> 
> You can install a memory manager that does this for all (de)allocations and then calls through to the original memory manager. There is no way to only do this for strings and dynamic arrays, and I don't think it would be a good idea to do so. Not all passwords are strings, so that would probably mostly give a false sense of security.

Using a memory manager would reliably wipe strings etc. when reallocated 
(i.e rather than when an assignment didn't trigger reallocation). On the 
other hand it would have the overhead of also overwriting blocks that 
the user knew were being freed and could audit first, as well as stuff 
that was being freed as part of the RTL operation.

It's that latter case- where the RTL is copying something without the 
user being aware- that I think is significant.

-- 
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]