On Tue, 17 Dec 2002, Christopher Kings-Lynne wrote:
> Hi guys,
>
> Just a thought - do we explicitly wipe password strings from RAM after using
> them?
>
> I just read an article (by MS in fact) that illustrates a cute problem.
> Imagine you memset the password to zeros after using it. There is a good
> chance that the compiler will simply remove the memset from the object code
> as it will seem like it can be optimised away...

Bugtraq discussion claims that GCC >=3 are not affected by this. Variables
which are affected by code that cannot be optimised away should be marked
volatile anyway.

Gavin
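
An added example, not part of the original thread or of PostgreSQL's source: the memset() pattern discussed above next to a wipe done through a volatile-qualified pointer. The function names, the 64-byte buffer and the sample password are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PostgreSQL code: zero a buffer through a
 * volatile-qualified pointer so the stores are not dropped as dead.
 * Where the platform provides explicit_bzero() or memset_s(), prefer it. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *) buf;

    while (len--)
        *p++ = 0;
}

/* Pattern from the thread: buf is never read after memset(), so an
 * optimising compiler may remove the call as a dead store. */
int check_password_risky(const char *input, const char *expected)
{
    char buf[64];
    int ok;

    strncpy(buf, input, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    ok = (strcmp(buf, expected) == 0);
    memset(buf, 0, sizeof(buf));        /* candidate for elimination */
    return ok;
}

/* Same check, but the copy is cleared with secure_wipe(). */
int check_password_wiped(const char *input, const char *expected)
{
    char buf[64];
    int ok;

    strncpy(buf, input, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    ok = (strcmp(buf, expected) == 0);
    secure_wipe(buf, sizeof(buf));
    return ok;
}

int main(void)
{
    /* "s3cret" is a constructed sample value. */
    printf("risky: %d, wiped: %d\n",
           check_password_risky("s3cret", "s3cret"),
           check_password_wiped("s3cret", "s3cret"));
    return 0;
}
```

Compiling with `-O2 -S` and comparing the assembly of the two check functions shows whether a given compiler kept the memset() call.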