The safer SecureZeroMemory()

By Paladion

September 8, 2005

A few months ago, we discussed how memory viewers could be used to see the residues of passwords in memory. In a recent issue of Palisade, Priyali explains how the enhanced SecureZeroMemory() function helps solve this problem in .NET applications.

The ZeroMemory() function was available in Visual C++ to fill blocks of memory with zeroes, for example the password variable after authentication, or credit card details after authorization. That, however, wasn't secure enough. The call to ZeroMemory could easily be optimized out by the compiler if the block of memory it filled was never used again: the compiler would observe that the memory being modified was never referenced again, and so silently drop the call.

SecureZeroMemory fixes that problem. It ensures that the memory is filled with zeroes even if the memory is never used again.
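The difference in code, as an added example that is not from the original article: the first function ends with the kind of dead store a compiler may drop, the second wipes through `wipe()`, which calls SecureZeroMemory on Windows and elsewhere falls back to writes through a volatile pointer. The names `wipe`, `count_nonzero`, `check_password_risky`, `check_password_wiped` and the sample secret are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define PW_MAX 64
static const char STORED[] = "correct horse"; /* constructed sample secret */

/* Hypothetical helper: zero len bytes in a way the optimizer must keep. */
void *wipe(void *p, size_t len) {
#ifdef _WIN32
    return SecureZeroMemory(p, len);
#else
    /* Writes through a volatile pointer are observable, so none is elided. */
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--) *vp++ = 0;
    return p;
#endif
}

/* Hypothetical helper: number of non-zero bytes left in a buffer. */
size_t count_nonzero(const void *p, size_t len) {
    const unsigned char *b = (const unsigned char *)p;
    size_t n = 0;
    while (len--) n += (*b++ != 0);
    return n;
}

/* Copy the input into a bounded local buffer and compare it. */
static int compare_copy(char *buf, size_t cap, const char *input) {
    size_t n = strlen(input);
    if (n >= cap) n = cap - 1;
    memcpy(buf, input, n);
    buf[n] = '\0';
    return strcmp(buf, STORED) == 0;
}

int check_password_risky(const char *input) {
    char buf[PW_MAX];
    int ok = compare_copy(buf, sizeof buf, input);
    memset(buf, 0, sizeof buf); /* buf is never read again: may be removed */
    return ok;
}

int check_password_wiped(const char *input) {
    char buf[PW_MAX];
    int ok = compare_copy(buf, sizeof buf, input);
    wipe(buf, sizeof buf);      /* kept even though buf is dead afterwards */
    return ok;
}

int main(void) { printf("%d\n", check_password_wiped("correct horse")); return 0; }
```

To see the effect, compile with optimization enabled and compare the generated assembly of the two functions: whether the `memset` call survives depends on the compiler and flags, while the volatile stores remain.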
