From owner-freebsd-chat Wed Oct 15 23:08:29 1997
Date: Thu, 16 Oct 1997 00:15:03 -0600 (MDT)
Message-Id: <199710160615.AAA12386@obie.softweyr.ml.org>
From: Wes Peters
To: Brian Haskin
CC: chat@freebsd.org
Subject: Re: C2 Trusted FreeBSD?
In-Reply-To: <344420F8.E4B912C7@ptway.com>
References: <199710150043.KAA00590@word.smith.net.au> <344420F8.E4B912C7@ptway.com>

Brian Haskin writes:
> I believe that Mr. Peters is confusing the standard for erasing
> something that has been written to disk with this. Although you can do
> the same with RAM (as far as recovering previously stored information), I
> don't think that they make you write over it a hundred times for each
> malloc/free sequence.

No, not confusing, just asserting that they are the same. Of course, when I
worked in that industry, the computer I was working on had plated-wire memory
and was *more* persistent than our drum storage.

If you stop thinking of "RAM" and start thinking of "allocated page", you'll
see why, even in a modern system, the requirements for clearing memory haven't
been relaxed too much. You have to scrub data off the VM pages on the swap
device before returning them to the pool, or before allocating them to a
process.

I assume you could probably get by with a bzero for RAM and an overwrite for
disk pages, if you can get whatever RAM you are using certified that a single
overwrite will erase the memory sufficiently to prevent the next process from
gleaning any useful information.

Yes, drum storage and plated-wire memory. They're still running today, and
you'd *all* better hope they never screw up. ;^)

And yes, when we deallocated a block of memory that had held classified data,
we overwrote it 200 times. This was an A-level secure system, and had some
features you won't find on anything you're likely to touch. Our comm links,
for instance, consisted of sealed wires inside a conduit filled with
pressurized oil. In order to physically tap the wire, you had to puncture the
conduit, which would cause a drop in oil pressure, which turned off the comm
link at both ends and set off alarms all over the country. Literally.

If you think that's funky, you should see the specification for Anti-Jam
transmission mode. ;^)

-- 
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                     Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
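The page-scrubbing discipline Wes describes (scrub a page before it goes back to the pool, or before it is handed to the next process), as an added C example that is not Wes Peters's code and not anything from FreeBSD. It models a small page pool with a scrub-on-free and a scrub-on-allocate policy and lets a simulated second "process" check whether the first one's data survived. The pool, the page size, the function names and the secret string are all assumptions constructed for illustration; the single-pass zero stands in for the bzero he mentions, not the 200-pass overwrite of the A-level system.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096
#define NPAGES 4

/* Constructed stand-in for a kernel page pool / swap free list (example only). */
static unsigned char pool[NPAGES * PAGE_SIZE];
static int page_in_use[NPAGES];

static unsigned char *page_ptr(int idx)
{
    return pool + (size_t)idx * PAGE_SIZE;
}

/* Single-pass overwrite through a volatile pointer. The volatile qualifier
 * stops the compiler from discarding the stores as dead writes to memory
 * that is about to be released, which a plain memset() right before free()
 * is liable to suffer; explicit_bzero()/memset_s() exist for the same reason. */
static void scrub(unsigned char *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n-- > 0)
        *vp++ = 0;
}

/* First-fit allocation; scrubs the page on hand-out when scrub_on_alloc is set.
 * Returns the page index, or -1 when the pool is exhausted. */
int page_alloc(int scrub_on_alloc)
{
    for (int i = 0; i < NPAGES; i++) {
        if (!page_in_use[i]) {
            page_in_use[i] = 1;
            if (scrub_on_alloc)
                scrub(page_ptr(i), PAGE_SIZE);
            return i;
        }
    }
    return -1;
}

/* Return a page to the pool; scrubs before release when scrub_on_free is set.
 * Returns 0 on success, -1 on an out-of-range index or a double free. */
int page_free(int idx, int scrub_on_free)
{
    if (idx < 0 || idx >= NPAGES || !page_in_use[idx])
        return -1;
    if (scrub_on_free)
        scrub(page_ptr(idx), PAGE_SIZE);
    page_in_use[idx] = 0;
    return 0;
}

/* 1 if the byte pattern needle appears anywhere inside page idx, else 0. */
int page_contains(int idx, const char *needle)
{
    size_t n = strlen(needle);
    const unsigned char *p = page_ptr(idx);
    for (size_t i = 0; i + n <= PAGE_SIZE; i++)
        if (memcmp(p + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Process A writes a secret into a page and frees it; process B then takes the
 * first free page, which is the same one. Returns 1 if B can read A's secret,
 * 0 if the scrub policy prevented it. */
int secret_leaks(int scrub_on_free, int scrub_on_alloc)
{
    const char *secret = "PLATED-WIRE-SECRET";   /* constructed sample data */
    int a, b, leaked;

    /* Fresh pool for each run. */
    memset(page_in_use, 0, sizeof page_in_use);
    scrub(pool, sizeof pool);

    a = page_alloc(0);
    memcpy(page_ptr(a) + 100, secret, strlen(secret));
    page_free(a, scrub_on_free);

    b = page_alloc(scrub_on_alloc);
    leaked = page_contains(b, secret);
    page_free(b, 1);
    return leaked;
}

int main(void)
{
    printf("no scrub:        leak=%d\n", secret_leaks(0, 0));
    printf("scrub on free:   leak=%d\n", secret_leaks(1, 0));
    printf("scrub on alloc:  leak=%d\n", secret_leaks(0, 1));
    return 0;
}
```

Either policy on its own closes the leak in this model; real kernels tend to zero on allocation because that also covers pages that were never explicitly freed (a crashed process, a page pulled straight off a dirty list). The volatile store is the part most often got wrong in userland: a memset() immediately followed by free() is a dead store from the optimiser's point of view and can be dropped entirely, which is exactly the case where the next owner reads whatever was left behind.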