Date:      Thu, 16 Oct 1997 00:15:03 -0600 (MDT)
From:      Wes Peters <softweyr@xmission.com>
To:        Brian Haskin <haskin@ptway.com>
Cc:        chat@freebsd.org
Subject:   Re: C2 Trusted FreeBSD?
Message-ID:  <199710160615.AAA12386@obie.softweyr.ml.org>
In-Reply-To: <344420F8.E4B912C7@ptway.com>
References:  <199710150043.KAA00590@word.smith.net.au> <344420F8.E4B912C7@ptway.com>

Brian Haskin writes:
 > I believe that Mr. Peters is confusing the standard for erasing
 > something that has been written to disk with this. Although you can do
 > the same with ram (as far as recovering previously stored information) I
 > don't think that they make you write over it a hundred times for each
 > malloc free sequence.

No, not confusing, just asserting that they are the same.  Of course,
when I worked in that industry, the computer I was working on had
plated-wire memory and was *more* persistent than our drum storage.

If you stop thinking of "RAM" and start thinking of "allocated page"
you'll see why, even in a modern system, the requirements for clearing
memory haven't been relaxed too much.  You have to scrub data off the VM
pages on the swap device before returning them to the pool, or before
allocating them to a process.  I assume you could probably get by with a
bzero for ram and overwrite for disk pages, if you can get whatever RAM
you are using certified that a single overwrite will erase the memory
sufficiently to prevent the next process from gleaning any useful
information.

Yes, drum storage and plated-wire memory.  They're still running today,
and you'd *all* better hope they never screw up. ;^)  And yes, when we
deallocated a block of memory that had held classified data, we
overwrote it 200 times.  This was an A-level secure system, and had some
features you won't find on anything you're likely to touch.  Our comm
links, for instance, consisted of sealed wires inside a conduit filled
with pressurized oil.  In order to physically tap the wire, you had to
puncture the conduit, which would cause a drop in oil pressure, which
turned off the comm link at both ends and set off alarms all over the
country.  Literally.  If you think that's funky, you should see the
specification for Anti-Jam transmission mode.  ;^)

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710160615.AAA12386>
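The scrub-before-reuse requirement Wes describes above (bzero for RAM, overwrite for disk pages, before a page goes back to the pool or to another process) has a userland analogue that is easy to get wrong: a plain memset() before free() is a dead store from the compiler's point of view and is routinely optimized away. The following is an added example, not code from the original thread or from FreeBSD; it assumes a POSIX system with mmap(2) and uses the volatile-function-pointer trick to keep the wipe, with a constructed 64-byte "secret" as input. The second function checks the kernel's side of the same contract on the running system: anonymous mmap pages are specified to arrive zero-filled, so a process cannot read another process's leftovers from a fresh page.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>

/* Calling memset through a volatile function pointer prevents the compiler
 * from treating the store as dead and dropping it before free().
 * (FreeBSD and glibc >= 2.25 ship explicit_bzero() for the same purpose.) */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    memset_ptr(p, 0, n);
}

/* Returns 1 if every byte in [p, p+n) is zero, 0 otherwise. */
int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Userland side: free() hands the bytes back to the allocator unchanged, and a
 * later malloc() of the same size class may return them to other code in the
 * process. Wiping before free() removes that exposure. Returns 1 when the
 * constructed secret was non-zero before the wipe and all-zero after it. */
int wipe_before_free_demo(void) {
    const size_t n = 64;
    unsigned char *secret = malloc(n);
    if (secret == NULL) return 0;
    memset(secret, 0x41, n);                  /* constructed secret: 64 x 'A' */
    int dirty_before = !all_zero(secret, n);
    secure_wipe(secret, n);
    int clean_after = all_zero(secret, n);
    free(secret);
    return dirty_before && clean_after;
}

/* Kernel side: a fresh anonymous page must not carry another process's data.
 * POSIX specifies MAP_ANONYMOUS memory as zero-filled; this checks that
 * guarantee on one page of the running system. It says nothing about how the
 * kernel scrubs pages on the swap device, only about what the process sees. */
int fresh_page_is_zero(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return 0;
    unsigned char *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    int zero = all_zero(p, (size_t)page);
    munmap(p, (size_t)page);
    return zero;
}

int main(void) {
    printf("wipe before free survives the compiler: %s\n",
           wipe_before_free_demo() ? "yes" : "no");
    printf("fresh anonymous page is zero-filled:    %s\n",
           fresh_page_is_zero() ? "yes" : "no");
    return 0;
}
```

Whether a recycled heap block actually exposes the previous contents depends on the allocator and is not something to assert on; the point is that the wipe must survive optimization, which is what the volatile pointer (or explicit_bzero) buys you. The single zero pass here corresponds to the "bzero for RAM" case in the message; the multi-pass overwrite discussed for persistent media is a separate requirement that this example does not model.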