Compile-time flag causing GC to zero evacuated memory
The memory
package includes a ScrubbedBytes
type that scrubs (zeros) the bytestring upon free via a finalizer. The intent with this type is to achieve a common requirement in the cryptographic world that key material is zeroed once it is no longer needed.
Sadly, this technique is not useful for many reasons:
- Consumers often take bytestrings
- Key material often exists as other types such as bytestring, Text in case of passwords>>=KDF, or Integer in the case of home-grown RSA operations.
- Scrubbing via a finalizer is clumsy, verbose, and error prone.
memory
's scrubbing appears to be related to or even have caused a bug with a related library a while back.
Note I am rather keen on not arguing about the suitability of Haskell for cryptographic purposes. That's an orthogonal topic to the value of zeroing freed memory.
I would like GHC to include a flag (--zero-evacuated
?) that will cause evacuated memory to be zeroed by the GC. This functionality already exists as a debugging feature to help recognize unused (or misused) memory so I anticipate the actual RTS code change to be minimal. The main question is if GHCHQ agrees this feature is valuable enough to include another flag.
Thoughts?
Trac metadata
Trac field | Value |
---|---|
Version | 8.1 |
Type | FeatureRequest |
TypeOfFailure | OtherFailure |
Priority | normal |
Resolution | Unresolved |
Component | Compiler |
Test case | |
Differential revisions | |
BlockedBy | |
Related | |
Blocking | |
CC | |
Operating system | |
Architecture |