bzero(3) - f29

1BZERO(3)                   Linux Programmer's Manual                  BZERO(3)
2
3
4

NAME

6       bzero, explicit_bzero - zero a byte string
7

SYNOPSIS

9       #include <strings.h>
10
11       void bzero(void *s, size_t n);
12
13       #include <string.h>
14
15       void explicit_bzero(void *s, size_t n);
16

DESCRIPTION

18       The  bzero()  function  erases  the  data  in the n bytes of the memory
19       starting at the location pointed to by s, by writing zeros (bytes  con‐
20       taining '\0') to that area.
21
22       The  explicit_bzero()  function  performs the same task as bzero().  It
23       differs from bzero() in that it guarantees that compiler  optimizations
24       will  not  remove  the erase operation if the compiler deduces that the
25       operation is "unnecessary".
26

RETURN VALUE

28       None.
29

VERSIONS

31       explicit_bzero() first appeared in glibc 2.25.
32

ATTRIBUTES

34       For  an  explanation  of  the  terms  used   in   this   section,   see
35       attributes(7).
36
37       ┌─────────────────┬───────────────┬─────────┐
38       │Interface        │ Attribute     │ Value   │
39       ├─────────────────┼───────────────┼─────────┤
40       │bzero(),         │ Thread safety │ MT-Safe │
41       │explicit_bzero() │               │         │
42       └─────────────────┴───────────────┴─────────┘

CONFORMING TO

44       The  bzero() function is deprecated (marked as LEGACY in POSIX.1-2001);
45       use memset(3) in new programs.  POSIX.1-2008 removes the  specification
46       of bzero().  The bzero() function first appeared in 4.3BSD.
47
48       The  explicit_bzero()  function is a nonstandard extension that is also
49       present on some of the BSDs.  Some other implementations have a similar
50       function, such as memset_explicit() or memset_s().
51

NOTES

53       The  explicit_bzero()  function  addresses a problem that security-con‐
54       scious applications may run into when using bzero():  if  the  compiler
55       can deduce that the location to zeroed will never again be touched by a
56       correct program, then it may remove the bzero() call altogether.   This
57       is  a  problem if the intent of the bzero() call was to erase sensitive
58       data (e.g., passwords) to prevent the possibility  that  the  data  was
59       leaked   by   an   incorrect   or   compromised   program.    Calls  to
60       explicit_bzero() are never optimized away by the compiler.
61
62       The explicit_bzero() function does not solve  all  problems  associated
63       with erasing sensitive data:
64
65       1. The explicit_bzero() function does not guarantee that sensitive data
66          is completely erased from memory.  (The same is  true  of  bzero().)
67          For example, there may be copies of the sensitive data in a register
68          and in "scratch" stack areas.  The explicit_bzero() function is  not
69          aware of these copies, and can't erase them.
70
71       2. In  some  circumstances, explicit_bzero() can decrease security.  If
72          the compiler determined that the variable containing  the  sensitive
73          data  could  be  optimized to be stored in a register (because it is
74          small enough to fit in a register, and no operation other  than  the
75          explicit_bzero()  call  would  need to take the address of the vari‐
76          able), then the explicit_bzero() call will  force  the  data  to  be
77          copied  from  the register to a location in RAM that is then immedi‐
78          ately erased (while the copy in the  register  remains  unaffected).
79          The problem here is that data in RAM is more likely to be exposed by
80          a bug than data in a register, and thus  the  explicit_bzero()  call
81          creates a brief time window where the sensitive data is more vulner‐
82          able than it would otherwise have been if no attempt had  been  made
83          to erase the data.
84
85       Note  that declaring the sensitive variable with the volatile qualifier
86       does not eliminate the above  problems.   Indeed,  it  will  make  them
87       worse, since, for example, it may force a variable that would otherwise
88       have been optimized into a register to instead be maintained  in  (more
89       vulnerable) RAM for its entire lifetime.
90
91       Notwithstanding the above details, for security-conscious applications,
92       using explicit_bzero() is generally preferable to not  using  it.   The
93       developers  of  explicit_bzero()  anticipate that future compilers will
94       recognize calls to explicit_bzero() and take steps to ensure  that  all
95       copies  of the sensitive data are erased, including copies in registers
96       or in "scratch" stack areas.
97

COLOPHON

102       This page is part of release 4.16 of the Linux  man-pages  project.   A
103       description  of  the project, information about reporting bugs, and the
104       latest    version    of    this    page,    can     be     found     at
105       https://www.kernel.org/doc/man-pages/.
106
107
108
109Linux                             2017-09-15                          BZERO(3)