"Empower yourself, learn to code, there's too many charlatans on this island!" - That's the motto of hackers.mu. Indeed, there are many people everywhere calling themselves professionals when in fact they are merely wearing a mask and showing off in public. I would also claim that no one is perfect in the field of IT and security; however, accepting oneself and moving on to another stage is the real goal.
What is Signal, and why use it? I posted an article yesterday to elaborate on the application. Hackers.mu is promoting not only Signal but many free and open source security software projects such as Tor, Bitcoin and many others, to liberate each and everyone from this sick society where governments are spying on your personal stuff. I did some research on Signal and concluded that it is indeed amazing!
With the help of Logan, a member and contributor of hackers.mu, I made an audit of the Signal code and noticed that some improvements can be made to one of the libraries. A remote hacker can probe the memory and harvest the sensitive information.
The logic: data in memory (cryptographic keys, for example) is not always needed, and while it sits there someone can look for ways to exploit it. An analogy is washing your keyboard after entering your password so that people cannot collect your fingerprints to steal it. In other words, code execution at the memory level can be used to penetrate your system. Zeroing buffers that contained sensitive information is an exploit mitigation technique against this attack. Let me take an example: imagine you are a hacker and you can see what is in the RAM of your victim. You can then see passwords and everything else. It is therefore better to delete them if they are not going to be used, or to fill the memory with wrong passwords to trick the hackers.
In technical terms, the idea is to overwrite a variable when you are about to get rid of it, so that other programs cannot detect what was there. The key is not to keep the secret data in memory longer than necessary. What you overwrite it with might matter, but the fact that it is overwritten is what keeps it secret. So let's see how to put zeroes in RAM to erase what was there before. Keep in mind that this has nothing to do with overflows.
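As an added illustration (not code from libaxolotl-c or from the pull requests linked on this page), the example below shows zeroing a secret in C, the library's language. `session_t`, `secure_zero` and the other names are hypothetical; the volatile pointer is used because a plain `memset` on a buffer that is never read again may be removed by an optimizing compiler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t key[32];
} session_t;   /* hypothetical session object holding a secret key */

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead writes when the buffer is never read again. */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 when every byte of buf is zero, 0 otherwise. */
static int is_all_zero(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

static void session_open(session_t *s, const uint8_t key[32])
{
    memcpy(s->key, key, sizeof s->key);
}

/* Erase the secret at the moment it stops being needed. */
static void session_close(session_t *s)
{
    secure_zero(s, sizeof *s);
}

int main(void)
{
    uint8_t key[32];
    session_t s;
    memset(key, 0xA5, sizeof key);     /* constructed sample key */
    session_open(&s, key);
    secure_zero(key, sizeof key);      /* the caller's copy is a secret too */
    printf("all zero before close: %d\n", is_all_zero(&s, sizeof s));
    session_close(&s);
    printf("all zero after close:  %d\n", is_all_zero(&s, sizeof s));
    return 0;
}
```

Where the platform offers one, a dedicated primitive such as `explicit_bzero` (glibc, BSD), `memset_s` (C11 Annex K) or `SecureZeroMemory` (Windows) serves the same purpose.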
Do check out the pull requests and commit at https://github.com/WhisperSystems/libaxolotl-c/pulls