Clearing memory securely and reallocations

Question

Following the discussion here, if you want to have a secure class for storing sensitive information (e.g passwords) on memory, you have to:

• memset/clear the me

Answer 1

Without inspecting the details of memcpy_s, I suspect that what you are seeing is a temporary stack buffer used by memcpy_s to copy out small memory buffers. You can verify this by running in a debugger and seeing if LOLWUT shows up when viewing stack memory.

[The implementation of reallocate in Crypto++ uses memcpy_s when resizing memory allocations, which is why you would be able to find some number of LOLWUT strings in memory. Also, the fact that many different LOLWUT strings overlap in that dump suggest that it's a temporary buffer that's being reused.]

The custom version of memcpy that is just a simple loop does not require temporary storage beyond counters, so that would certainly be more secure than how memcpy_s is implemented.