[TALK] Proving fundamental Unix guarantees

[Peter Jeremy]

On 2003-Jun-30 11:44:16 +1000, Peter Jeremy <peter.jeremy at alcatel.com.au> wrote:
>In response to a query, one of our Unix vendors has stated
>"OS-name-deleted-to-protect-the-guilty does not guarantee that all
>memory given to a program is necessarily initialised" and "there are
>regions known as BSS which hold data (i.e. program variables) which
>ARE NOT INITIALISED.  What this means is that these variables will
>hold whatever was in that memory location before it was allocated to
>them. ...  This is designed behaviour".

Based on the replies I have received, maybe I should have included
more information.

We have bumped into a problem where a warm reboot (eg "shutdown -r")
gives different behaviour to a cold reboot (eg "shutdown -h"/boot).
According to the vendor, the only difference is that in the latter
case physical RAM will be initialised, whereas in the former case it
retains the previous values.  I have suggested that this appears to
indicate that the kernel is using memory without initialising it -
which is a bug in the kernel.  The vendor has suggested that the
kernel passes memory to the application without initialising it and
therefore it is a bug in the application.

Whilst I agree that there may be bugs in the application, having a
kernel pass uninitialised memory to a userland process is a major
security hole.  (Want another process to be given a copy of your
su/pgp/ssh processes memory image?)  I have confirmed that as far as I
can determine (and as expected), all memory is initialised before
being passed to the application.

Definitely the C standards require uninitialised static variables
(which are normally stored in BSS) to be initialised as if they were
assigned zero (which is zero on most systems) - though the mechanism
isn't specified.  I was hoping that some of the POSIX or SVID
standards might say some words on the the kernel/userland interface.

Peter