-1

In my understanding the problem with Heartbleed was the access to memory of previous requests? Isn't it possible to wipe the memory after using it? To use different memory spaces for each request, that are not accessible? If the web server (e.g. Apache or Nginx) is started with multiple processes, are they still sharing memory containing user information?

My question in short: Is it possible to configure Apache/Nginx/others to use a more secure model of memory access?

Performance reduction wouldn't matter since Heartbleed 2.0 will eventually come and then you just have a quick laugh instead of lots of work.

Ikarus
  • 43
  • 6
  • Don't try to fix what you don't know about, patch your `openssl` and hope for the best – bjhaid Apr 19 '14 at 19:46
  • I don't believe burying your head in the sand is a valid strategy for anything, otherwise I wouldn't have bothered to ask – Ikarus Apr 19 '14 at 20:26
  • Only a proof of concept at the moment, unfortunately, but a memory safe C compiler is possible: [Presentation](https://www.youtube.com/watch?v=2ybcByjNlq8), [PDF](http://blog.andreas.org/static/30c3-buffer-overflows.pdf) – Perseids Apr 20 '14 at 08:07
  • Sounds reasonable to catch it on compiler level. Was wondering more about the current situation: can the processes access each other's memory? Can I prevent that? Or is a buffer over-read always possible? – Ikarus Apr 20 '14 at 12:34

1 Answer

1

In Apache you can use the following two commands:

```
WipeMemoryAfterUse = True
SeperateProcessMemory = True
```

mucus
  • 11
  • 1
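
A toy model of the wipe-after-use idea raised in the question, added here as an example (it is not code from the post, the answer, OpenSSL, Apache or Nginx). The single reused buffer, the function names and the sample credential string are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64
static unsigned char req_buf[BUF_SIZE]; /* one buffer reused for every request */

/* Zero memory through a volatile pointer so the compiler keeps the writes. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Handle an ordinary request; optionally wipe the buffer when done. */
void serve(const char *data, size_t len, int wipe_after_use) {
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(req_buf, data, len);
    /* ... request is processed here ... */
    if (wipe_after_use) secure_wipe(req_buf, BUF_SIZE);
}

/* Echo handler: the peer sends `actual` bytes but claims `claimed`.
 * check_len = 0 models the missing length check, 1 the fix.
 * Returns the number of bytes written to out (0 = rejected). */
size_t echo(const char *payload, size_t actual, size_t claimed,
            unsigned char *out, int check_len) {
    if (actual > BUF_SIZE || claimed > BUF_SIZE) return 0; /* keep the model in bounds */
    if (check_len && claimed > actual) return 0;
    memcpy(req_buf, payload, actual);
    memcpy(out, req_buf, claimed);
    return claimed;
}

/* Count non-zero bytes in out[from..to): data left by an earlier request. */
size_t stale_bytes(const unsigned char *out, size_t from, size_t to) {
    size_t n = 0;
    for (size_t i = from; i < to; i++) n += (out[i] != 0);
    return n;
}

int main(void) {
    const char secret[] = "user=alice;pw=hunter2"; /* constructed sample */
    unsigned char out[BUF_SIZE];
    for (int wipe = 0; wipe <= 1; wipe++) {
        serve(secret, sizeof secret - 1, wipe);
        size_t n = echo("hi", 2, 32, out, 0);
        printf("wipe=%d: %zu stale bytes in reply\n", wipe, stale_bytes(out, 2, n));
    }
}
```

Wiping only removes data that is no longer in use; anything still live in the process stays readable by an over-read, so the length check in `echo` is the actual fix and the wipe is defence in depth.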