N2485: Add explicit_memset() as non-optional part of <string.h> to C2X

Document Number: N2485
Submitter: Aaron Peter Bachmann
Submission Date: 2020-02-19
Add explicit_memset() as non-optional part of <string.h> to C2X

Summary

explicit_memset() or something equivalent is useful to securely set or erase memory. In Annex K there is memset_s() but Annex K is optional. Since most C-libraries chose not to implement Annex K the option is less useful than desirable.

Prior work

http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1381.pdf proposed memset_s() and it is currently part of Annex K.
OpenBSD, NetBSD, Minix, musl have explicit_memset()

glibc has explicit_bzero()
Other systems provide (mostly) equivalent alternatives, e. g.
```
memzero_explicit(), SecureZeroMemory()
```

Discusion

explicit_memset() shall behave like memset(), with the added stipulation that the call to explicit_memset() is guaranteed not to be optimized away.

We prefer ...memset...() over ...zero...() since it allows to set an arbitrary value not just

(unsigned
        char)0

The name explicit_memset() is used more often than memset_explicit(), so stick with that.

Given the standard uses '_explicit' as suffix already i. e. - atomic_..._explicit() - introducing

void












        *memset_explicit(void *s, int c, size_t len)

instead of

void









        *explicit_memset(void *s, int c, size_t len)

seems a reasonable alternative.

In order to make explicit_memset() even more useful, a compiler may choose to erase local (partial) copies of *s as well. That is an issue of the quality of the implementation.

http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1969.htm states: "Therefore, we propose that Annex K be either removed from the next revision of the C standard, or deprecated and then removed."

Proposed wording

After

7.24.6.1 The memset function

...

add

7.24.6.2 The explicit_memset function

Synopsis

#include <string.h>

void *explicit_memset(void *s, int c, size_t n);

Description

The explicit_memset function copies the value of c (converted to an unsigned char) into each of the first n characters of the object pointed to by s. Unlike memset, any call to the explicit_memset function shall be evaluated strictly according to the rules of the abstract machine as described in (5.1.2.3). That is, any call to the explicit_memset function shall assume that the memory indicated by s and n may be accessible in the future and thus contains the values indicated by c.