Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site mit-eddie.MIT.EDU
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!barmar
From: barmar@mit-eddie.MIT.EDU (Barry Margolin)
Newsgroups: net.unix-wizards,net.sources.bugs
Subject: Re: What happens during an unlink(2)
Message-ID: <1825@mit-eddie.MIT.EDU>
Date: Fri, 2-May-86 01:53:26 EDT
Article-I.D.: mit-eddi.1825
Posted: Fri May 2 01:53:26 1986
Date-Received: Sun, 4-May-86 05:39:57 EDT
References: <947@kitty.UUCP> <403@ukecc.UUCP> <979@kitty.UUCP> <422@ukecc.UUCP> <238@chronon.chronon.UUCP>
Reply-To: barmar@mit-eddie.UUCP (Barry Margolin)
Organization: MIT, EE/CS Computer Facilities, Cambridge, MA
Lines: 28
Keywords: Disk blocks sometimes get zeroed
Xref: watmath net.unix-wizards:17919 net.sources.bugs:823

In article <238@chronon.chronon.UUCP> eric@chronon.UUCP (Eric Black) writes:
>Some unitory systems do, indeed, zero out disk blocks when de-allocated,
>and similarly clear memory when freed. Any system you sell to customers
>with concerns about security will require this. Check out DOD requirements
>for secure systems in the "Department of Defense Trusted Computer
>System Evaluation Criteria", publication CSC-STD-001-83 (my copy is
>dated March 1985) for this and other interesting features...

I don't have my copy of the Criteria handy, but I don't believe that it
requires zeroing of freed disk blocks (I'm pretty sure that we don't
zero freed disk blocks on Multics, and we are rated B2). What it
requires is that the old data not be accessible upon reuse. A freed
disk block will never be paged into memory, and when it is reused it
will be completely overwritten by the memory frame being paged out. And
an unused physical memory frame will be zeroed before being allocated
into the page table (but not if the frame is being allocated to hold a
disk page being read in).

Working from memory, I think the only requirement about zeroing has to
do with removable media. The system must be able to completely destroy
the data upon request. For example, we have a tape drive operation
(called "data security erase", I think) that overwrites every record of
the tape several times, to make sure that no residual data can be
detected.
--
    Barry Margolin
    ARPA: barmar@MIT-Multics
    UUCP: ..!genrad!mit-eddie!barmar
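
The reuse policy described in the post above, as an added example that is not part of the original article and is not Multics code: a toy frame pool in C where freeing scrubs nothing, a fresh frame is zeroed at allocation, and a frame taken for a page-in skips the zeroing because the incoming page overwrites all of it. The pool sizes and every function name here are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define FRAME_SIZE 64   /* constructed toy size; real frames are page-sized */
#define NFRAMES    4

static unsigned char pool[NFRAMES][FRAME_SIZE];
static int in_use[NFRAMES];
unsigned char *frame_data(int f) { return pool[f]; }

/* Release a frame. Nothing is scrubbed: the old contents stay in the
 * pool but are unreachable until the frame is handed out again. */
void frame_free(int f) { in_use[f] = 0; }

static int grab(void) {
    for (int f = 0; f < NFRAMES; f++)
        if (!in_use[f]) { in_use[f] = 1; return f; }
    return -1;                       /* pool exhausted */
}

/* Fresh frame for a new page: zero it before the new owner sees it. */
int frame_alloc_zeroed(void) {
    int f = grab();
    if (f >= 0) memset(pool[f], 0, FRAME_SIZE);
    return f;
}

/* Frame that will hold a page read in from disk: skip the zeroing, but
 * accept only a full-frame image so every old byte is overwritten. */
int frame_alloc_pagein(const unsigned char *page, size_t len) {
    if (len != FRAME_SIZE) return -1;   /* a short read would leak residue */
    int f = grab();
    if (f >= 0) memcpy(pool[f], page, FRAME_SIZE);
    return f;
}

/* Residue check: how many bytes of the frame are non-zero. */
int frame_nonzero_bytes(int f) {
    int n = 0;
    for (int i = 0; i < FRAME_SIZE; i++) n += pool[f][i] != 0;
    return n;
}

int main(void) {
    int f = frame_alloc_zeroed();
    memset(frame_data(f), 'S', FRAME_SIZE);  /* constructed "secret" */
    frame_free(f);
    f = frame_alloc_zeroed();                /* same frame, reused */
    return frame_nonzero_bytes(f);           /* exit status 0: no residue */
}
```

The length check in `frame_alloc_pagein` is what makes skipping the zeroing safe: a partial overwrite would expose the previous owner's trailing bytes.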