[MLton] Writing memory to disk ...

Wesley W. Terpstra terpstra@gkec.informatik.tu-darmstadt.de
Wed, 24 May 2006 17:40:46 +0200


On May 24, 2006, at 5:15 PM, Henry Cejtin wrote:
> Note, MLton can't really get more than about 2 gig in the nmap  
> address space.

So, then why the workaround? Or do you really mean total, and not
contiguous?

> Re passwords on the disk, the right way to go to eliminate most of
> the danger is that you create the file, then unlink, then write.

I'm sorry, but this is definitely *not* ok. Sensitive information is  
never supposed to touch disk. It's not about defending against root,  
it's about defending against theft, seizure, etc. You can tell the  
kernel some areas may not be swapped out, but you can't tell this to  
MLton. Crypto libraries like openssl make sure private keys don't get  
paged out. Yet if linked into a MLton executable, that becomes  
irrelevant.

Then too, there's my concern that if you fill up /tmp, software can  
start to break. At least on Mac OS, I've lost my desktop settings  
whenever the disk was filled. No fun, I assure you. Yes, it's an OS X
bug, but it's one I have to live with.

And again, it's not something a person would reasonably expect a  
program to do! Any MLton compiled program might do this...

> Any way, I definitely need it, but an option might be ok.

What do you use it for?
I don't object to it as long as it's off by default and the path
isn't hard-coded. One could actually kill two birds with one stone by
having the option also specify the path. e.g.:
./myprogram @MLton swap-file /tmp/xxxx -- ...
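
What "telling the kernel some areas may not be swapped out" looks like at the C level, as an added example that is not part of the original post and is not MLton or OpenSSL code; the `secret_region` type and its functions are hypothetical names. `mlock()` only constrains kernel paging, so a runtime that writes its own heap to a file is not bound by it.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type: one page-aligned region for key material. */
typedef struct { unsigned char *buf; size_t len; int locked; } secret_region;

/* Map whole pages and ask the kernel to keep them resident (no swap-out).
 * r->locked records whether mlock() was granted (RLIMIT_MEMLOCK may refuse). */
int secret_region_open(secret_region *r, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0) return -1;
    r->len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    void *p = mmap(NULL, r->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { r->buf = NULL; r->len = 0; return -1; }
    r->buf = p;
    r->locked = (mlock(r->buf, r->len) == 0);
    return 0;
}

/* Overwrite through a volatile pointer so the stores are not optimized away.
 * Returns the number of non-zero bytes left (0 means fully wiped). */
size_t secret_region_wipe(secret_region *r) {
    volatile unsigned char *v = r->buf;
    size_t left = 0;
    for (size_t i = 0; i < r->len; i++) v[i] = 0;
    for (size_t i = 0; i < r->len; i++) left += (v[i] != 0);
    return left;
}

/* Wipe first, then unlock and unmap, so no secret bytes remain once the lock is dropped. */
int secret_region_close(secret_region *r) {
    if (!r->buf) return -1;
    secret_region_wipe(r);
    if (r->locked) munlock(r->buf, r->len);
    int rc = munmap(r->buf, r->len);
    r->buf = NULL; r->len = 0; r->locked = 0;
    return rc;
}

int main(void) {
    secret_region r;
    if (secret_region_open(&r, 32) != 0) return 1;
    memcpy(r.buf, "constructed-sample-key-material", 32); /* constructed sample */
    return secret_region_close(&r);
}
```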