For most of you on cap-talk this will probably all be old/known stuff, but
to make sure I communicate the urgency of my plea for a peer review of the
code of this library, let me draw a dense context.
Some years ago I wrote a proof of concept implementation of a set of
cooperating least authority providing user space file-systems for AppArmor
based Linux systems. This proof of concept was/is called MinorFS. For some
context, here is a Linux Journal article I wrote on this system 5 years
ago.
http://www.linuxjournal.com/magazine/minorfs
At the core of these file systems was a sparsecap (or password capability
if you prefer that term) file-system called capfs. This file-system was
based on an sqlite database with sparsecap to path mappings.
Some time later, I came up with an alternative hash based algorithm that
could possibly do away with the need of a database for capfs. After asking
feedback on this algorithm on the cap-talk mailing list, David Barbour
suggested I'd use HMAC instead of just SHA.
http://www.eros-os.org/pipermail/cap-talk/2012-February/015332.html
Resulting from this feedback, and driven by the idea that a library for
sparsecaps that give access to a DAG shaped authority structure might be
useful for other things than just a rewrite of Minorfs::capfs, I recently
created a C++ (c++11) library that implements the algorithm, using
crypto++ for its hmac/sha2 crypto primitives.
https://github.com/pibara/Rumpeltreepp
This library basically implements the algorithm described here:
http://minorfs.wordpress.com/2014/02/20/rumpelstiltskin-and-his-children/
http://minorfs.wordpress.com/2014/03/21/rumpelstiltskin-and-his-children-part-2/
Given the fact that my crypto knowledge and my knowledge regarding
implementation and usage pitfalls is relatively limited, I desperately
need a peer review on my Rumpeltree++ source code. When the file-system
is finished, the logic in this library will become a pivotal part of the
TCB of any system built using the full set of file systems that will be
layered on them together with AppArmor. A rewrite of the original MinorFS
that will aim at retrofitting the taming of shared mutable file system
provided by MinorFS to non-MinorFS-aware applications in a way that should
help mitigate the effects that Trojans might have in a major way:
http://www.slideshare.net/RobMeijer3/ohm2013-trojans-slides
Thus, if anyone would be able and willing to contribute a peer review to
this library, you will be playing a crucial role in the ultimate goal of
creating a trojan free environment.
Tnx,
Rob

Post by Rob Meijer
Just did a last bugfix. All tests run correctly and without memory leaks.
Would anyone be interested in contributing a security-oriented code-review
on my library? It's C++11 code and I took extra effort to make sure memory
containing security sensitive authority tokens gets wiped after usage
while maintaining the friendly almost fully string like interface.
T.I.A.
Rob

Post by Rob Meijer
Oops, that one should have gone to cap-talk, not e-lang :-(

Post by Rob Meijer
I thought some of you might be interested in the following.
I've migrated my Rumpelstiltskin tree-graph algorithm code from using
openssl to using crypto++, and from being some deep part of MinorFS2 to
being its own hopefully more widely usable C++ library. It's still a work
in progress (need to write a whole lot of extra tests, need to look at
memory wiping that seems not to be working, and at writing a solid cmake
config file without hard-coded llvm tools), but anyhow, I think it's in a
state that it's suitable to play around with a bit for those interested in
using it.
https://github.com/pibara/Rumpeltreepp
I'm very interested in any feedback, and if anyone thinks it useful that
I've separated my code from MinorFs2 into a separate general purpose
library.
The interface of the library is defined in rumpelstiltskin.hpp, and an API
usage example can be found in test.cpp.
Rob
_______________________________________________
e-lang mailing list
http://www.eros-os.org/mailman/listinfo/e-lang
_______________________________________________
cap-talk mailing list
http://www.eros-os.org/mailman/listinfo/cap-talk
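As an added illustration of the idea the thread is about (an HMAC-based sparsecap tree that needs no cap-to-path database, with a secret-keyed mapping from a token to its storage location), here is a constructed Python sketch. It is not Rumpeltree++'s code and does not reproduce the blog posts' exact algorithm: the derivation order, the function names, the slash-separated path walk and the server-secret storage mapping are assumptions chosen to show the principle in a form that runs with only the standard library.

```python
import hmac
import hashlib
import secrets

# Constructed sketch of an HMAC-derived sparsecap tree; not the Rumpeltree++
# source. Derivation order, names and the storage mapping are assumptions
# picked to illustrate the idea, not the library's definitions.

HASH = hashlib.sha256
CAP_LEN = HASH().digest_size  # 32-byte tokens


def new_root_cap() -> bytes:
    """A fresh, unguessable root token: the only random value in the tree."""
    return secrets.token_bytes(CAP_LEN)


def child_cap(parent_cap: bytes, child_name: str) -> bytes:
    """Child token = HMAC(parent_cap, child_name).

    Whoever holds the parent token can derive every descendant, so a single
    token carries authority over a whole subtree and no cap->path table has
    to be kept. Putting the parent in HMAC's key slot, instead of hashing
    SHA2(parent || name), keeps the derivation keyed and closes the
    length-extension route that plain concatenation leaves open.
    """
    if not child_name or "/" in child_name:
        raise ValueError("child names are single path components")
    return hmac.new(parent_cap, child_name.encode("utf-8"), HASH).digest()


def cap_at(root_cap: bytes, path: str) -> bytes:
    """Walk a slash-separated path down the tree from a root token."""
    cap = root_cap
    for component in filter(None, path.split("/")):
        cap = child_cap(cap, component)
    return cap


class CapStore:
    """The trusted side of the file system: holds a secret that never leaves it."""

    def __init__(self, server_secret: bytes):
        if len(server_secret) < CAP_LEN:
            raise ValueError("server secret must be at least 256 bits")
        self._secret = server_secret

    def storage_id(self, cap: bytes) -> str:
        """On-disk location = HMAC(server_secret, cap).

        Keyed with the server secret so that a directory listing or a backup
        of the store reveals no token: the mapping is one-way, and without the
        secret it cannot even be computed for a known token.
        """
        if len(cap) != CAP_LEN:
            raise ValueError("malformed capability")
        return hmac.new(self._secret, cap, HASH).hexdigest()

    @staticmethod
    def same_cap(presented: bytes, expected: bytes) -> bool:
        """Token comparisons are done in constant time to avoid timing leaks."""
        return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed demo values; a real deployment draws both from a CSPRNG.
    store = CapStore(bytes(range(32)))
    root = new_root_cap()
    notes = cap_at(root, "projects/notes.txt")
    print("token for projects/notes.txt:", notes.hex())
    print("stored under id:", store.storage_id(notes))
    print("sibling differs:", cap_at(root, "projects/other.txt") != notes)
```

The two HMAC uses play different roles: `child_cap` keys with the parent token so authority flows downward by derivation alone, while `storage_id` keys with a secret the library never hands out, so the names that end up on disk are useless to anyone who can read the directory but does not hold a token. The sketch deliberately leaves out two things the thread mentions that Python cannot model honestly: the read-only attenuation of tokens and the wiping of token memory after use.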