
The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.


Overview

Finding ID: V-16793
Version: APP3230
Rule ID: SV-17793r1_rule
IA Controls: ECCR-1, ECCR-2, ECCR-3
Severity: Medium
Description
Sensitive and classified data in memory should be cleared or overwritten to protect data from the possibility of an attacker causing the application to crash and analyzing a memory dump of the application for sensitive information.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-17781r1_chk)
If the application does not contain sensitive or classified information this check is not applicable.

If the application is a COTS/GOTS product, or is composed only of COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by, or in conjunction with, the COTS/GOTS vendor, in which case this check is applicable.

Ask the application representative to demonstrate how the application clears and releases memory blocks. Microsoft Visual C++ provides SecureZeroMemory, a clearing routine for sensitive and classified data that the compiler will not optimize out of the code.

1) If the application releases objects before clearing them, it is a finding.

Fix Text (F-17011r1_fix)
Clear memory blocks used for storing sensitive and classified data, before release.
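The clearing that the check asks the representative to demonstrate, as an added example in C that is not part of the STIG or the UCF viewer: a volatile-store wipe standing in for SecureZeroMemory on targets without it, applied to a heap block before free() and to a stack buffer. The function names and the sample secret are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Portable secure-wipe helper in the spirit of the SecureZeroMemory call
 * the check text names. A plain memset() on a block that is freed right
 * afterwards is a dead store to the compiler and may be optimized out;
 * storing through a volatile pointer forces every write to be emitted,
 * which is what SecureZeroMemory guarantees on Windows. Function names
 * and sample values here are constructed for the illustration. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
static int is_all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Copies a secret into a heap block, stands in for processing it, wipes
 * the block and only then frees it. Returns 1 if the block read back as
 * all zero before release, 0 on allocation failure or a failed wipe. */
int process_secret(const char *secret)
{
    size_t len = strlen(secret) + 1;
    unsigned char *work = malloc(len);
    if (work == NULL)
        return 0;
    memcpy(work, secret, len);
    /* ... the application would use the sensitive data here ... */
    secure_wipe(work, len);          /* clear before release */
    int clean = is_all_zero(work, len);
    free(work);                      /* release only after clearing */
    return clean;
}

/* Same discipline for a stack buffer holding constructed key material. */
int wipe_stack_key(void)
{
    unsigned char key[32];
    memset(key, 0xAA, sizeof key);   /* stand-in for real key material */
    secure_wipe(key, sizeof key);
    return is_all_zero(key, sizeof key);
}
```

On Windows the SecureZeroMemory call named in the check text can replace secure_wipe directly; explicit_bzero or memset_s serve the same purpose on platforms that provide them.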