Is it necessary to clean up stack contents?

Question

We are under a PCI PA-DSS certification and one of its requirements is to avoid writing clean PAN (card number) to disk. The application is not writing such information to disk, but if the operating system (Windows, in this case) needs to swap, the memory contents is written to page file. Therefore the application must clean up the memory to prevent from RAM capturer services to read sensitive data.

There are three situations to handle:

• heap allocation (malloc): before freeing the memory, the area can be cleaned up with memset
• static or global data: after being used, the area can be cleaned up using memset
• local data (function member): the data is put on stack and is not accessible after the function is finished

For example:

void test()
{
  char card_number[17];

  strcpy(card_number, "4000000000000000");
}

After test executes, the memory still contains the card_number information.

One instruction could zero the variable card_number at the end of test, but this should be for all functions in the program.

memset(card_number, 0, sizeof(card_number));

Is there a way to clean up the stack at some point, like right before the program finishes?

Answer 1

Cleaning the stack right when the program finishes might be too late, it could have already been swapped out during any point at its runtime. You should keep your sentitive data only in memory locked with VirtualLock so it does not get swapped out. This has to happen before said sensitive data is read.

There is a small limit on how much memory you can lock like this so you can propably not lock the whole stack and should avoid storing sensitive data on the stack at all.