I have noticed some programs explicitly zero sensitive memory allocations after use. For example, OpenSSL has a method to clear the memory occupied by an RSA key:
\"
On a Linux system, is the memory cleaned or sanitised before being allocated to another program?
It depends; the details are found in the mmap man page:
MAP_UNINITIALIZED (since Linux 2.6.33)
Don't clear anonymous pages. This flag is intended to improve performance on embedded devices. This flag is only honored if the kernel was configured with the CONFIG_MMAP_ALLOW_UNINITIALIZED option. Because of the security implications, that option is normally enabled only on embedded devices (i.e., devices where one has complete control of the contents of user memory).
Zeroing the memory before returning it to the OS is iffy at best: what happens if your process was killed by a signal before it had a chance to do so? Configure the kernel to perform the sanitization for you.
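As an added example (not code from the question, the answer, or OpenSSL), the following C program checks the man-page behaviour quoted above on the running kernel: it maps an anonymous page, dirties it, unmaps it, and confirms that a freshly mapped anonymous page arrives zero-filled. It also shows an in-process wipe helper, here named secure_zero, written so the compiler cannot drop the stores; it assumes a Linux/glibc build where MAP_ANONYMOUS is available.

```c
#define _GNU_SOURCE               /* exposes MAP_ANONYMOUS on glibc */
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return 1 if every byte in [p, p+n) is zero, else 0. */
static int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* In-process wipe the compiler cannot elide: the stores go through a volatile
 * pointer, so dead-store elimination does not drop them the way it can drop a
 * plain memset() placed right before free() or munmap(). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Fill a buffer with a pattern, wipe it, report 1 if the wipe took effect. */
int secure_zero_clears(void) {
    unsigned char buf[64];
    memset(buf, 0xA5, sizeof buf);    /* stand-in for key material */
    secure_zero(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

/* Map one anonymous page (no MAP_UNINITIALIZED), dirty it, release it, then
 * map another and report whether it arrives zero-filled, as mmap(2) promises
 * for anonymous mappings on a kernel built without
 * CONFIG_MMAP_ALLOW_UNINITIALIZED. Returns 1 (zero), 0 (stale data visible)
 * or -1 (mapping failed). */
int fresh_anon_page_is_zero(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0xA5, len);             /* deliberately left unwiped */
    if (munmap(p, len) != 0) return -1;
    unsigned char *q = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (q == MAP_FAILED) return -1;
    int zero = all_zero(q, len);
    munmap(q, len);
    return zero;
}
```

The kernel guarantee covers pages handed out fresh by mmap; memory recycled inside the same process through the allocator's free lists is not zeroed by anyone, which is why an in-process wipe like secure_zero still has a job for key material.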