I found some sample code that looks like:
addrinfo hints;
SecureZeroMemory(&hints, sizeof(hints));
Is there a reason to use SecureZeroM
If (for example) the variable is not used anymore in the present scope (or in any other scenario where the compiler proves it doesn't change the internal coherence of the program), the compiler could optimize away the zeroing statement. For security-critical memory, this could compromise the security of the application when it comes to external processes examining the memory of your process. SecureZeroMemory is written so that it does not get optimized away.
I can't tell for sure why this particular code snippet chooses that function over other methods of zeroing a memory range. It could be a misunderstanding of its purpose by the code's author or a misguided company policy.
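The dead-store problem described in the answer above, as an added example that is not part of the original post: `sum_weak` wipes a local buffer with `memset`, which an optimizing build may drop, while `sum_hardened` wipes it through volatile stores. The names `secure_zero`, `fill_and_sum`, `sum_weak` and `sum_hardened` and the sample secret are constructed for illustration; `secure_zero` is a portable stand-in, not the Windows implementation of SecureZeroMemory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical portable stand-in for SecureZeroMemory (not the Windows code):
   each store goes through a volatile lvalue, which compilers treat as an
   observable side effect and therefore do not eliminate. */
static void *secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
    return p;
}

/* Constructed workload: copy a secret into a caller buffer (cap >= 1) and sum it. */
static unsigned fill_and_sum(char *key, size_t cap, const char *secret)
{
    unsigned sum = 0;
    size_t i;
    for (i = 0; i + 1 < cap && secret[i] != '\0'; i++) {
        key[i] = secret[i];
        sum += (unsigned char)secret[i];
    }
    key[i] = '\0';
    return sum;
}

/* Weak: key is never read after the memset, so an optimizing build may remove
   the call (dead-store elimination) and leave the secret on the stack. */
unsigned sum_weak(const char *secret)
{
    char key[32];
    unsigned sum = fill_and_sum(key, sizeof key, secret);
    memset(key, 0, sizeof key);
    return sum;
}

/* Hardened: same logic, but the wipe survives optimization. */
unsigned sum_hardened(const char *secret)
{
    char key[32];
    unsigned sum = fill_and_sum(key, sizeof key, secret);
    secure_zero(key, sizeof key);
    return sum;
}

int main(void) { printf("%u %u\n", sum_weak("hunter2"), sum_hardened("hunter2")); return 0; }
```

Both functions return the same value; the difference only shows in the generated code, where an optimized build can be inspected for whether the `memset` call in `sum_weak` is still present.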