Security Policy Enhancement: Zero Pixel Initialization
Posted: 2017-05-21T06:09:09-07:00
As of ImageMagick 7.0.5-5 and 6.9.8-4, you can allocate the pixel cache and some internal buffers with anonymous memory mapping rather than from the heap. As a consequence, the pixels and certain internal buffers are initialized to zero. You can also securely delete any temporary files for increased security. The value of the shred policy is the number of times to shred a temporary file (replace its content with random data) before deleting it. As an example, add this to your policy.xml configuration file:
<policy domain="system" name="memory-map" value="anonymous"/>
<policy domain="cache" name="memory-map" value="anonymous"/>
<policy domain="system" name="shred" value="1"/>
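
To confirm that a deployed policy.xml actually carries the three settings above, a small audit script can parse the file and report anything missing or set differently. This is an added example, not ImageMagick code; the function name audit_policy, both sample policy maps, and the choices to treat a shred value below 1 or any conflicting duplicate entry as a finding are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# The three settings from the post: (domain, name) -> check on the value string.
REQUIRED = {
    ("system", "memory-map"): lambda v: v == "anonymous",
    ("cache", "memory-map"): lambda v: v == "anonymous",
    ("system", "shred"): lambda v: v.isdigit() and int(v) >= 1,
}

def audit_policy(xml_text):
    """Return a list of findings; an empty list means all three settings are in place."""
    root = ET.fromstring(xml_text)
    seen = {}
    for p in root.iter("policy"):  # commented-out <policy> lines are never visited
        key = (p.get("domain", "").lower(), p.get("name", "").lower())
        if key in REQUIRED:
            seen.setdefault(key, []).append(p.get("value", ""))
    findings = []
    for key, ok in REQUIRED.items():
        domain, name = key
        values = seen.get(key)
        if not values:
            findings.append(f"missing: domain={domain} name={name}")
        elif not all(ok(v) for v in values):
            # Assumption: any entry with a different value counts as a finding.
            findings.append(f"unexpected value {values}: domain={domain} name={name}")
    return findings

# Constructed sample: the three lines from the post inside a policymap.
HARDENED = """<policymap>
  <policy domain="system" name="memory-map" value="anonymous"/>
  <policy domain="cache" name="memory-map" value="anonymous"/>
  <policy domain="system" name="shred" value="1"/>
</policymap>"""

# Constructed sample: one line left commented out, shred set to zero passes.
WEAK = """<policymap>
  <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
  <policy domain="cache" name="memory-map" value="anonymous"/>
  <policy domain="system" name="shred" value="0"/>
</policymap>"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_policy(text) or "OK")
```

To audit a real installation, pass the contents of its policy.xml to audit_policy.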