OpenSSL has pretty good support for HSMs in the form of their ENGINE API. It seems like it would be possible to use this layer to move all key handling and crypto operations out of the process that was dealing with TLS. Process isolation seems like a much better way of getting this kind of security than weird allocator tricks.
Gosh, I see this "weird allocator trick" to be exceptionally insightful as to the possible attacks and likely vulnerabilities that may be introduced into code.
One of the biggest issues for a development team isn't how to do something, but how to do something so that someone (who has taken over the project) won't screw it up in 10 years when you and all your cohorts have left and are island hopping and coconut drink doing.