Bugtraq mailing list archives

RE: When scrubbing secrets in memory doesn't work


From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Thu, 14 Nov 2002 02:44:58 -0800

From: Jan Echternach [mailto:jan () goneko de]
Sent: Monday, November 11, 2002 11:47 AM

On Fri, Nov 08, 2002 at 05:23:34PM +0100, Michael Zimmermann wrote:
Not to declare the intermediate storage for sensitive
data as 'volatile' is a coding flaw. An easily overlooked
one, yes, but nevertheless... Like forgetting to protect
critical code with semaphores.

'volatile' isn't sufficient to be safe.  In fact, there's no way to
be sure that some C code doesn't leave copies of sensitive data
around, because there's nothing in the C standard that forbids the
compiler to keep copies of data.

True, and an important point, but a separate problem from the original one
(memset being eliminated by dead store optimization).  The problem you
describe here (and its variants, such as sensitive data remaining in
persistent storage, e.g. a swap partition) is entirely outside the scope of
the C standard.  So, for that matter, is the obvious race between using and
"scrubbing" the sensitive data.

Scrubbing is clearly no more than a best-effort attempt to make it more
difficult to retrieve sensitive data from memory.  I think it's of dubious
value, frankly, and this thread has probably prompted more discussion than
it warrants.  There is a portable way to prevent the dead-store-elimination
problem, but that's only one of scrubbing's many failings.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
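
The dead-store-elimination problem discussed in this message, next to one commonly used countermeasure, as an added example that is not code from any post in this thread and is not necessarily the portable method the message alludes to. The names scrub, checksum and is_zeroed are hypothetical, and the secret string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: every store goes through a volatile-qualified
   lvalue, which compilers in practice do not elide. It does nothing about
   copies kept in registers, spill slots or swap. */
void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Copies a secret into a local buffer, folds it into a checksum and then
   clears the buffer: safe=0 is the "before" form, safe=1 uses scrub(). */
unsigned checksum(const char *secret, int safe)
{
    unsigned char key[32] = {0};
    unsigned sum = 0;
    strncpy((char *)key, secret, sizeof key - 1);
    for (size_t i = 0; i < sizeof key; i++)
        sum = sum * 31u + key[i];
    if (safe)
        scrub(key, sizeof key);
    else
        memset(key, 0, sizeof key);  /* key[] is never read again: a dead
                                        store the optimizer may delete */
    return sum;
}

/* Returns 1 if all n bytes at p are zero, 0 otherwise. */
int is_zeroed(const void *p, size_t n)
{
    const unsigned char *b = p;
    while (n--)
        if (*b++) return 0;
    return 1;
}

int main(void)
{
    unsigned char buf[16];
    memset(buf, 0xAA, sizeof buf);
    scrub(buf, sizeof buf);
    printf("zeroed=%d same=%d\n", is_zeroed(buf, sizeof buf),
           checksum("constructed-secret", 0) == checksum("constructed-secret", 1));
    return 0;
}
```

Both forms return the same value, so the difference shows only in the generated code: compiling with optimization and reading the assembly for checksum shows whether the memset call survived.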
