Vulnerability Development mailing list archives
Re: Software leaves encryption keys, passwords lying around in memory
From: Syzop <syz () dds nl>
Date: Wed, 30 Oct 2002 18:14:16 +0100
Hi, Peter Gutmann wrote:
When compiled with any level of optimisation using gcc, the key clearing call goes away because of dead code elimination (see the MSDN article for more details on this, which uses VC++ to get the same effect).
I was unable to reproduce this with gcc 2.95.4. I can clearly find the zeroing back in the assembler output. Not optimized: [..] pushl $16 pushl $0 leal -16(%ebp),%eax pushl %eax call memset Optimized (-O3): [..] movl $0,-16(%ebp) movl $0,-12(%ebp) movl $0,-8(%ebp) movl $0,-4(%ebp) Cya, Bram Matthys. == clearit.c (just copy/pasted from you + made encrypt "usefull") == #include <stdio.h> #include <stdlib.h> int encrypt(char *key) { int i; for (i=0; i < strlen(key); i++) { printf("bla %c\n", key[i]); } return 1; } int main() { char key[16]; strcpy( key, "secretkey" ); encrypt(key); memset(key, 0, 16); } == commands == gcc -S -o clearit.asm clearit.c gcc -S -o clearit.asm.optimized clearit.c -O3
Current thread:
- Software leaves encryption keys, passwords lying around in memory Peter Gutmann (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Syzop (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Dan Kaminsky (Oct 30)
- RE: Software leaves encryption keys, passwords lying around in memory Dom De Vitto (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Dan Kaminsky (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Pavel Kankovsky (Oct 31)
- RE: Software leaves encryption keys, passwords lying around in memory Dom De Vitto (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Frank Knobbe (Oct 31)
- <Possible follow-ups>
- Re: Software leaves encryption keys, passwords lying around in memory Peter Gutmann (Oct 31)