Vulnerability Development mailing list archives
Re: Software leaves encryption keys, passwords lying around in memory
From: pgut001 () cs auckland ac nz (Peter Gutmann)
Date: Thu, 31 Oct 2002 18:08:14 +1300 (NZDT)
Dan Kaminsky <dan () doxpara com> writes:
Yes, but here you *hope* the compiler has the same semantics for "volatile" that you do. The "keys to the kingdom" (sufficient context to zap your memset) are left in place; you just hope the compiler bothers to ignore it. I'd rather *know*, at least at the same level of confidence I have that I know anything else about the compiler.
This is what makes it such a tough problem, and why it may need compiler-level assistance. While I was looking for the version of gcc which removes the memset() (it appears to be a 3.x-only thing, but I can't get to the machine with 3.x on it at the moment) I noticed that every version of gcc I tried produced different output for the test source code. You really can't rely on a kludge which just happens to work for one version of the compiler (and you have to be careful when reporting a "problem" which only affects one version of the compiler :-).

Peter.
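The dead-store problem discussed in this message, as an added example that is not part of the original post or the thread's test source: a final memset() the optimizer may drop, next to a wipe that uses a GCC/Clang compiler barrier. The names `secure_wipe`, `use_key`, `handle_secret_weak` and `handle_secret_hardened` and the sample key bytes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Wipe the optimizer has to keep: after memset(), an empty asm statement that
 * takes p as input and clobbers "memory" makes the stores observable.
 * GCC/Clang extension (assumed available); other compilers get the volatile
 * byte loop, whose semantics the thread says you can only hope for. */
static void secure_wipe(void *p, size_t n)
{
#if defined(__GNUC__)
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
#else
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
#endif
}

/* Constructed stand-in for real key use: folds the key bytes into one value. */
static unsigned use_key(const unsigned char *key, size_t n)
{
    unsigned acc = 0;
    size_t i;
    for (i = 0; i < n; i++) acc = acc * 31u + key[i];
    return acc;
}

/* Weak form: key[] is never read after the final memset(), so the call is a
 * dead store that an optimizing compiler is allowed to remove. */
unsigned handle_secret_weak(void)
{
    unsigned char key[32];
    unsigned r;
    memset(key, 0x41, sizeof key);      /* constructed sample key */
    r = use_key(key, sizeof key);
    memset(key, 0, sizeof key);         /* candidate for elimination */
    return r;
}

/* Hardened form: same logic, with the wipe routed through secure_wipe(). */
unsigned handle_secret_hardened(void)
{
    unsigned char key[32];
    unsigned r;
    memset(key, 0x41, sizeof key);
    r = use_key(key, sizeof key);
    secure_wipe(key, sizeof key);
    return r;
}

int main(void) { return handle_secret_weak() != handle_secret_hardened(); }
```

Both functions return the same value, so the difference only shows in the generated code: compare the assembly from `gcc -O2 -S` for the two functions on every compiler version you build with, since the output varies between versions.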
Current thread:
- Software leaves encryption keys, passwords lying around in memory Peter Gutmann (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Syzop (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Dan Kaminsky (Oct 30)
- RE: Software leaves encryption keys, passwords lying around in memory Dom De Vitto (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Dan Kaminsky (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Pavel Kankovsky (Oct 31)
- RE: Software leaves encryption keys, passwords lying around in memory Dom De Vitto (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Frank Knobbe (Oct 31)
- <Possible follow-ups>
- Re: Software leaves encryption keys, passwords lying around in memory Peter Gutmann (Oct 31)