Vulnerability Development mailing list archives
Re: Software leaves encryption keys, passwords lying around in memory
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 31 Oct 2002 10:56:33 -0600
On Wed, 2002-10-30 at 10:11, Peter Gutmann wrote:
When compiled with any level of optimisation using gcc, the key clearing call goes away because of dead code elimination (see the MSDN article for more details on this, which uses VC++ to get the same effect). While you can kludge enough stuff around a custom memory-clear call to fool the optimiser (hacks with 'volatile', touching the memory after it's cleared and hoping the optimiser is fooled, etc etc) there's no guarantee that it'll work for anything but the compiler(s) you happen to test it with - any future enhancement to the optimiser may turn it back into a nop. What it really needs is the addition of a #pragma dont_remove_this_code_you_bastard in the compiler. Until then, a lot of security code will be affected by this problem.
The off-list discussion about band-aids was fun. Regarding the pragma, it does exist for VC++. #pragma optimize( "", off ) Turns off all optimization. #pragma optimize( "", on ) Restores the optimization settings to the original values. I haven't looked at gcc yet, but even if it had such a #pragma, there is always the issue of developer education. But this is what your post was about I believe... Regards, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Software leaves encryption keys, passwords lying around in memory Peter Gutmann (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Syzop (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Dan Kaminsky (Oct 30)
- RE: Software leaves encryption keys, passwords lying around in memory Dom De Vitto (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Dan Kaminsky (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Pavel Kankovsky (Oct 31)
- RE: Software leaves encryption keys, passwords lying around in memory Dom De Vitto (Oct 30)
- Re: Software leaves encryption keys, passwords lying around in memory Frank Knobbe (Oct 31)
- <Possible follow-ups>
- Re: Software leaves encryption keys, passwords lying around in memory Peter Gutmann (Oct 31)