This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Compiler support for erasure of sensitive data


On 09/09/2015 12:52 PM, Paul_Koning@Dell.com wrote:
> Then again, suppose all you had is explicit_bzero, and an annotation
> on the data saying it's sensitive.  Can static code analyzers take
> care of the rest?  If so, this sort of thing doesn't need to be in
> the compiler.

The thing that absolutely has to be implemented in the compiler (AFAICT)
is register clearing.  I'm undecided as to how *necessary* that is.
There certainly can be a lot of sensitive data in registers (e.g. AESNI
puts an entire AES key schedule in xmm registers).  I don't know of any
exploits that depended on salvaging such data from registers, but I
don't follow exploit research closely.

zw

