This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Compiler support for erasure of sensitive data


> On Sep 9, 2015, at 12:36 PM, Zack Weinberg <zackw@panix.com> wrote:
> 
> ...
> I think the ideal feature addition to address this would be
> 
>    void safe(void)
>    {
>        struct key __attribute__((sensitive)) k = get_key();
>        use_key(k);
>    }

That certainly is a cleaner answer.  What is attractive about it is that it expresses the need for variables (data) to be given different treatment, rather than expecting the programmer to code that special treatment in every place where that data becomes dead.  It's also likely to be a whole lot harder to implement, unfortunately.

Then again, suppose all you had is explicit_bzero, and an annotation on the data saying it's sensitive.  Can static code analyzers take care of the rest?  If so, this sort of thing doesn't need to be in the compiler.

	paul
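The two messages above turn on one practical problem: with only explicit_bzero available, the programmer has to find every point at which a key becomes dead (normal return, each early error return) and wipe it there by hand, and a plain memset() at such a point is exactly the store a compiler may drop as dead. The following is an added example, written for this page and not code from the thread or from glibc, showing the hand-written discipline paul describes: a single cleanup label that wipes on every exit path, plus the heap equivalent. get_key(), use_key(), process() and the constructed key bytes are hypothetical stand-ins; the "simulated error" path exists only to exercise the failure exit.

```c
/* Added example (not from the libc-alpha thread). Demonstrates wiping a key
 * with explicit_bzero on every exit path of a function, the manual discipline
 * that a hypothetical "sensitive" attribute would let the compiler apply. */
#define _DEFAULT_SOURCE          /* glibc: exposes explicit_bzero() in <string.h> */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Repeated prototype so the file also builds under strict -std= modes where
 * <string.h> may not declare it; matches glibc's declaration. */
extern void explicit_bzero(void *s, size_t n);

#define KEY_LEN 32

struct key {
    uint8_t bytes[KEY_LEN];
};

/* Hypothetical key source: fills *k with constructed, deterministic bytes
 * standing in for real key material. Returns 0 on success. */
static int get_key(struct key *k)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        k->bytes[i] = (uint8_t)(0xA5 ^ i);
    return 0;
}

/* Hypothetical consumer: XORs msg with the key bytes. Rejects a key whose
 * first byte is zero so that the function has a real failure exit. */
static int use_key(const struct key *k, uint8_t *msg, size_t len)
{
    if (k->bytes[0] == 0)
        return -1;
    for (size_t i = 0; i < len; i++)
        msg[i] ^= k->bytes[i % KEY_LEN];
    return 0;
}

/* Processes msg with a key held in caller-provided storage *k.
 * Contract: on every return path, success or failure, *k has been wiped.
 * The single cleanup label is what has to be written by hand today; the
 * attribute proposed in the thread would have the compiler emit the same
 * wipe wherever k becomes dead. */
int process(struct key *k, uint8_t *msg, size_t len, int fail_early)
{
    int rc = -1;

    if (get_key(k) != 0)
        goto out;
    if (fail_early)              /* simulated error between get_key and use_key */
        goto out;
    if (use_key(k, msg, len) != 0)
        goto out;
    rc = 0;

out:
    /* explicit_bzero is never removed as a dead store. A memset() here would
     * survive for caller-owned storage (the caller can still read it), but
     * would be elidable if k were a local about to go out of scope, which
     * is the usual shape of the bug this thread is about. */
    explicit_bzero(k, sizeof *k);
    return rc;
}

/* Heap variant of the same discipline: wipe the object, then free it. */
void secure_free(void *p, size_t n)
{
    if (p != NULL)
        explicit_bzero(p, n);
    free(p);
}

/* Returns 1 if every byte of *k is zero, else 0. */
int key_is_wiped(const struct key *k)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= k->bytes[i];
    return acc == 0;
}

/* Runs process() on a constructed message and checks the wipe contract on
 * the requested path. Returns 1 if the return code was as expected and the
 * key storage is all zero afterwards. */
int wipe_contract_holds(int fail_early)
{
    struct key k;
    uint8_t msg[8] = { 's', 'e', 'c', 'r', 'e', 't', '!', 0 };  /* constructed input */
    int rc = process(&k, msg, sizeof msg, fail_early);
    int expected = fail_early ? -1 : 0;
    return rc == expected && key_is_wiped(&k);
}

int main(void)
{
    printf("success path wiped: %d\n", wipe_contract_holds(0));
    printf("error path wiped:   %d\n", wipe_contract_holds(1));
    return 0;
}
```

The point of the cleanup label is that a reviewer, or the static analyzer paul asks about, has one place to check per function rather than one per exit; what neither can do is stop the compiler from eliding a memset() on a local whose lifetime is ending, which is why the wipe itself must be explicit_bzero.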
