This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Compiler support for erasure of sensitive data
- From: <Paul_Koning at Dell dot com>
- To: <zackw at panix dot com>
- Cc: <gcc at gcc dot gnu dot org>, <llvmdev at cs dot uiuc dot edu>, <libc-alpha at sourceware dot org>, <musl at lists dot openwall dot com>
- Date: Wed, 9 Sep 2015 16:52:33 +0000
- Subject: Re: Compiler support for erasure of sensitive data
- Authentication-results: sourceware.org; auth=none
- References: <55F05FF1 dot 3000405 at panix dot com>
> On Sep 9, 2015, at 12:36 PM, Zack Weinberg <zackw@panix.com> wrote:
>
> ...
> I think the ideal feature addition to address this would be
>
> void safe(void)
> {
>     struct key __attribute__((sensitive)) k = get_key();
>     use_key(k);
> }
That certainly is a cleaner answer. What is attractive about it is that it expresses the need for variables (data) to be given different treatment, rather than expecting the programmer to code that special treatment in every place where that data becomes dead. It's also likely to be a whole lot harder to implement, unfortunately.
Then again, suppose all you had is explicit_bzero, and an annotation on the data saying it's sensitive. Can static code analyzers take care of the rest? If so, this sort of thing doesn't need to be in the compiler.
paul
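As an added example (not code from this thread or from glibc), the library-side approach the reply contrasts with the attribute: a wipe routine that reaches memset through a volatile function pointer, so the optimizer cannot delete the final store to a dying variable as dead; this is the guarantee explicit_bzero provides where it is available. The buffer size, the sample key bytes and the arithmetic standing in for use_key() are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16   /* constructed size for the demonstration */

/* memset reached through a volatile function pointer: the compiler cannot
 * see which function will be called, so it cannot treat the final store to
 * a variable that is about to die as dead and remove it. This is the
 * portable stand-in for explicit_bzero(). */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Returns 1 if every byte of p[0..n) is zero; used to check that a wipe
 * actually happened. */
int all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* The pattern the thread discusses: key material lives in a local for the
 * duration of one function. A plain memset(k, 0, sizeof k) at the end is a
 * store to a dead object and may be deleted by dead-store elimination;
 * secure_zero() survives. The arithmetic is a hypothetical use_key(). */
uint32_t use_key_once(const uint8_t *key_material, size_t len)
{
    uint8_t k[KEY_LEN];
    uint32_t acc = 0;

    if (len > KEY_LEN)
        len = KEY_LEN;
    memcpy(k, key_material, len);
    for (size_t i = 0; i < len; i++)
        acc = acc * 31u + k[i];
    secure_zero(k, sizeof k);   /* explicit_bzero(k, sizeof k) where available */
    return acc;
}
```

Compiling a variant that uses plain memset() at -O2 and inspecting the generated code shows the store removed, which is the behaviour explicit_bzero and the proposed attribute both exist to prevent.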