BugTraq
RE: When scrubbing secrets in memory doesn't work Nov 14 2002 10:44AM
Michael Wojcik (Michael Wojcik microfocus com) (1 replies)
> From: Jan Echternach [mailto:jan (at) goneko (dot) de [email concealed]]
> Sent: Monday, November 11, 2002 11:47 AM

> On Fri, Nov 08, 2002 at 05:23:34PM +0100, Michael Zimmermann wrote:
> > Not to declare the intermediate storage for sensitive
> > data as 'volatile' is a coding flaw. An easily overlooked
> > one, yes, but nevertheless... Like forgetting to protect
> > critical code with semaphores.
>
> 'volatile' isn't sufficient to be safe. In fact, there's no way to
> be sure that some C code doesn't leave copies of sensitive data
> around, because there's nothing in the C standard that forbids the
> compiler to keep copies of data.

True, and an important point, but a separate problem from the original one
(memset being eliminated by dead store optimization). The problem you
describe here (and its variants, such as sensitive data remaining in
persistent storage, e.g. a swap partition) is entirely outside the scope of
the C standard. So, for that matter, is the obvious race between using and
"scrubbing" the sensitive data.

Scrubbing is clearly no more than a best-effort attempt to make it more
difficult to retrieve sensitive data from memory. I think it's of dubious
value, frankly, and this thread has probably prompted more discussion than
it warrants. There is a portable way to prevent the dead-store-elimination
problem, but that's only one of scrubbing's many failings.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
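
Added example, not part of the original message or thread: the dead-store problem discussed above, shown as a "before" function whose final memset an optimizer may drop, beside one common mitigation, storing zeros through a volatile-qualified pointer. The message does not say which portable technique it has in mind; the function names, the toy checksum and the sample key are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Mainstream compilers treat every store through a volatile-qualified
 * lvalue as a side effect they must perform, so this loop is not removed.
 * It does nothing about copies in registers, spills or swap. */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Toy checksum standing in for real use of the secret (hypothetical). */
static unsigned checksum(const unsigned char *s, size_t n)
{
    unsigned h = 0;
    while (n--)
        h = h * 31u + *s++;
    return h;
}

/* Before: key[] is never read after memset, so the call is a dead store
 * and may legally be eliminated, leaving the secret on the stack. */
unsigned use_key_memset(const unsigned char *secret, size_t n)
{
    unsigned char key[32];
    if (n > sizeof key) n = sizeof key;
    memcpy(key, secret, n);
    unsigned h = checksum(key, n);
    memset(key, 0, sizeof key);      /* candidate for elimination */
    return h;
}

/* After: same logic, but the scrub goes through the volatile pointer. */
unsigned use_key_scrub(const unsigned char *secret, size_t n)
{
    unsigned char key[32];
    if (n > sizeof key) n = sizeof key;
    memcpy(key, secret, n);
    unsigned h = checksum(key, n);
    scrub(key, sizeof key);          /* stores are kept */
    return h;
}

int main(void)
{
    const unsigned char k[] = "abc"; /* constructed sample secret */
    return use_key_memset(k, 3) == use_key_scrub(k, 3) ? 0 : 1;
}
```

To see the difference, compare the optimized assembly of the two functions (for example with -O2 -S): the zeroing stores must be present in use_key_scrub, while they may be absent from use_key_memset.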

Re: When scrubbing secrets in memory doesn't work Nov 17 2002 04:49PM
Nicholas Weaver (nweaver CS berkeley edu) (1 replies)
Re: When scrubbing secrets in memory doesn't work Nov 18 2002 04:36PM
Richard Moore (rich westpoint ltd uk) (2 replies)
Re: When scrubbing secrets in memory doesn't work Nov 18 2002 06:19PM
Peter Watkins (peterw usa net)
Re: When scrubbing secrets in memory doesn't work Nov 18 2002 05:20PM
Florian Weimer (Weimer CERT Uni-Stuttgart DE)