| 1 |
On 15/11/17 11:05, Jorge Almeida wrote: |
| 2 |
> On Wed, Nov 15, 2017 at 12:54 AM, Nikos Chantziaras <realnc@×××××.com> wrote: |
| 3 |
>> On 14/11/17 19:36, Jorge Almeida wrote: |
| 4 |
>>> |
| 5 |
>>> On Fri, Nov 10, 2017 at 12:09 PM, Jorge Almeida <jjalmeida@×××××.com> |
| 6 |
>>> wrote: |
| 7 |
>>> |
| 8 |
> |
| 9 |
>> |
| 10 |
>> Unless you look at the assembly output, you can't be sure. Some optimization |
| 11 |
>> is done even at -O0. |
| 12 |
>> |
| 13 |
>> I'd stick to using explicit_bzero() which is safe regardless of compiler |
| 14 |
>> vendor *and* version. |
| 15 |
>> |
| 16 |
> But what about overwriting with random bytes? Having "explicit-*" |
| 17 |
> versions of whatnot seems madness. BTW, I checked the assemby, |
| 18 |
> memset() is there. But there should be way to tell the compiler "do |
| 19 |
> what I say". |
| 20 |
|
| 21 |
Writing random bytes isn't going to help. If the compiler can deduce |
| 22 |
that the random bytes aren't being used and that not writing anything |
| 23 |
will not change the observable behavior of the code, the write might not |
| 24 |
happen. And even if you do use the random bytes (like writing them to |
| 25 |
/dev/null,) the write might still not happen. The compiler might have |
| 26 |
marked another memory location as "hot" (in cache terms) and safe to |
| 27 |
write to, and use that instead. |
| 28 |
|
| 29 |
The only sure way to do this I can think of, is to require the caller to |
| 30 |
use volatile and implement your own memset(). This is obviously prone to |
| 31 |
error. To fix that, you could enforce your own volatile pointer with |
| 32 |
something like: |
| 33 |
|
| 34 |
typedef struct passwd_t { |
| 35 |
volatile char* data; |
| 36 |
} passwd_t; |
| 37 |
|
| 38 |
passwd_t* alloc_passwd(int len); |
| 39 |
void free_passwd(passwd_t* passwd); |
| 40 |
|
| 41 |
However, since explicit_bzero() is something several other people have |
| 42 |
come up as the solution to the problem, it's what I recommend. It's been |
| 43 |
tested already by other people on multiple platforms and compilers. Have |
| 44 |
a configure check for it, and if not found, try again with -lbsd. Or |
| 45 |
have a configure switch for it. These tests are easy to do with CMake or |
| 46 |
Autoconf. |
| 47 |
|
| 48 |
Trying to reinvent the wheel, especially when it comes to security, |
| 49 |
doesn't sound like a good idea. It's easy to get it wrong. |
Archives