On 15/11/17 11:05, Jorge Almeida wrote:
> On Wed, Nov 15, 2017 at 12:54 AM, Nikos Chantziaras <realnc@×××××.com> wrote:
>> On 14/11/17 19:36, Jorge Almeida wrote:
>>>
>>> On Fri, Nov 10, 2017 at 12:09 PM, Jorge Almeida <jjalmeida@×××××.com>
>>> wrote:
>>>
>
>>
>> Unless you look at the assembly output, you can't be sure. Some optimization
>> is done even at -O0.
>>
>> I'd stick to using explicit_bzero() which is safe regardless of compiler
>> vendor *and* version.
>>
> But what about overwriting with random bytes? Having "explicit-*"
> versions of whatnot seems madness. BTW, I checked the assembly,
> memset() is there. But there should be a way to tell the compiler "do
> what I say".

Writing random bytes isn't going to help. If the compiler can deduce
that the random bytes aren't being used and that not writing anything
will not change the observable behavior of the code, the write might not
happen. And even if you do use the random bytes (like writing them to
/dev/null), the write might still not happen. The compiler might have
marked another memory location as "hot" (in cache terms) and safe to
write to, and use that instead.

The only sure way to do this I can think of is to require the caller to
use volatile and implement your own memset(). This is obviously prone to
error. To fix that, you could enforce your own volatile pointer with
something like:

typedef struct passwd_t {
    volatile char* data;
} passwd_t;

passwd_t* alloc_passwd(int len);
void free_passwd(passwd_t* passwd);

However, since explicit_bzero() is something several other people have
come up with as the solution to the problem, it's what I recommend. It's been
tested already by other people on multiple platforms and compilers. Have
a configure check for it, and if not found, try again with -lbsd. Or
have a configure switch for it. These tests are easy to do with CMake or
Autoconf.

Trying to reinvent the wheel, especially when it comes to security,
doesn't sound like a good idea. It's easy to get it wrong.
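The approach discussed in this thread, as an added example that is not part of any message above and not code from either poster: a wiping helper that prefers explicit_bzero() when a build-system check says it exists, and otherwise stores through a volatile-qualified pointer so dead-store elimination cannot drop the writes. The macro name HAVE_EXPLICIT_BZERO is an assumption (the usual Autoconf/CMake convention, but whatever your configure check defines), and the sample secret is a constructed string, not a real credential.

```c
/* Added example, not from the thread: secret wiping that survives the
 * optimizer. HAVE_EXPLICIT_BZERO is an assumed macro set by a configure
 * check (with -lbsd as the fallback library, as the message suggests). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe len bytes at p. With explicit_bzero() available, use it; otherwise
 * write through a volatile pointer, which makes every byte store an
 * observable side effect the compiler must keep. A plain memset() here
 * could be removed as a dead store once the buffer is no longer read. */
void secure_memzero(void *p, size_t len)
{
#ifdef HAVE_EXPLICIT_BZERO
    explicit_bzero(p, len);
#else
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
#endif
}

/* Returns 1 if every byte in [p, p+len) is zero, else 0. Used to verify the wipe. */
int is_all_zero(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Demonstration: place a constructed secret in a stack buffer, "use" it
 * (measure its length), then wipe the whole buffer. Returns 1 when the
 * wipe left no byte of the secret behind and the secret was 21 bytes long. */
int wipe_demo(void)
{
    char pw[32];
    /* Constructed sample secret for the demo, not a real password. */
    strncpy(pw, "correct horse battery", sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';
    size_t n = strlen(pw);

    secure_memzero(pw, sizeof pw);

    return is_all_zero(pw, sizeof pw) && n == 21;
}

int main(void)
{
    int ok = wipe_demo();
    printf("wipe %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Build it once with -DHAVE_EXPLICIT_BZERO on a glibc 2.25+ or libbsd system and once without; the behaviour is the same, and inspecting the -O2 assembly of the volatile branch shows the byte stores still present, which is the check the thread says you cannot skip.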