| 1 |
On Fri, Nov 10, 2017 at 11:19 PM, R0b0t1 <r030t1@×××××.com> wrote: |
| 2 |
> On Fri, Nov 10, 2017 at 2:09 PM, Jorge Almeida <jjalmeida@×××××.com> wrote: |
| 3 |
>> On Fri, Nov 10, 2017 at 4:25 PM, R0b0t1 <r030t1@×××××.com> wrote: |
| 4 |
> |
| 5 |
>> |
| 6 |
>> http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html |
| 7 |
>> |
| 8 |
> |
| 9 |
> I really think there is a deeper issue here then, which is that the |
| 10 |
> compiler takes a lot of liberties when translating a program |
| 11 |
> description into machine code. There have been suggestions made that |
| 12 |
> this makes very nearly all compilers unsuitable for high reliability |
| 13 |
> purposes. Cryptographic or user security code is likely a candidate |
| 14 |
> for the label "high reliability." |
| 15 |
|
| 16 |
Yes, the html page above has a link to a 2nd part, where (if I |
| 17 |
understood correctly) it is concluded that currently there is no real |
| 18 |
solution: even if the compiler does what it is told to, it may copy |
| 19 |
data around, and the programmer has no control whatsoever over the |
| 20 |
fate of such data. |
| 21 |
|
| 22 |
> |
| 23 |
> To further explain why the additions are counterproductive: the |
| 24 |
> programmer still has to remember to use them. It is just as likely |
| 25 |
> that the programmer will forget to use memset_s properly as any of the |
| 26 |
> other functions in string.h (possibly by forgetting to sanitize input |
| 27 |
> i.e. the memory segment boundaries). |
| 28 |
> |
| 29 |
Well, most programmers probably won't care about this stuff anyway, |
| 30 |
and people who deal with cryptography tend to be more cautious than |
| 31 |
average. But I'm not really making a case for safe versions of known |
| 32 |
functions. After all, the usual functions do fine for most |
| 33 |
applications. memset() would be enough to clear RAM with sensitive |
| 34 |
data if we had a pragma (or equivalent) to convince the compiler to |
| 35 |
not ignore it (I mean a pragma to invoke on a particular function |
| 36 |
definition when the programmer feels that a black box behaviour is |
| 37 |
undesirable). Of course, solving the problem of the compiler copying |
| 38 |
stuff around might be harder nut to crack. |
| 39 |
> |
| 40 |
|
| 41 |
> |
| 42 |
> If you don't mind I might post this concern to the GCC mailing list, |
| 43 |
> or you can take it up if you want. |
| 44 |
|
| 45 |
Please do. I'm strictly amateur league, and you'll do a better job. |
| 46 |
> |
| 47 |
Cheers |
| 48 |
|
| 49 |
Jorge |
Archives