1 |
On Fri, Nov 10, 2017 at 11:19 PM, R0b0t1 <r030t1@×××××.com> wrote: |
2 |
> On Fri, Nov 10, 2017 at 2:09 PM, Jorge Almeida <jjalmeida@×××××.com> wrote: |
3 |
>> On Fri, Nov 10, 2017 at 4:25 PM, R0b0t1 <r030t1@×××××.com> wrote: |
4 |
> |
5 |
>> |
6 |
>> http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html |
7 |
>> |
8 |
> |
9 |
> I really think there is a deeper issue here then, which is that the |
10 |
> compiler takes a lot of liberties when translating a program |
11 |
> description into machine code. There have been suggestions made that |
12 |
> this makes very nearly all compilers unsuitable for high reliability |
13 |
> purposes. Cryptographic or user security code is likely a candidate |
14 |
> for the label "high reliability." |
15 |
|
16 |
Yes, the html page above has a link to a 2nd part, where (if I |
17 |
understood correctly) it is concluded that currently there is no real |
18 |
solution: even if the compiler does what it is told to, it may copy |
19 |
data around, and the programmer has no control whatsoever over the |
20 |
fate of such data. |
21 |
|
22 |
> |
23 |
> To further explain why the additions are counterproductive: the |
24 |
> programmer still has to remember to use them. It is just as likely |
25 |
> that the programmer will forget to use memset_s properly as any of the |
26 |
> other functions in string.h (possibly by forgetting to sanitize input |
27 |
> i.e. the memory segment boundaries). |
28 |
> |
29 |
Well, most programmers probably won't care about this stuff anyway, |
30 |
and people who deal with cryptography tend to be more cautious than |
31 |
average. But I'm not really making a case for safe versions of known |
32 |
functions. After all, the usual functions do fine for most |
33 |
applications. memset() would be enough to clear RAM with sensitive |
34 |
data if we had a pragma (or equivalent) to convince the compiler to |
35 |
not ignore it (I mean a pragma to invoke on a particular function |
36 |
definition when the programmer feels that a black box behaviour is |
37 |
undesirable). Of course, solving the problem of the compiler copying |
38 |
stuff around might be harder nut to crack. |
39 |
> |
40 |
|
41 |
> |
42 |
> If you don't mind I might post this concern to the GCC mailing list, |
43 |
> or you can take it up if you want. |
44 |
|
45 |
Please do. I'm strictly amateur league, and you'll do a better job. |
46 |
> |
47 |
Cheers |
48 |
|
49 |
Jorge |