This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: Compiler support for erasure of sensitive data
- From: David Edelsohn <dje dot gcc at gmail dot com>
- To: Zack Weinberg <zackw at panix dot com>
- Cc: GCC Development <gcc at gcc dot gnu dot org>, GNU C Library <libc-alpha at sourceware dot org>, musl at lists dot openwall dot com
- Date: Wed, 9 Sep 2015 13:54:38 -0400
- Subject: Re: Compiler support for erasure of sensitive data
- Authentication-results: sourceware.org; auth=none
- References: <55F05FF1 dot 3000405 at panix dot com>
On Wed, Sep 9, 2015 at 12:36 PM, Zack Weinberg <zackw@panix.com> wrote:
> The ABI dictates basically everything you see. The call to
> explicit_bzero has forced the compiler to *create* a second copy of
> the variable `k` on the stack, just so it can be erased -- and the
> copy in registers survives (at least for a short time), which is not
> what the programmer wanted. With or without explicit_bzero, we have
> no way of getting rid of the copy in registers. More complicated
> scenarios of course exist.
> Comments? Please note that I do not have anything like the time
> required to implement any of this myself (and I'm ten years out of
> practice on GCC and have no experience whatsoever with Clang,
> anyway). I'm hoping this catches someone's interest.
What level of erasure of sensitive data are you trying to ensure?
Assuming that overwriting values in the ISA registers actually
completely clears and destroys the values is delusionally naive.
Most modern hardware architectures have hardware capabilities to
encrypt and protect sensitive data.
- David