This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Compiler support for erasure of sensitive data
- From: Zack Weinberg <zackw at panix dot com>
- To: Paul_Koning at Dell dot com
- Cc: gcc at gcc dot gnu dot org, llvmdev at cs dot uiuc dot edu, libc-alpha at sourceware dot org, musl at lists dot openwall dot com
- Date: Wed, 9 Sep 2015 12:58:36 -0400
- Subject: Re: Compiler support for erasure of sensitive data
- Authentication-results: sourceware.org; auth=none
- References: <55F05FF1 dot 3000405 at panix dot com> <8228C31E-7E1F-478C-9352-3908E6256B2C at dell dot com>
On 09/09/2015 12:52 PM, Paul_Koning@Dell.com wrote:
> Then again, suppose all you had is explicit_bzero, and an annotation
> on the data saying it's sensitive. Can static code analyzers take
> care of the rest? If so, this sort of thing doesn't need to be in
> the compiler.
The thing that absolutely has to be implemented in the compiler (AFAICT)
is register clearing. I'm undecided as to how *necessary* that is.
There certainly can be a lot of sensitive data in registers (e.g. AESNI
puts an entire AES key schedule in xmm registers). I don't know of any
exploits that depended on salvaging such data from registers, but I
don't follow exploit research closely.
zw
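To make the distinction in the message above concrete, here is an added example (not code from the thread, glibc, or any of the listed projects) of what a library-level eraser like explicit_bzero can and cannot do: the stores it makes to memory survive dead-store elimination, but it has no way to reach copies the compiler left in registers. The names secure_erase, copy_key_then_erase and the 16-byte key are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Erase len bytes at p so that the optimizer cannot treat the stores as
 * dead. Writes go through a volatile pointer; the asm barrier tells the
 * compiler that memory at p may be inspected afterwards. What this cannot
 * do is clear copies of the data the compiler left in registers or spill
 * slots; that is the part only the compiler itself could handle. */
void secure_erase(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Hypothetical key-handling routine: copies a constructed 16-byte key into
 * out, then erases the local copy before returning. A plain memset() on
 * key at this point is a classic candidate for dead-store elimination. */
void copy_key_then_erase(unsigned char out[16])
{
    unsigned char key[16];
    memcpy(key, "constructed-key!", 16);  /* constructed, not a real key */
    memcpy(out, key, 16);
    secure_erase(key, sizeof key);
}

/* Returns 1 if every byte in p[0..len) is zero, else 0. */
int all_zero(const unsigned char *p, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

/* Self-check: fill a buffer with a pattern, erase it, confirm it is zero. */
int erase_works(void)
{
    unsigned char buf[32];
    memset(buf, 0xAA, sizeof buf);
    secure_erase(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

/* Self-check: the key still reaches the caller before the local is wiped. */
int key_delivered(void)
{
    unsigned char out[16];
    copy_key_then_erase(out);
    return memcmp(out, "constructed-key!", 16) == 0;
}
```

Compile with optimization and inspect the generated code for copy_key_then_erase to see the stores kept in place; any xmm or general-purpose register holding key bytes is left untouched, which is exactly the gap the message points at.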