[Cryptography] Secure erasure in C.

Benjamin Kreuter brk7bx at virginia.edu
Sun Sep 11 19:29:49 EDT 2016


On Wed, 2016-09-07 at 13:04 -0700, Ray Dillinger wrote:

> That is definitely the preferred solution. As far as I know,
> the desired behavior is absolutely required by all versions of
> the C standard and the availability of static volatile buffers
> is the main reason why I write security code in C despite all
> of C's sharp pointy bits, vicious free-swinging hooks and
> bloody blades.

I have to wonder about the tradeoffs here.  Let's ignore for the moment
the fact that regardless of what language you use it is possible for
the host system to be copying pages of memory without your knowledge or
control.  Let's assume for the sake of argument that you could
guarantee that an array is not copied, and that when you intend to
"clear" it (e.g. overwrite it with 0s) you can really ensure that it
will be cleared.

Is it worth all the downsides of C?

Consider:  a read past the end of a buffer might cause you to copy the
very same array you thought you had "ensured" would not be copied,
potentially even to something you thought was safe to write to some
output (sound familiar?).  Sure, you can try to minimize the risk by
only having your keys be live while you need them -- unless, of course,
you are reading past the end of that array while encrypting.

The problem with C, C++, and related languages is that they do not have
reliable abstractions.  You think "static volatile" means something,
but it is only a hint to your compiler; whatever guarantees you thought
you were getting can be violated by other language features.  It makes
writing secure or reliable code very difficult.

I know someone will chime in with, "But you can have buggy code in any
language!" and that is absolutely true.  The difference is that C et
al. allow for a much broader class of bugs.  For the most part, any bug
you could write in a "safer" language could also be written in C, but
many devastating bugs in C are exceedingly difficult (to the point of
impossibility) to write in "safer" languages.

As for the original point about secure erasure, you need OS support for
that regardless of what language you are programming in.  Your OS has
plenty of opportunities to copy memory and the only way you can stop it
is if there is a system call for doing so.  I would argue that safely
exposing such functionality to C is actually harder than it would be in
other languages.

-- Ben
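
[Added example, not part of the original message or from anyone in the thread: a static volatile key buffer that is page-locked before use and wiped afterwards. It assumes POSIX mlock() is the "system call" in question, which only keeps the pages out of swap. with_locked_key(), wipe() and xor_fold() are hypothetical names and the key is constructed sample data.]

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>

#define KEY_LEN 32

/* Zero a volatile buffer; accesses to volatile objects may not be elided. */
static void wipe(volatile unsigned char *p, size_t n)
{
    while (n--)
        *p++ = 0;
}

/* Constructed stand-in for real cipher work: XOR-folds the key bytes. */
static int xor_fold(const volatile unsigned char *key, size_t len)
{
    int acc = 0;
    for (size_t i = 0; i < len; i++)
        acc ^= key[i];
    return acc;
}

/* Hypothetical helper: runs use() on a key copy held in a page-locked
 * static volatile buffer, then wipes it. Returns -1 without loading the
 * key if mlock() fails; *residue gets the OR of the bytes after the wipe. */
static int with_locked_key(const unsigned char *src,
        int (*use)(const volatile unsigned char *, size_t),
        unsigned char *residue)
{
    static volatile unsigned char key[KEY_LEN];
    size_t i;

    if (mlock((const void *)key, sizeof key) != 0)
        return -1;              /* fail closed, e.g. RLIMIT_MEMLOCK too low */
    for (i = 0; i < sizeof key; i++)
        key[i] = src[i];
    int rc = use(key, sizeof key);
    wipe(key, sizeof key);
    for (*residue = 0, i = 0; i < sizeof key; i++)
        *residue |= key[i];
    munlock((const void *)key, sizeof key);
    return rc;
}

int main(void)
{
    unsigned char sample[KEY_LEN] = { 0x01 };  /* constructed sample key */
    unsigned char residue;
    int rc = with_locked_key(sample, xor_fold, &residue);
    if (rc < 0) { puts("mlock failed"); return 1; }
    printf("result=%d residue=%u\n", rc, residue);
    return 0;
}
```

[The caller's own copy of the key (sample above) is outside the locked buffer and is not wiped by this helper.]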