More on in-memory zeroisation
pgut001 at cs.auckland.ac.nz
Sun Dec 9 01:16:22 EST 2007

There was a discussion on this list a year or two back about problems in using
memset() to zeroise in-memory data, specifically the fact that optimising
compilers would remove a memset() on (apparently) dead data in the belief that
it wasn't serving any purpose.

Reading through "Secure Programming with Static Analysis", I noticed an
observation in the text that newer versions of gcc such as 3.4.4 and 4.1.2
treat the pattern:

  "memset(?, 0, ?)"

differently from any other memset in that it's not optimised out. I couldn't
find any reference to this behaviour anywhere and asked the authors about
this. They replied:

  We did experiments with a number of different compilers and optimization
  levels in order to determine the conditions under which calls to memset
  would be optimized out. We stumbled on the fact that zero is treated
  differently pretty much by accident, and we don't have any particular
  insight into why it behaves the way it does.

I've done a bit of poking around in gcc discussion threads and there's a lot
of muttering about support for bcopy() and bzero(), and in particular its use
in places where it can't be replaced by memcpy()/memset() (e.g. assorted OS
kernels). Speculating wildly, my guess is that the peculiar behaviour with
(?, 0, ?) parameters is a compatibility hack for bzero() support, so it may be
purely an implementation artefact. For example if you look at
http://kerneltrap.org/man/linux/man3p/bzero.3p it recommends:

  #define bzero(b,len) (memset((b), '\0', (len)), (void) 0)

so it's possible the gcc folks added the special memset() semantics because of

So it seems that at least with recent versions of gcc you *can* zeroise memory
provided you use the "memset(?, 0, ?)" pattern. Unfortunately since it's
undocumented behaviour it's not certain whether this will be persistent in
future compiler versions. Doing it this way does seem a nice compromise
between "I want maximum optimisation" and "I want maximum security".

Can anyone who knows more about gcc development provide more insight on this?
Could it be made an official, supported feature of the compiler?
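
Added example, not part of the original post and not taken from gcc or the book it cites: two common ways to write a zeroisation routine that does not rely on the undocumented memset(?, 0, ?) behaviour described above. It goes beyond the post by using volatile instead; all function names are hypothetical and the "key" is constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* All names below are hypothetical; none come from the post. */

/* Variant 1: call memset() through a volatile function pointer. The pointer
 * has to be loaded at run time, so the compiler cannot assume the callee is
 * memset() and discard the call as a dead store. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void zeroise_call(void *buf, size_t len)
{
    memset_v(buf, 0, len);
}

/* Variant 2: write each byte through a volatile-qualified pointer. gcc and
 * other mainstream compilers treat every such store as an access that must
 * be performed, even when the buffer is never read again. */
void zeroise_store(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Constructed sample: build a stand-in key on the stack, use it, wipe it
 * with the given routine, and return how many non-zero bytes remain. */
size_t residue_after(void (*wipe)(void *, size_t))
{
    unsigned char key[32];
    volatile unsigned char sink = 0;
    size_t i, left = 0;

    for (i = 0; i < sizeof key; i++)
        key[i] = (unsigned char)(0xA5 ^ i);  /* never zero for i < 32 */
    for (i = 0; i < sizeof key; i++)
        sink ^= key[i];                      /* stand-in for using the key */
    wipe(key, sizeof key);
    for (i = 0; i < sizeof key; i++)
        left += (key[i] != 0);
    return left;
}

int main(void)
{
    return (residue_after(zeroise_call) | residue_after(zeroise_store)) ? 1 : 0;
}
```

Because residue_after() reads the buffer back, the wipe in it is not a dead store; in real code, where the buffer is never touched again, inspect the generated assembly (for example gcc -O2 -S) to confirm the clearing code is still emitted.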