More on in-memory zeroisation

Thierry Moreau thierry.moreau at connotech.com
Fri Dec 14 12:42:19 EST 2007


Jack:

Thank you for pointing this out. I must admit you point to an inescapable 
counter-example for my analysis.

Maybe global optimization was not a significant factor in the 1980's 
when the C standard language was established -- it does refer to 
external linkage and "genuine function".

In the case of volatile declaration, the GCC 4.2.2 compiler gave me a 
warning that the volatile qualifier was ignored because the memset 
formal parameter declaration does not match. At least, as a compiler 
user I get a proper warning message.

Regards

  - Thierry Moreau


Original message:

Jack Lloyd wrote:

> On Wed, Dec 12, 2007 at 05:27:38PM -0500, Thierry Moreau wrote:
> 
>>As a consequence of alleged consensus above, my understanding of the C 
>>standard would prevail and (memset)(?,0,?) would refer to an external 
>>linkage function, which would guarantee (to the strength of the above 
>>consensus) resetting an arbitrary memory area for secret intermediate 
>>result protection.
> 
> 
> GCC on x86-64 (-O2) compiles this function to the same machine code
> regardless of the value of ZEROIZE:
> 
> #include <string.h>
> 
> int sensitive(int key)
>    {
>    char buf[16];
>    int result = 0;
>    size_t j;
> 
>    for(j = 0; j != sizeof(buf); j++)
>       buf[j] = key + j;
> 
>    for(j = 0; j != sizeof(buf); j++)
>       result += buf[j];
> 
> #if ZEROIZE
>    (memset)(buf, 0, sizeof(buf));
> #endif
> 
>    return result;
>    }
> 
> Even if (memset) must refer to a function with external linkage (an
> analysis I find dubious), there is nothing stopping the compiler from
> doing IPA/whole program optimization - especially with a very basic
> function like memset (in the code above, if buf is declared volatile,
> GCC does do the memset: but it does it by moving immediate zero values
> directly to the memory locations, not by actually jumping to any
> external function).
> 
> Regards,
>   Jack
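
Added example, not part of either message or of any project's code: the quoted function with its final memset replaced by a wipe loop that stores through a volatile-qualified pointer, which avoids the qualifier mismatch GCC warned about when a volatile buffer is passed to memset. The names secure_zero, all_zero and wipe_check are hypothetical, and the block assumes the compiler performs every store made through a volatile-qualified lvalue.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: clear n bytes through a volatile-qualified pointer.
 * Assumption: the compiler emits every store made through a volatile
 * lvalue, so the loop is not dropped as a dead store before return. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Same computation as the quoted function; only the wipe call differs. */
int sensitive(int key)
{
    char buf[16];
    int result = 0;
    size_t j;

    for (j = 0; j != sizeof(buf); j++)
        buf[j] = (char)(key + j);
    for (j = 0; j != sizeof(buf); j++)
        result += buf[j];

    secure_zero(buf, sizeof(buf));   /* replaces (memset)(buf, 0, ...) */
    return result;
}

/* Returns 1 if every byte of p[0..n) is zero, 0 otherwise. */
int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    while (n--)
        acc |= *p++;
    return acc == 0;
}

/* Constructed self-check: fill a buffer with a pattern, wipe it, verify. */
int wipe_check(void)
{
    unsigned char secret[32];
    memset(secret, 0xA5, sizeof(secret));
    secure_zero(secret, sizeof(secret));
    return all_zero(secret, sizeof(secret));
}

int main(void) { return (wipe_check() && sensitive(0) == 120) ? 0 : 1; }
```

The self-check only confirms that the helper clears the buffer; whether the stores survive optimisation has to be confirmed by compiling with -O2 -S and reading the generated assembly, as was done for the quoted function.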

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


