[Cryptography] Heartbleed and fundamental crypto programming practices
Bear
bear at sonic.net
Fri Apr 25 22:14:24 EDT 2014
On Fri, 2014-04-25 at 16:24 +1000, Stuart Longland wrote:
> Okay, real novice question… since we're on the topic of how to convince
> an optimiser of our aims.
>
> What would be wrong with this?
> static inline void secureZeroMemory(void *v, uint32_t n) {
> memset(v, 0, n);
> }
>
> memset is in the C library, so not subject to the optimiser in the
> compiler compiling your code, and presumably was compiled with the tricks
> needed to make the compiler emit the write code, else memset wouldn't do
> its job properly.
Unfortunately, no. Or at least, not by default on many compilers.
Yes, it is a C library function, and each conforming C library
has to provide it in a linkable form - but the standard does
not require that to be the only form in which it's provided,
nor require that the library version be linked when the call is
made. In many compilers there is also a 'builtin' version -
that is, by default these compilers treat certain calls as
though they were C-language statements that the compiler knows
how to compile, rather than as calls to a library.
In order to force the compiler to use the 'library' version
where there is an actual procedure call that you can trace or
debug, you usually need to take at least a couple more steps.
For example, on GCC, you'd have to invoke the compiler with
the -fnobuiltins option to suppress builtins which replace
several calls (mostly string functions) in a way that the
compiler can inline and, it hopes, optimize or eliminate.
Even if you do that, you still have the possibility of an
optimizing compiler inlining any call, which will get you the
same issues as a 'builtin' - once the code is local, it's
nothing more than a variable write, and a variable write is
usually eliminated unless the value is later read from that
variable and used. In fact, if it's a write of a constant
value, constant propagation optimizations can make the variable
write be eliminated and the later read replaced by the load
of that constant value.
The only way to be sure is the 'volatile' directive; that is
intended to mark something at an absolute address that some
other process may be reading or writing, which means that
skipping a read or write would actually cause bugs in that
other process.
Bear
More information about the cryptography
mailing list