mailing list archives
RE: When scrubbing secrets in memory doesn't work
From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Thu, 14 Nov 2002 02:44:58 -0800
From: Jan Echternach [mailto:jan () goneko de]
Sent: Monday, November 11, 2002 11:47 AM
On Fri, Nov 08, 2002 at 05:23:34PM +0100, Michael Zimmermann wrote:
Not to declare the intermediate storage for sensitive
data as 'volatile' is a coding flaw. An esily overlooked
one, yes, but nevertheless... Like forgetting to protect
critical code with semaphores.
'volatile' isn't sufficient to be safe. In fact, there's no way to
be sure that some C code doesn't leave copies of sensitive data
around, because there's nothing in the C standard that forbids the
compiler to keep copies of data.
True, and an important point, but a separate problem from the original one
(memset being eliminated by dead store optimization). The problem you
describe here (and its variants, such as sensitive data remaining in
persistent storage, eg a swap partition) is entirely outside the scope of
the C standard. So, for that matter, is the obvious race between using and
"scrubbing" the sensitive data.
Scrubbing is clearly no more than a best-effort attempt to make it more
difficult to retrieve sensitive data from memory. I think it's of dubious
value, frankly, and this thread has probably prompted more discussion than
it warrants. There is a portable way to prevent the dead-store-elimination
problem, but that's only one of scrubbing's many failings.
Principal Software Systems Developer, Micro Focus