Re: Software leaves encryption keys, passwords lying around in memory

From: Syzop (syzat_private)
Date: Wed Oct 30 2002 - 09:14:16 PST


    Hi,
    
    Peter Gutmann wrote:
    
    > When compiled with any level of optimisation using gcc, the key clearing call
    > goes away because of dead code elimination (see the MSDN article for more
    > details on this, which uses VC++ to get the same effect).
    
    I was unable to reproduce this with gcc 2.95.4.
    I can clearly find the zeroing in the assembler output.
    
    Not optimized:
    [..]
            pushl $16
            pushl $0
            leal -16(%ebp),%eax
            pushl %eax
            call memset
    
    Optimized (-O3):
    [..]
            movl $0,-16(%ebp)
            movl $0,-12(%ebp)
            movl $0,-8(%ebp)
            movl $0,-4(%ebp)
    
    Cya,
    
        Bram Matthys.
    
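    == clearit.c (just copy/pasted from you + made encrypt "useful") ==
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* strlen, strcpy, memset */
    
    /* Stand-in for real encryption: prints each byte of the key. */
    int encrypt(char *key)
    {
    size_t i;
            for (i=0; i < strlen(key); i++)
            {
                    printf("bla %c\n", key[i]);
            }
            return 1;
    }
    
    
    int main()
    {
    char key[16];
    strcpy( key, "secretkey" );
    encrypt(key);
    /* Key clearing call under test: key is never read after this point. */
    memset(key, 0, 16);
    return 0;
    }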
    
    == commands ==
    gcc -S -o clearit.asm clearit.c
    gcc -S -o clearit.asm.optimized clearit.c -O3
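
Whether the plain memset survives depends on the compiler version and flags, as the two messages in this thread show. The following is an added example, not code from the original post or from either author: a wipe that does not depend on the optimiser's choice, applied to the same local-key pattern as clearit.c. The names secure_zero, derive_tag and use_key are hypothetical, and the key string is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: zero n bytes through a volatile-qualified pointer.
 * GCC and Clang emit every store made through a volatile lvalue, so the
 * wipe is not dropped as a dead store. Platform primitives with the same
 * purpose: explicit_bzero (glibc 2.25+, BSDs), SecureZeroMemory (Windows). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Constructed stand-in for the thread's encrypt(): folds key bytes into a tag. */
static unsigned derive_tag(const char *key)
{
    unsigned tag = 0;
    while (*key)
        tag = tag * 31u + (unsigned char)*key++;
    return tag;
}

/* Same shape as main() in clearit.c: the key sits in a local array that is
 * never read after the wipe. Returns 0 on success, -1 if the secret does
 * not fit in the buffer (checked here instead of an unbounded strcpy). */
static int use_key(const char *secret, unsigned *tag_out)
{
    char key[16];
    size_t len = strlen(secret);
    if (len >= sizeof key)
        return -1;
    memcpy(key, secret, len + 1);
    *tag_out = derive_tag(key);
    secure_zero(key, sizeof key);   /* volatile stores, kept at any -O level */
    return 0;
}

int main(void)
{
    unsigned tag = 0;
    int rc = use_key("secretkey", &tag);   /* constructed sample key */
    printf("rc=%d tag=%u\n", rc, tag);
    return rc;
}
```

To inspect the result the way the message does, compile with gcc -S at -O3 and look for the byte stores to the key buffer just before use_key returns.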
    


