Re: Software leaves encryption keys, passwords lying around in memory

From: Peter Gutmann (pgut001at_private)
Date: Wed Oct 30 2002 - 21:08:14 PST

    Dan Kaminsky <danat_private> writes:
    
    >Yes, but here you *hope* the compiler has the same semantics for "volatile"
    >that you do.  The "keys to the kingdom"(sufficient context to zap your
    >memset) are left in place; you just hope the compiler bothers to ignore it.
    >I'd rather *know*, at least at the same level of confidence I have that I
    >know anything else about the compiler.
    
    This is what makes it such a tough problem, and why it may need compiler-level
    assistance.  While I was looking for the version of gcc which removes the
    memset() (it appears to be a 3.x-only thing, but I can't get to the machine
    with 3.x on it at the moment) I noticed that every version of gcc I tried
    produced different output for the test source code.  You really can't rely on
    a kludge which just happens to work for one version of the compiler (and you
    have to be careful when reporting a "problem" which only affects one version
    of the compiler :-).
    
    Peter.
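
The pattern under discussion, as an added example that is not part of the original message or of any code posted in the thread: a key buffer that is dead after `memset()`, next to a wipe that does not rest on the compiler's reading of "volatile" alone. The function names and the constructed key-folding routine are assumptions for illustration; the empty-asm barrier is specific to GCC and Clang.

```c
#include <stddef.h>
#include <string.h>

/* Stores go through a volatile lvalue; then (GCC/Clang) an empty asm takes
 * p as input and clobbers memory, so the zeroed bytes count as observed. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#if defined(__GNUC__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Constructed stand-in for real key handling: fill key[], fold it to a sum. */
static unsigned fold(unsigned char key[32], const unsigned char *in, size_t n)
{
    unsigned sum = 0;
    for (size_t i = 0; i < 32; i++)
        sum = sum * 31u + (key[i] = (unsigned char)(in[i % n] ^ 0x5c));
    return sum;
}

/* Pattern from the thread: key[] is never read after memset(), so an
 * optimiser is entitled to delete the call as a dead store. */
unsigned checksum_naive(const unsigned char *in, size_t n)
{
    unsigned char key[32];
    unsigned sum = fold(key, in, n);
    memset(key, 0, sizeof key);
    return sum;
}

unsigned checksum_wiped(const unsigned char *in, size_t n)
{
    unsigned char key[32];
    unsigned sum = fold(key, in, n);
    secure_wipe(key, sizeof key);   /* same function, wipe kept alive */
    return sum;
}

size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t c = 0;
    while (n--)
        c += (p[n] != 0);
    return c;
}
```

Comparing the `gcc -O2 -S` output for `checksum_naive` and `checksum_wiped` on each compiler version in use shows whether the zeroing stores survived in that build.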
    



    This archive was generated by hypermail 2b30 : Thu Oct 31 2002 - 09:03:25 PST