From RISKS: secret scrubbing code removed by optimizers

Gert Doering gert at
Fri Nov 8 10:08:24 EST 2002


On Fri, Nov 08, 2002 at 09:34:59AM +1100, Darren Tucker wrote:
> This showed up in RISKS and no one has mentioned it here yet, so..
> OpenSSH contains lots of code like:
> char *password = read_passphrase(prompt, 0);
> [do stuff]
> memset(password, 0, strlen(password));
> >From
> "clearing sensitive information such as encryption keys from memory may
> not work as expected because an optimising compiler removes the memset()
> if it decides it's redundant."
> "When compiled with any level of optimisation using gcc, the key
> clearing call goes away because of dead code elimination."

I don't think this applies here.  The compiler can't know that the memory
area isn't used by other functions.

What you are referring to is:

int foo()
 char password[100] = "secret!";
 memset(password, 0, sizeof(password);

in that case, "password" is a local variable to the function, and the
compiler can rightfully assume that it will never be accessed after 
function return (because it's on the stack and its scope doesn't exist


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at
fax: +49-89-35655025                        gert.doering at

More information about the openssh-unix-dev mailing list