From RISKS: secret scrubbing code removed by optimizers

Gary E. Miller gem at rellim.com
Fri Nov 8 10:51:44 EST 2002


Yo Gert!

On Fri, 8 Nov 2002, Gert Doering wrote:

> in that case, "password" is a local variable to the function, and the
> compiler can rightfully assume that it will never be accessed after
> function return (because it's on the stack and its scope doesn't exist
> anymore).

In a non-paranoid world you are correct.  In a paranoid world further
analysis is required.

If the memset() is eliminated as "dead code", then the password stays on
the stack.  Then anyone looking at /dev/kmem can see it in the clear.
Worse yet, the stack could be swapped out to disk and now the password
is on the disk in the clear.

We can hope that another subroutine is soon called, and that part
of the stack is overwritten, but there is a much longer window of
exposure than if the memset() was executed.

Maybe password could be declared with the "volatile" attribute to
prevent this optimization.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
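The pattern the thread is arguing about, as an added illustration that is not code from the original post or from OpenSSH: a local `password` buffer that is `memset()` before the function returns, which a compiler may drop as a dead store because nothing reads the buffer afterwards, beside two scrubbing routines that survive optimization. Function names (`check_password_insecure`, `check_password_secure`, `secure_memzero`, `memset_fn`) and the sample password are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* Scrub through a volatile-qualified pointer. Each store is a side effect
 * the compiler must perform, so it cannot prove the loop dead.
 * (Hypothetical helper name; not part of any libc.) */
void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Alternative: call memset through a volatile function pointer. The
 * compiler no longer knows which function is called and so cannot apply
 * its knowledge of memset semantics to elide the call. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;

/* The pattern from the thread: copy the secret into a stack buffer,
 * use it, then memset() it before returning. Since `password` is never
 * read after the memset(), dead-store elimination may remove the call
 * and the password stays on the stack. */
static int check_password_insecure(const char *input, const char *expected)
{
    char password[PW_MAX];
    strncpy(password, input, sizeof password - 1);
    password[sizeof password - 1] = '\0';
    int ok = strcmp(password, expected) == 0;
    memset(password, 0, sizeof password); /* may be optimized away */
    return ok;
}

/* Same logic, but the scrub goes through secure_memzero() so the stores
 * are observable and must be emitted. */
static int check_password_secure(const char *input, const char *expected)
{
    char password[PW_MAX];
    strncpy(password, input, sizeof password - 1);
    password[sizeof password - 1] = '\0';
    int ok = strcmp(password, expected) == 0;
    secure_memzero(password, sizeof password);
    return ok;
}

/* Returns 1 if every byte of p[0..n) is zero. */
int is_zeroed(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Fill a buffer with a recognizable pattern, scrub it with
 * secure_memzero(), and report whether it is now all zero. */
int demo_scrub_volatile_ptr(void)
{
    unsigned char buf[32];
    memset(buf, 0xAA, sizeof buf);
    secure_memzero(buf, sizeof buf);
    return is_zeroed(buf, sizeof buf);
}

/* Same check using the volatile function-pointer variant. */
int demo_scrub_volatile_fnptr(void)
{
    unsigned char buf[32];
    memset(buf, 0xAA, sizeof buf);
    memset_fn(buf, 0, sizeof buf);
    return is_zeroed(buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample input for the demonstration. */
    printf("insecure match: %d\n", check_password_insecure("hunter2", "hunter2"));
    printf("secure match:   %d\n", check_password_secure("hunter2", "hunter2"));
    printf("volatile ptr scrub ok:   %d\n", demo_scrub_volatile_ptr());
    printf("volatile fnptr scrub ok: %d\n", demo_scrub_volatile_fnptr());
    return 0;
}
```

Whether the `memset()` in `check_password_insecure` is actually dropped depends on the compiler and optimization level; compare the generated assembly at `-O2` for the two functions to see the difference on a given toolchain. Either scrubbing routine only guarantees the stores to that buffer are emitted; copies of the secret left in registers or in spill slots elsewhere on the stack are not covered. Where available, a libc-provided routine with the same guarantee (`explicit_bzero` on OpenBSD and glibc 2.25+, C11 Annex K `memset_s`) is preferable to a hand-rolled one.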