From RISKS: secret scrubbing code removed by optimizers

Bob Proulx bob at
Fri Nov 8 12:50:35 EST 2002

Gary E. Miller <gem at> [2002-11-07 15:51:44 -0800]:
> On Fri, 8 Nov 2002, Gert Doering wrote:
> > in that case, "password" is a local variable to the function, and the
> > compiler can rightfully assume that it will never be accessed after
> > function return (because it's on the stack and its scope doesn't exist
> > anymore).
> In a non-paranoid world you are correct.  In a paranoid world further
> analysis is required.
> If the memset() is eliminated as "dead code", then the password stays on
> the stack.  Then anyone looking at /dev/kmem can see it in the clear.
> Worse yet, the stack could be swapped out to disk and now the password
> in on the disk in the clear.

Right and Gert I believe agrees with you if I read that right.  But he
was saying that was not the case and therefore that was why gcc would
not be optimizing it away.  I think you both are in agreement.


More information about the openssh-unix-dev mailing list