From RISKS: secret scrubbing code removed by optimizers
Bob Proulx
bob at proulx.com
Fri Nov 8 12:50:35 EST 2002
Gary E. Miller <gem at rellim.com> [2002-11-07 15:51:44 -0800]:
> On Fri, 8 Nov 2002, Gert Doering wrote:
>
> > in that case, "password" is a local variable to the function, and the
> > compiler can rightfully assume that it will never be accessed after
> > function return (because it's on the stack and its scope doesn't exist
> > anymore).
>
> In a non-paranoid world you are correct. In a paranoid world further
> analysis is required.
>
> If the memset() is eliminated as "dead code", then the password stays on
> the stack. Then anyone looking at /dev/kmem can see it in the clear.
> Worse yet, the stack could be swapped out to disk and now the password
> is on the disk in the clear.
Right, and Gert, I believe, agrees with you, if I read that right. But he
was saying that was not the case and therefore that was why gcc would
not be optimizing it away. I think you both are in agreement.
Bob
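The dead-store scenario Gert and Gary are discussing, as an added example (not code from this thread or from OpenSSH): a checker whose trailing memset() on a local password buffer is a store to an object that dies at function return, so the optimizer may delete it, beside a version that scrubs through a volatile pointer so each store is a side effect the compiler must keep. The checker functions, buffer size and demo string are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* The pattern from the thread: "password" is a local, and the final
 * memset() writes to an object that is dead once the function returns,
 * so dead-store elimination may remove it and the secret stays on the
 * stack.  (Constructed checker, not OpenSSH code.) */
static int check_password_naive(const char *attempt, const char *expected)
{
    char password[64];
    int ok;

    strncpy(password, attempt, sizeof password - 1);
    password[sizeof password - 1] = '\0';
    ok = (strcmp(password, expected) == 0);

    memset(password, 0, sizeof password);   /* candidate for dead-store elimination */
    return ok;
}

/* Mitigation: write through a volatile pointer.  Volatile stores are
 * observable side effects, so the compiler must emit every one of them.
 * explicit_bzero() / memset_s() are library equivalents where available. */
static void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

static int check_password_scrubbed(const char *attempt, const char *expected)
{
    char password[64];
    int ok;

    strncpy(password, attempt, sizeof password - 1);
    password[sizeof password - 1] = '\0';
    ok = (strcmp(password, expected) == 0);

    secure_memzero(password, sizeof password);  /* survives optimization */
    return ok;
}

/* Fills a buffer with a constructed secret, scrubs it, and reports
 * whether every byte is zero while the buffer is still in scope. */
static int demo_scrub(void)
{
    unsigned char buf[32];
    size_t i;

    memcpy(buf, "constructed-secret-for-demo-1234", sizeof buf);
    secure_memzero(buf, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
```

The volatile scrub addresses only the elimination problem raised in the thread; Gary's second point, the stack page being swapped to disk, is a separate concern that memory locking (mlock) addresses, not zeroing.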