@michaelortmann

Use explicit_bzero() if available

The 'volatile' solution may not work as expected

Quote from https://www.gnu.org/software/libc/manual/html_node/Erasing-Sensitive-Data.html:

Declaring sensitive variables as volatile will make both the above problems worse; a volatile variable will be stored in memory for its entire lifetime, and the compiler will make more copies of it than it would otherwise have. Attempting to erase a normal variable “by hand” through a volatile-qualified pointer doesn’t work at all—because the variable itself is not volatile, some compilers will ignore the qualification on the pointer and remove the erasure anyway.

@emersion
Member

The 'volatile' solution may not work as expected

This isn't much of an issue: volatile isn't used for the sensitive data, instead it's used for the zeroes.

@emersion
Member

Yeah, this requires _GNU_SOURCE as I thought.

I'm not sure it's worth it to maintain this extra complexity for unclear benefits.

@emersion
Member

Sorry, I'm going to close this, we prefer to avoid non-POSIX functions.

@emersion emersion closed this Aug 14, 2021
@nmeum

nmeum commented Mar 30, 2024

Sorry, I'm going to close this, we prefer to avoid non-POSIX functions.

You cannot reliably zero memory without avoiding non-POSIX functions. explicit_bzero is nowadays implemented by OpenBSD, musl libc, and glibc (i.e. it is widely available). If you rely on the volatile keyword, chances are that the zeroing is optimized out by the compiler. For more background information refer to https://media.ccc.de/v/35c3-9788-memsad
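The two approaches argued over in this thread (explicit_bzero() where the libc provides it, a volatile-based fallback otherwise) side by side, as an added illustration that is not the project's code: the HAVE_EXPLICIT_BZERO macro is assumed to come from a build-system check, and the fallback calls memset() through a volatile function pointer rather than storing through a volatile-qualified data pointer, which is the construction the glibc manual quoted above warns about.

```c
/* Added example: wipe a secret with explicit_bzero() when available, else via
 * a volatile function pointer. Not taken from the project under discussion. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* glibc only declares explicit_bzero() with this set */
#endif
#include <stddef.h>
#include <string.h>

/* HAVE_EXPLICIT_BZERO is an assumed build-system macro (meson/autoconf
 * check); OpenBSD, musl and glibc all provide explicit_bzero(). */
#ifdef HAVE_EXPLICIT_BZERO
static void secure_zero(void *buf, size_t len) {
    explicit_bzero(buf, len);
}
#else
/* The callee behind a volatile function pointer is unknown at compile time,
 * so the compiler cannot prove the memset() is a dead store on a buffer that
 * is never read again and cannot drop it. This differs from writing zeroes
 * through a volatile char *, which some compilers are documented to ignore. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

static void secure_zero(void *buf, size_t len) {
    secure_memset(buf, 0, len);
}
#endif

/* Returns 1 if every byte of buf is zero, 0 otherwise. For tests only;
 * production code must not read the buffer after wiping it. */
static int is_zeroed(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Demo: copy a constructed sample passphrase into a stack buffer, wipe the
 * whole buffer and report whether anything survived the wipe. */
static int wipe_demo(void) {
    unsigned char pw[64];
    const char *sample = "correct horse battery staple"; /* constructed */
    size_t n = strlen(sample);
    memcpy(pw, sample, n);
    secure_zero(pw, sizeof pw);
    return is_zeroed(pw, sizeof pw);
}
```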

@nmeum

nmeum commented Mar 30, 2024

Since this issue has been closed for a couple of years now, I have opened #353 with a somewhat simpler implementation in the hopes of resuming the discussion there.
