[riot-notifications] [RIOT-OS/RIOT] Possible memset optimized out in crypto code (#10751)

Kees Bakker notifications at github.com
Thu Jan 10 21:14:06 CET 2019

After watching the presentation of Ilja van Sprundel at CCC [1] I noticed that there is at least one location where a `memset` is used at the end of a function to clear sensitive data. However, as explained in Ilja's talk, there is a high chance that the memset is optimized out.

SHA1Transform(u32 state[5], const unsigned char buffer[64])
    u32 a, b, c, d, e;
    typedef union {
        unsigned char c[64];
        u32 l[16];
    } CHAR64LONG16;
    CHAR64LONG16* block;
    /* Wipe variables */
    a = b = c = d = e = 0;
    os_memset(block, 0, 64);

This final memset is clearing `block`. Most compilers however know about `memset`, and they know it is clearing local data which is never used again. Thus the compiler can and will remove that code. It's not a bug of the compiler, it's simply allowed. The programmer on the other wants that memory to be cleared to not leave it on the stack after the function finishes.

In the same module, there is another occurrence of a memset at the end of a function.

[1] [2018 Chaos Communication Congress talk Memsad](https://media.ccc.de/v/35c3-9788-memsad)

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riot-os.org/pipermail/notifications/attachments/20190110/6f3c09a8/attachment.html>

More information about the notifications mailing list