Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <55F07EF6.8080004@panix.com>
Date: Wed, 9 Sep 2015 14:48:22 -0400
From: Zack Weinberg <zackw@...ix.com>
To: Rich Felker <dalias@...c.org>
Cc: gcc@....gnu.org, GNU C Library <libc-alpha@...rceware.org>,
 musl@...ts.openwall.com
Subject: Re: Compiler support for erasure of sensitive data

On 09/09/2015 01:13 PM, Rich Felker wrote:
> On Wed, Sep 09, 2015 at 12:47:10PM -0400, Zack Weinberg wrote:
>> On Wed, Sep 9, 2015 at 12:42 PM, Rich Felker <dalias@...c.org> wrote:
>>> You're making this harder than it needs to be. The "m" constraint is
>>> the wrong thing to use here. Simply use:
>>>
>>>         __asm__(""::"r"(ptr):"memory");
>>
>> Please review my earlier conversation with Adhemerval on exactly this point.
> 
> My understanding is that you consider this a "big hammer". Does that
> really matter if the intent is that it only be used in isolated,
> sensitive contexts? Are you just unhappy with the performance cost, or
> concerned that the clobber will cause more spilling of sensitive data?

Please review *all* of my earlier conversation with Adhemerval, in
particular the bit where I compiled libressl three different ways and
analyzed the assembly dumps.  I'm sure there's more to be said on the
topic, but *starting* from there.

> the hack with the "m" constraint is wrong and easily fixed

It's not wrong; it is in fact the documented way to express a fixed-size
read access to one block of memory.  Look for "ten bytes of a string"
within https://gcc.gnu.org/onlinedocs/gcc-4.8.1/gcc/Extended-Asm.html
(sorry, there don't appear to be anchors).

It merely doesn't work in C++, with Clang, or (maybe) with a block of
memory whose size cannot be determined at compile time.

zw

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.