FYI... We will have a bug report and clearing commit shortly.
---------- Forwarded message ----------
From: Zhaomo Yang <[email protected]>
Date: Mon, Oct 31, 2016 at 8:40 PM
Subject: Security issue found in Crypto++
To: [email protected], Kirill Levchenko <[email protected]>, Sorin Lerner <[email protected]>, Brian Johannesmeyer <[email protected]>

TL;DR: We found issues in your program that may have security implications.

Hi folks,

I am a Ph.D. student in Computer Science and Engineering from the University of California, San Diego. My colleagues and I are studying cases where optimizing compilers remove code that scrubs sensitive data. Specifically, developers clear sensitive objects after the last use. However, because the value set by the clearing operation is not used, the compiler (optimizer) may consider it dead code and thus remove it. This is a known issue, and people have developed various ways to deal with it. See, for example, the CERT C Secure Coding Standard recommendation MSC06-C (https://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations).

We have modified the Clang compiler so that it reports cases where a store operation may be removed by the optimizer, allowing us to identify cases where sensitive data scrubbing operations are optimized out. We compiled Crypto++ 5.6.4 (the release version on Sept 11, 2016) using our instrumented Clang compiler with your project's default flags. We found that there may be some removed sensitive data clearing operations in your program. The report is attached.

Here is how to read our report.

======= possible scrubbing removal =======
Location: cryptopp564/cast.cpp:293:2
Removed IR Instruction: call void @llvm.memset.p0i8.i64(i8* %1, i8 0, i64 32, i32 16, i1 false), !dbg !1382
Comment: potentially security critical because the user key on the stack is not scrubbed

Location: where the removed memory clearing operation is in the source code. In this example, it is in line 293, column 2 of cryptopp564/cast.cpp.
Removed IR instruction: the removed LLVM IR instruction.
Additional Info: provides additional information in case of inlining. In this example there is none. However, typically the enclosing function of the removed operation is inlined at the location given in brackets.
Comment: our comment on the removal case.

Here is the code snippet around line 293 in cryptopp564/cast.cpp:

287: std::swap(K[i1],K[i2]);
288: std::swap(K[i1+4],K[i2+4]);
289: }
290: }
291: }
292:
293: memset(kappa, 0, sizeof(kappa)); // *** THIS STATEMENT IS REMOVED BY THE COMPILER
294: }

The removed IR instruction comes from line 293, where the memset tries to scrub the user key on the stack.

- How to fix the program

One way to fix the issue is to use Crypto++'s SecureWipeArray (defined in cryptopp564/misc.h) to clear memory. In case you want to look at other implementations, we're attaching an implementation of a secure scrubbing function, secure_memzero(), that ensures that memory is cleared even if it is not accessed again. We are releasing this code into the public domain. You may use it in your code without altering the terms of your license.

Thanks,
Zhaomo Yang and Brian Johannesmeyer
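As an added example (not the secure_memzero() attached to the report and not Crypto++'s SecureWipeArray), here is a scrubbing routine of the kind the report recommends, next to a constructed stand-in for the kappa-on-the-stack pattern from cast.cpp; derive_schedule, its toy mixing and all_zero are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example of a scrubbing routine (not the attached secure_memzero()).
 * Stores go through a volatile pointer, so each byte write must be emitted
 * even though the buffer is never read again. The empty asm with a "memory"
 * clobber tells GCC/Clang the memory may be observed afterwards, so the loop
 * cannot be dropped as a dead store the way the plain memset() was. */
void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Returns 1 if every byte of the region is zero, else 0. */
int all_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    while (n--)
        if (*b++)
            return 0;
    return 1;
}

/* Constructed stand-in for the CAST key setup in the report: the user key is
 * copied into a 32-byte stack buffer (kappa), a schedule K is derived from it,
 * and kappa is scrubbed before returning. The mixing is toy code, not CAST;
 * the final clear is the store the report flagged as removable when it was
 * written as memset(). Returns 8 words on success, 0 if the key is too long. */
size_t derive_schedule(const uint8_t *user_key, size_t key_len, uint32_t K[8])
{
    uint8_t kappa[32];
    size_t i;
    if (key_len > sizeof(kappa))
        return 0;
    memset(kappa, 0, sizeof(kappa));     /* zero-pad short keys; kappa is read below */
    memcpy(kappa, user_key, key_len);
    for (i = 0; i < 8; i++)
        K[i] = ((uint32_t)kappa[4 * i] << 24) | ((uint32_t)kappa[4 * i + 1] << 16)
             | ((uint32_t)kappa[4 * i + 2] << 8) | (uint32_t)kappa[4 * i + 3];
    secure_memzero(kappa, sizeof(kappa)); /* survives dead-store elimination */
    return 8;
}
```

Whether a given build actually keeps the clear is something to confirm by inspecting the emitted code for the function (or with a tool like the instrumented Clang described above), since no portable runtime check can read a dead stack frame.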
