On Monday, October 31, 2016 at 10:15:23 PM UTC-4, Jeffrey Walton wrote:
>
> FYI...
>
> We will have a bug report and clearing commit shortly.
>
Tracked the issue at "CAST and zeroizer removal by the optimizer", https://github.com/weidai11/cryptopp/issues/331.

Cleared at Commit 856c7c56ad2ebc9a, http://github.com/weidai11/cryptopp/commit/856c7c56ad2ebc9a534ec4136f6eca38a83950e2.

Jeff

> ---------- Forwarded message ----------
> From: Zhaomo Yang <[email protected]>
> Date: Mon, Oct 31, 2016 at 8:40 PM
> Subject: Security issue found in Crypto++
> To: [email protected], Kirill Levchenko <[email protected]>, Sorin Lerner <[email protected]>, Brian Johannesmeyer <[email protected]>
>
> TL; DR
> We found issues in your program that may have security implications.
>
> Hi folks,
>
> I am a Ph.D. student in Computer Science and Engineering from the
> University of California, San Diego. My colleagues and I are studying
> cases where optimizing compilers remove code that scrubs sensitive
> data. Specifically, developers clear sensitive objects after the last
> use. However, because the value set by the clearing operation is not
> used, the compiler (optimizer) may consider it dead code and thus
> remove it. This is a known issue and people have developed various
> ways to deal with it. See, for example the CERT C Secure Coding
> Standard recommendation MSC06-C
> (https://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations).
>
> We have modified the Clang compiler that reports cases where a store
> operation may be removed by the optimizer, allowing us to identify
> cases where sensitive data scrubbing operations are optimized out. We
> compiled Crypto++ 5.6.4 (the release version on Sept 11, 2016) using
> our instrumented Clang compiler using your project's default flags. We
> found that there may be some removed sensitive data clearing
> operations in your program. The report is attached. Here is how to
> read our report.
>
> ======= possible scrubbing removal =======
> Location: cryptopp564/cast.cpp:293:2
> Removed IR Instruction: call void @llvm.memset.p0i8.i64(i8* %1, i8 0, i64 32, i32 16, i1 false), !dbg !1382
> Comment: potentially security critical because the user key on the stack is not scrubbed
>
> Location: where the removed memory clearing operation is in the source
> code. In this example, it is in line 293, column 2 of
> cryptopp564/cast.cpp.
> Removed IR instruction: the removed LLVM IR instruction.
> Additional Info: provides additional information in case of inlining.
> In this example there is none. However, typically the enclosing
> function of the removed operation is inlined at the location given in
> brackets.
> Comment: our comment on the removal case.
>
> Here is the code snippet around line 293 in cryptopp564/cast.cpp:
>
> 287:             std::swap(K[i1],K[i2]);
> 288:             std::swap(K[i1+4],K[i2+4]);
> 289:         }
> 290:     }
> 291: }
> 292:
> 293: memset(kappa, 0, sizeof(kappa)); // *** THIS STATEMENT IS REMOVED BY THE COMPILER
> 294: }
>
> The removed IR instruction comes from line 293, where the memset tries
> to scrub the user key on the stack.
>
> - How to fix the program
> One way to fix the issue is to use Crypto++'s SecureWipeArray
> (defined in cryptopp564/misc.h) to clear memory. In case that you want
> to look at other implementations, we're attaching an implementation of
> a secure scrubbing function, secure_memzero(), that ensures that
> memory is cleared even if it is not accessed again. We are releasing
> this code into the public domain. You may use it in your code without
> altering the terms of your license.
>
> Thanks,
> Zhaomo Yang and Brian Johannesmeyer
> --

--
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
To unsubscribe, send an email to [email protected].
More information about Crypto++ and this group is available at http://www.cryptopp.com.
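The dead-store pattern from the report beside a wipe the optimizer keeps, as an added example that is not part of the original messages and is neither Crypto++'s SecureWipeArray nor the attached secure_memzero(). The names `wipe_volatile`, `mix`, `schedule_memset` and `schedule_wiped` are hypothetical, and the key schedule is a constructed stand-in for the one in cast.cpp.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper. GCC, Clang and MSVC keep stores made through a
 * volatile-qualified pointer, so this loop survives optimization. */
static void wipe_volatile(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Constructed stand-in for a key schedule: fills a 32-byte temporary (the
 * role kappa plays in cast.cpp) and returns an FNV-1a digest. len > 0. */
static uint32_t mix(unsigned char kappa[32], const unsigned char *key, size_t len)
{
    uint32_t acc = 2166136261u;
    for (size_t i = 0; i < 32; i++) {
        kappa[i] = key[i % len];
        acc = (acc ^ kappa[i]) * 16777619u;
    }
    return acc;
}

/* Pattern from the report: kappa is never read after the memset, so the
 * call is a dead store that the optimizer is allowed to delete. */
uint32_t schedule_memset(const unsigned char *key, size_t len)
{
    unsigned char kappa[32];
    uint32_t r = mix(kappa, key, len);
    memset(kappa, 0, sizeof(kappa));
    return r;
}

/* Same function with a wipe the compiler has to emit. */
uint32_t schedule_wiped(const unsigned char *key, size_t len)
{
    unsigned char kappa[32];
    uint32_t r = mix(kappa, key, len);
    wipe_volatile(kappa, sizeof(kappa));
    return r;
}

int main(void)
{
    const unsigned char key[] = "0123456789abcdef"; /* constructed key */
    return schedule_memset(key, 16) == schedule_wiped(key, 16) ? 0 : 1;
}
```

Compiling with `-O2 -S` and comparing the two functions in the assembly shows whether the zeroing stores were kept in each.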
