> From: Jan Echternach [mailto:jan@goneko.de]
> Sent: Monday, November 11, 2002 11:47 AM
>
> On Fri, Nov 08, 2002 at 05:23:34PM +0100, Michael Zimmermann wrote:
> > Not to declare the intermediate storage for sensitive
> > data as 'volatile' is a coding flaw. An easily overlooked
> > one, yes, but nevertheless... Like forgetting to protect
> > critical code with semaphores.
>
> 'volatile' isn't sufficient to be safe. In fact, there's no way to
> be sure that some C code doesn't leave copies of sensitive data
> around, because there's nothing in the C standard that forbids the
> compiler from keeping copies of data.

True, and an important point, but a separate problem from the original one (memset being eliminated by dead store optimization).

The problem you describe here (and its variants, such as sensitive data remaining in persistent storage, e.g. a swap partition) is entirely outside the scope of the C standard. So, for that matter, is the obvious race between using and "scrubbing" the sensitive data.

Scrubbing is clearly no more than a best-effort attempt to make it more difficult to retrieve sensitive data from memory. I think it's of dubious value, frankly, and this thread has probably prompted more discussion than it warrants. There is a portable way to prevent the dead-store-elimination problem, but that's only one of scrubbing's many failings.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
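The following is an added example, not code from the thread or from any of its participants. Michael Wojcik's message says a portable way to defeat dead-store elimination exists but does not name it; this example assumes one widely used approach, writing the zeroes through a volatile-qualified pointer so that each store is a volatile access the compiler must emit. The function names `secure_scrub`, `all_zero` and `demo` and the secret value are constructed for this illustration. As the message notes, this only addresses the eliminated-memset problem: copies spilled to registers, the stack, or swap, and the window between use and scrubbing, are untouched.

```c
#include <stddef.h>
#include <string.h>

/*
 * The 'before' form: a plain memset() on a buffer that is about to go out
 * of scope is a dead store from the compiler's point of view and may be
 * removed, leaving the secret in memory. Shown for contrast only.
 */
static void naive_scrub(void *buf, size_t len)
{
    memset(buf, 0, len);
}

/*
 * Scrub through a volatile-qualified pointer. Each store is a volatile
 * access, which the C standard treats as observable behaviour, so in
 * practice compilers keep every store even when the buffer is never read
 * again. This is the assumed "portable way" referred to in the thread.
 */
void secure_scrub(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Check helper: returns 1 if every byte in buf is zero, else 0. */
int all_zero(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    for (size_t i = 0; i < len; i++) {
        if (p[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/*
 * Demonstration on a constructed secret: copy it into a stack buffer, use it,
 * then scrub before the buffer dies. Returns 1 if the scrub left all zeroes.
 */
int demo(void)
{
    unsigned char secret[32];
    static const char constructed[] = "constructed-secret-value-12345"; /* sample only */

    memset(secret, 0, sizeof secret);
    memcpy(secret, constructed, sizeof constructed - 1);

    /* ... the secret would be used here (key schedule, comparison, etc.) ... */

    naive_scrub(secret, sizeof secret);   /* may be optimised away */
    secure_scrub(secret, sizeof secret);  /* volatile stores are retained */

    return all_zero(secret, sizeof secret);
}
```

`naive_scrub` is kept only to show the shape of the code the thread is discussing; whether a given compiler actually drops it depends on optimisation level and inlining, which is exactly why relying on it is unsafe. The volatile-pointer version costs a byte-at-a-time loop but needs nothing beyond standard C.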