Secure memory wiping

[tiran]

The patch in http://bugs.python.org/issue17405 might be interesting for cryptography. It contains my research on secure memory wiping and a C89 implementation of C11's memset_s() function.

Quote:
Compilers like GCC optimize away code like memset(var, 0, sizeof(var)) if the code occurs at the end of a function and var is not used anymore [1]. But security relevant code like hash and encryption use this to overwrite sensitive data with zeros.

The code in _sha3module.c uses memset() to clear its internal state. The other hash modules don't clear their internal states yet.

There exists a couple of solutions for the problem:

• C11 [ISO/IEC 9899:2011] has a memset_s() function
• MSVC has SecureZeroMemory()
• GCC can disable the optimization with #pragma GCC optimize ("O0") since GCC 4.4
• [2] contains an example for a custom implementation of memset_s() with volatile.

[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8537
[2] https://www.securecoding.cert.org/confluence/display/seccode/MSC06-C.+Be+aware+of+compiler+optimization+when+dealing+with+sensitive+data

[dstufft]

I'm not sure this is going to be relevant for this. Ideally we won't be writing any crypto ourselves and will just be making an API over top of a backing library like OpenSSL.

[tiran]

Most crypto libs don't handle memory management themselves. The application is responsible for allocating and freeing blocks of memory. Usually a consumer of a crypto lib allocates a fixed size buffer on the stack and applies the buffer to a crypto function. The buffer should be whipped with memset_s() afterwards. The page [2] explains it in great detail.

[alex]

Yup, we can add a with secure_wipe(bytes) as c_buffer (better name needed) thing

[public]

We can implement this for bytes yet our asymmetric API relies a lot on large secret ints :-/

[public]

I think #845 should close this for now?