Bug: sensitive data written to insecure memory

[Florian Weimer]

Andrew Archibald <aarchiba at yahoo.com> writes:

> In a number of the cryptographic algorithms (for example, cast5.c and
> rijndael.c) sensitive data are written to temporary variables, which are
> stored on the stack.

I've independently discovered similar problems in the MPI
implementation and/or the asymmetric ciphers (it's not clear which one
is the culprit).

I think a rough audit of all related code is required, and if the
problem appears to be fixable with a limited amount of work (which,
when done properly, would have to involve changing some of the MPI
assembler primitives), it should be fixed.

Otherwise, the whole concept of secure memory should be dumped, and
the use of operating systems with encrypted swap space should be
recommended in the documentation.

(Everything IMHO, as always.)

> For most architectures, these variables probably live in registers almost
> all the time and are therefore not very susceptible to paging.  But This
> sort of relies on the compiler to be nice and the architecture to ave
> enough registers.

This is especially important since the most commonly used architecture
has only eight registers, each with different purposes, and two of
them are even not available in most situations.  Go figure. :-/

> A possible solution would be to either allocate some scratch space in
> secure memory or to pass in some pre-allocated scratch space.  The first
> will slow down ciphers significantly, and the second will change the API.
> A third possibility that might work is allocating them statically once. 

This code belongs the cryptographic library, and using static space
would make it unsafe for multithreading.  IMHO, this isn't the way to
go.