Bug: sensitive data written to insecure memory

Andrew Archibald aarchiba at yahoo.com
Tue Apr 3 23:34:08 CEST 2001

In a number of the cryptographic algorithms (for example, cast5.c and
rijndael.c) sensitive data are written to temporary variables, which are
stored on the stack.  The stack does not seem to be locked into physical
RAM, so these variables caould get written out to swap.  In particular, the
Feistel-type ciphers tend to have a l and an r variable which hold the
partially encrypted block.  So when decryption is done, the last block ends
up on the stack in unencrypted form; swapping could easily record this to a
disk partition.  The local variables are also not scrubbed 

For most architectures, these variables probably live in registers almost
all the time and are therefore not very susceptible to paging.  But This
sort of relies on the compiler to be nice and the architecture to ave
enough registers.

A possible solution would be to either allocate some scratch space in
secure memory or to pass in some pre-allocated scratch space.  The first
will slow down ciphers significantly, and the second will change the API.
A third possibility that might work is allocating them statically once. 

Andrew Archibald

More information about the Gnupg-devel mailing list