Subject: Re: [boost] [xint] Boost.XInt formal review
From: Nevin Liber (nevin_at_[hidden])
Date: 2011-03-12 01:51:31


On 11 March 2011 18:51, Chad Nelson <chad.thecomfychair_at_[hidden]> wrote:

> That was brought up during the review this week. I plan to implement
> much safer zeroing code than is presently in there now,

How? Short of platform-specific extensions (which basically inhibit the
optimizer) or waiting around for the next C standard (with memset_s), I'm
not seeing it.

A discussion of this issue can be found at <
https://www.securecoding.cert.org/confluence/display/cplusplus/MSC06-CPP.+Be+aware+of+compiler+optimization+when+dealing+with+sensitive+data>,
where their conclusion is "However, it should be noted that both calling
functions and accessing volatile qualified objects can still be optimized
out (while maintaining strict conformance to the standard), so the above may
still not work."

> and provide a
> way for people to add their own if they feel that my implementation is
> insufficient.
>

Either you are making a guarantee or you aren't. If you aren't, it is worse
than not doing anything at all, as it gives people a false sense of
security.

>
> > This stuff is hard to get right. You are better off not implementing
> > it.
>
> On the contrary. It's *because* it's hard to get right that it belongs
> in a library.
>

By experts (and even they aren't perfect). When non-experts do it, we get
vulnerabilities.

-- 
 Nevin ":-)" Liber  <mailto:nevin_at_[hidden]>  (847) 691-1404
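The point under discussion, that a plain memset before a buffer goes out of scope is a dead store the optimizer may drop under the as-if rule, next to the two workarounds CERT MSC06-CPP describes (a volatile store loop and calling memset through a volatile function pointer), as an added example in C. This is not code from Boost.XInt or from anyone in this thread; the helper names secure_memzero, secure_memzero_fp, naive_wipe and wipe_then_check are my own, and the 32-byte "key" is constructed filler, not real key material.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive wipe (the pattern the thread warns about): once the buffer is
 * never read again, this memset is a dead store and an optimizing
 * compiler is free to remove it. */
void naive_wipe(unsigned char *buf, size_t len)
{
    memset(buf, 0, len);
}

/* Workaround 1: store through a volatile lvalue. Accesses to volatile
 * objects count as observable side effects, so the stores are normally
 * emitted, though CERT notes the standard does not strictly require it. */
void secure_memzero(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--) {
        *vp++ = 0;
    }
}

/* Workaround 2: call memset through a volatile function pointer. The
 * compiler must reload the pointer at the call, cannot prove which
 * function runs, and so cannot treat the call as a removable dead store. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_memzero_fp(void *p, size_t len)
{
    memset_ptr(p, 0, len);
}

/* Count the bytes that are still nonzero after a wipe. */
size_t count_nonzero(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        n += (buf[i] != 0);
    }
    return n;
}

/* Fill a buffer with a constructed sample secret, wipe it with the chosen
 * variant (0 = naive, 1 = volatile loop, 2 = volatile function pointer)
 * and return how many nonzero bytes remain. */
size_t wipe_then_check(int variant)
{
    unsigned char key[32];

    /* Constructed filler: 0xA5 ^ i is never zero for i < 32. */
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }

    switch (variant) {
    case 0:  naive_wipe(key, sizeof key);        break;
    case 1:  secure_memzero(key, sizeof key);    break;
    default: secure_memzero_fp(key, sizeof key); break;
    }

    /* Reading the buffer here keeps every store live, which is exactly why
     * a program cannot detect dead-store elimination from the inside. */
    return count_nonzero(key, sizeof key);
}

int main(void)
{
    printf("nonzero bytes left: naive=%zu volatile-loop=%zu volatile-fnptr=%zu\n",
           wipe_then_check(0), wipe_then_check(1), wipe_then_check(2));
    return 0;
}
```

All three variants report zero bytes left, and that is the caveat Nevin raises: because wipe_then_check reads the buffer afterwards, the store is live and nothing is elided, so no in-program test can tell the safe version from the naive one. The only check is the generated code, for example `gcc -O2 -S` on this file and confirming that naive_wipe, called on a buffer that is not read again, has lost its memset while secure_memzero still contains the byte stores. Even then the volatile loop is slower than memset and, as the CERT page quoted above says, not guaranteed by the standard; where the platform provides memset_s (C11 Annex K, optional), explicit_bzero (glibc 2.25 and the BSDs) or SecureZeroMemory (Windows), those are the intended tool, and none of them address copies of the secret left in registers, spill slots or other buffers.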

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk