| From | David Brown <david.brown@hesbynett.no> |
|---|---|
| Newsgroups | comp.compilers |
| Subject | Re: Crypto friendly optimization? |
| Date | 2024-08-25 12:32 +0200 |
| Organization | Compilers Central |
| Message-ID | <24-08-007@comp.compilers> (permalink) |
| References | <24-08-003@comp.compilers> |
On 24/08/2024 23:14, John R Levine wrote:
> On a cryptography list people were complaining that compiler optimizers
> mess up their cryptographic code and make it insecure. They try to write
> code that runs in constant time, or that erases all the temporary storage,
> but the compilers say oh, that's dead code, or oh, I can make this faster
> with a few branches and the erases go away and the constant time isn't.
>
> This 2018 paper from Cambridge discusses changes they made to Clang/LLVM
> so they could tell the compiler what they wanted it to do. Has there been
> other work on this topic?
There are all sorts of compiler flags, extensions and attributes in gcc
that can help here for security-critical code. I don't know the details
for clang, but I believe there is a great deal of overlap with gcc here.
<https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fhardened>
Enables a lot of security-related flags to limit attacks.
Stack scrubbing in general is useful here:
<https://gcc.gnu.org/onlinedocs/gcc/Stack-Scrubbing.html>
There are type and function attributes that give more control over stack
scrubbing.
And inline assembly can be used to control effects.
```c
#include <string.h>

extern void get_password(char * p);
extern void use_password(const char * p);

void unsafe(void) {
    char password[80];
    get_password(password);
    use_password(password);
    /* The buffer is never read again, so the optimiser is free to
       treat this memset as a dead store and drop it. */
    memset(password, 0, sizeof(password));
}

void safer(void) {
    char password[80];
    get_password(password);
    use_password(password);
    memset(password, 0, sizeof(password));
    /* Empty asm that claims to read and modify the array: the compiler
       must now assume the zeroed contents are used, so the memset stays. */
    __asm__ ("" : "+m" (password));
}
```
<https://godbolt.org/z/6vjeP8ac8>
These are, of course, compiler-specific. But it covers gcc and clang,
and the inline assembly works for old and new versions (stack scrubbing
is a relatively new addition to the compilers).
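The same barrier idiom packaged as reusable helpers, as an added example that is not from this post or from the gcc documentation; the names `secure_zero`, `ct_equal` and `wipe_and_check`, and the 0xA5 sample key, are my own. It generalises the post's `"+m"` array operand to a pointer-and-length wrapper (using a `"memory"` clobber, which is coarser) and applies the same trick to the constant-time comparison problem the quoted message raises.

```c
#include <stddef.h>
#include <string.h>

/* Pointer-and-length form of the barrier in safer() above. The asm has no
 * instructions; the "memory" clobber tells the compiler that memory may have
 * been read or written here, so the preceding memset cannot be treated as a
 * dead store. This is a stronger statement than "+m"(array), which names only
 * the one object. Works in gcc and clang. */
static void secure_zero(void *buf, size_t n)
{
    memset(buf, 0, n);
    __asm__ __volatile__("" : : "r"(buf) : "memory");
}

/* Constant-time equality: OR together every byte difference instead of
 * returning at the first mismatch. The empty asm makes acc opaque after each
 * step, so the optimiser cannot rewrite the loop as an early-exit compare. */
static int ct_equal(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= (unsigned char)(pa[i] ^ pb[i]);
        __asm__ ("" : "+r"(acc));
    }
    return acc == 0;
}

/* Fill a stack buffer with a constructed secret, wipe it, and report whether
 * every byte is zero afterwards. */
static int wipe_and_check(void)
{
    unsigned char key[32];
    memset(key, 0xA5, sizeof key);     /* constructed sample key, not real */
    secure_zero(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    int ok = wipe_and_check() && ct_equal("abcdef", "abcdef", 6)
             && !ct_equal("abcdef", "abcdeg", 6);
    return ok ? 0 : 1;
}
```

A runtime check like this only confirms the result, not that the store survived optimisation; inspect the -O2 output (as the godbolt link does) to see that the memset is still emitted.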