From: David Brown
Newsgroups: comp.compilers
Subject: Re: Crypto friendly optimization?
Date: Sun, 25 Aug 2024 12:32:42 +0200
Organization: Compilers Central
Message-ID: <24-08-007@comp.compilers>
References: <24-08-003@comp.compilers>
In-Reply-To: <24-08-003@comp.compilers>
Keywords: optimize

On 24/08/2024 23:14, John R Levine wrote:
> On a cryptography list people were complaining that compiler optimizers
> mess up their cryptographic code and make it insecure. They try to write
> code that runs in constant time, or that erases all the temporary storage,
> but the compilers say oh, that's dead code, or oh, I can make this faster
> with a few branches and the erases go away and the constant time isn't.
>
> This 2018 paper from Cambridge discusses changes they made to Clang/LLVM
> so they could tell the compiler what they wanted it to do. Has there been
> other work on this topic?

There are all sorts of compiler flags, extensions and attributes in gcc that can help here for security-critical code. I don't know the details for clang, but I believe there is a great deal of overlap with gcc here.

Enables a lot of security-related flags to limit attacks.

Stack scrubbing in general is useful here:

There are type and function attributes that give more control over stack scrubbing.

And inline assembly can be used to control effects.
#include <string.h>

extern void get_password(char * p);
extern void use_password(const char * p);

void unsafe(void)
{
    char password[80];
    get_password(password);
    use_password(password);
    /* Nothing reads password after this, so the optimizer may drop the store. */
    memset(password, 0, sizeof(password));
}

void safer(void)
{
    char password[80];
    get_password(password);
    use_password(password);
    memset(password, 0, sizeof(password));
    /* Empty asm that "reads and writes" password: the memset is no longer dead. */
    __asm__ ("" : "+m" (password));
}

These are, of course, compiler-specific. But it covers gcc and clang, and the inline assembly works for old and new versions (stack scrubbing is a relatively new addition to the compilers).
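A general-buffer version of the barrier trick from safer() above, added here as an example and not part of David Brown's post: secure_wipe, ct_is_zero, demo_wipe and the sample bytes are assumed names and constructed data, and the empty asm uses a "memory" clobber instead of the post's "+m" operand so it works for a buffer of any size, not only a fixed array.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Zero n bytes at p, then hand the pointer to an empty asm statement with a
 * "memory" clobber. The compiler must assume the asm reads the zeroed
 * memory, so it cannot treat the memset as a dead store. This is the
 * any-size form of the "+m"(password) trick in the post. */
void secure_wipe(void *p, size_t n)
{
    memset(p, 0, n);
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#else
    /* Other compilers: volatile stores may not be elided, so redo the
     * wipe byte by byte through a volatile pointer. */
    volatile unsigned char *vp = (volatile unsigned char *)p;
    for (size_t i = 0; i < n; i++) vp[i] = 0;
#endif
}

/* Constant-time check that every byte is zero: OR all bytes together with
 * no early exit, then turn the accumulator into 0/1 without a branch, so
 * timing does not depend on where a non-zero byte sits. */
int ct_is_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return (int)((acc - 1u) >> 31);   /* 1 iff acc == 0 */
}

/* Constructed sample: the first two bytes are zero, later ones are not. */
const unsigned char sample[6] = { 0x00, 0x00, 0x5A, 0x00, 0xFF, 0x01 };

/* Mirrors the post's safer(): a secret in a local array is used, then
 * wiped before return. Returns 1 when the wipe left only zeros. */
int demo_wipe(void)
{
    unsigned char secret[80];
    memset(secret, 0xA5, sizeof secret);   /* stand-in for get_password() */
    secure_wipe(secret, sizeof secret);
    return ct_is_zero(secret, sizeof secret);
}
```

To confirm the barrier does its job, build at -O2 and inspect the disassembly of demo_wipe: the zeroing stores survive, whereas with secure_wipe replaced by a bare memset they are typically removed.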