Re: how to avoid a memset() optimization

Francis Wai <fwai@rsasecurity.com> wrote:


> In a recent article (http://online.securityfocus.com/archive/82/297827),
> Peter Gutmann raised a concern which has serious implications in
> secure programming. His example, along the lines of,
>
> int main()
> {
> char key[16];
> strcpy(key, "whatever");
> encrpts(key);
> memset(key, 0, 16);
> }
>
> where memset() was optimized away because memset() is the last
> expression before the next sequence point and that its side-effect is
> not needed and that the subject of memset() is an auto variable. ...
>
> Various suggestions have been made, such as declaring the variable
> volatile and having a scrub memory function in a file of its own.


> [Declaring the array volatile is the right way to do it. The reason
> volatile exists is to tell the compiler not to do otherwise valid
> optimizations. -John]


Which is good news for the C/C++ crowd (at least those with compliant
compilers), but what about compilers for other languages?
[If they have something like volatile, use it. If not, you're on your
own. -John]

Return to the comp.compilers page.
Search the comp.compilers archives again.