From: | David Brown <david.brown@hesbynett.no> |
Newsgroups: | comp.compilers |
Date: | Sun, 25 Aug 2024 12:32:42 +0200 |
Organization: | Compilers Central |
References: | 24-08-003 |
Injection-Info: | gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970"; logging-data="22551"; mail-complaints-to="abuse@iecc.com" |
Keywords: | optimize |
Posted-Date: | 25 Aug 2024 13:28:18 EDT |
In-Reply-To: | 24-08-003 |
On 24/08/2024 23:14, John R Levine wrote:
> On a cryptography list people were complaining that compiler optimizers
> mess up their cryptographic code and make it insecure. They try to write
> code that runs in constant time, or that erases all the temporary storage,
> but the compilers say oh, that's dead code, or oh, I can make this faster
> with a few branches and the erases go away and the constant time isn't.
>
> This 2018 paper from Cambridge discusses changes they made to Clang/LLVM
> so they could tell the compiler what they wanted it to do. Has there been
> other work on this topic?

There are all sorts of compiler flags, extensions and attributes in gcc
that can help here for security-critical code. I don't know the details
for clang, but I believe there is a great deal of overlap with gcc here.

<https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fhardened>
Enables a lot of security-related flags to limit attacks.

Stack scrubbing in general is useful here:
<https://gcc.gnu.org/onlinedocs/gcc/Stack-Scrubbing.html>

There are type and function attributes that give more control over stack
scrubbing.

And inline assembly can be used to control effects.
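
#include <string.h>

extern void get_password(char * p);
extern void use_password(const char * p);

void unsafe(void) {
    char password[80];
    get_password(password);
    use_password(password);
    /* password is not read after this point, so the compiler may
       drop the memset as a dead store */
    memset(password, 0, sizeof(password));
}

void safer(void) {
    char password[80];
    get_password(password);
    use_password(password);
    memset(password, 0, sizeof(password));
    /* empty asm with password as a read-write memory operand, so the
       asm counts as a use of the zeroed buffer */
    __asm__ ("" : "+m" (password));
}
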
<https://godbolt.org/z/6vjeP8ac8>

These are, of course, compiler-specific. But it covers gcc and clang,
and the inline assembly works for old and new versions (stack scrubbing
is a relatively new addition to the compilers).
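
The post's `"+m" (password)` operand names the array object directly. As an added example (not code from the post), here is the same idea as a reusable helper that takes a pointer and a length. `secure_zero` and `toy_tag` are hypothetical names, the key bytes are constructed, and the `"r"` input with a `"memory"` clobber is a different constraint form from the one the post uses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the post): zero n bytes at p in a way the
 * optimizer cannot drop as a dead store. */
void secure_zero(void *p, size_t n)
{
#if defined(__GNUC__)
    memset(p, 0, n);
    /* Empty asm taking the pointer as input and clobbering "memory": the
     * compiler must assume the asm reads the buffer, so the memset stays. */
    __asm__ __volatile__("" : : "r"(p) : "memory");
#else
    /* Without GNU inline asm: volatile stores are observable side effects. */
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#endif
}

/* Constructed demo: copy a key into a stack temporary, compute a toy
 * (non-cryptographic) checksum with it, then scrub the temporary. */
unsigned toy_tag(const unsigned char *key, size_t key_len,
                 const unsigned char *msg, size_t msg_len)
{
    unsigned char tmp[32];
    unsigned tag = 0;
    size_t i;

    if (key_len == 0 || key_len > sizeof tmp)
        return 0;
    memcpy(tmp, key, key_len);
    for (i = 0; i < msg_len; i++)
        tag += (unsigned)(msg[i] ^ tmp[i % key_len]);
    secure_zero(tmp, sizeof tmp);   /* tmp is never read again */
    return tag;
}

int main(void)
{
    static const unsigned char key[] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed */
    printf("%u\n", toy_tag(key, sizeof key, (const unsigned char *)"abc", 3));
    return 0;
}
```

To confirm the stores survive on a given compiler, build with optimisation enabled and check the generated assembly for `toy_tag`.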