[cfe-dev] Zero'ing Registers on Function Return

Russell Harmon eatnumber1 at google.com
Thu Sep 11 19:30:39 PDT 2014


I've been thinking about the issues with securely zeroing buffers that
Colin Percival discusses in his blog article
<http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html>,
and I think I'd like to take a stab at fixing it in clang. Here's my
proposal:

Add a function attribute, say __attribute__((clear_regs_on_return)), which,
when a thus-annotated function returns, will zero all callee-owned registers
and spill slots. Then, all unused caller-owned registers will be
immediately cleared by the caller after return.

As for why, I'm concerned with the case where a memory disclosure
vulnerability exposes all or a portion of sensitive data via either spilled
registers or infrequently used registers (xmm). If an attacker is able to
analyze a binary for situations wherein sensitive data will be spilled,
then, leveraging a memory disclosure vulnerability, it's likely one could
craft an exploit that reveals sensitive data.

What does the list think?
-Russ Harmon
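The following is an added example, not code from the proposal above or from clang. It shows, by hand, roughly what the callee half of the proposed attribute would have the compiler emit: after a function has finished with a secret, its local buffer is zeroed through a volatile pointer (so the stores cannot be dropped as dead), and then the caller-clobberable scratch registers are cleared with inline assembly before returning. Everything here is constructed: the toy keyed checksum is a stand-in for a real MAC, the register lists cover only scratch registers on x86-64 and AArch64 (other targets get a no-op), and spill slots are deliberately not touched, because a function cannot see its own spill slots from C, which is exactly why the proposal wants compiler support.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical helper, not clang's): clear the registers a
 * callee is allowed to clobber. The compiler is told via the clobber list
 * that these registers are destroyed, so live values are kept elsewhere. */
#if defined(__x86_64__)
#define ZERO_XMM(n) "pxor %%xmm" #n ", %%xmm" #n "\n\t"
#define ZERO_GPR(r) "xorl %%" #r ", %%" #r "\n\t"   /* 32-bit xor zero-extends to 64 */
static inline void clear_scratch_registers(void) {
    __asm__ __volatile__(
        ZERO_XMM(0)  ZERO_XMM(1)  ZERO_XMM(2)  ZERO_XMM(3)
        ZERO_XMM(4)  ZERO_XMM(5)  ZERO_XMM(6)  ZERO_XMM(7)
        ZERO_XMM(8)  ZERO_XMM(9)  ZERO_XMM(10) ZERO_XMM(11)
        ZERO_XMM(12) ZERO_XMM(13) ZERO_XMM(14) ZERO_XMM(15)
        ZERO_GPR(ecx) ZERO_GPR(edx) ZERO_GPR(esi) ZERO_GPR(edi)
        ZERO_GPR(r8d) ZERO_GPR(r9d) ZERO_GPR(r10d) ZERO_GPR(r11d)
        : : :
        "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11",
        "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
        "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
        "memory");
    /* rax is left alone: it carries the return value out of the function. */
}
#elif defined(__aarch64__)
#define ZERO_VEC(n) "movi v" #n ".2d, #0\n\t"
#define ZERO_GPR(n) "mov x" #n ", #0\n\t"
static inline void clear_scratch_registers(void) {
    __asm__ __volatile__(
        ZERO_VEC(0)  ZERO_VEC(1)  ZERO_VEC(2)  ZERO_VEC(3)
        ZERO_VEC(4)  ZERO_VEC(5)  ZERO_VEC(6)  ZERO_VEC(7)
        ZERO_VEC(16) ZERO_VEC(17) ZERO_VEC(18) ZERO_VEC(19)
        ZERO_VEC(20) ZERO_VEC(21) ZERO_VEC(22) ZERO_VEC(23)
        ZERO_VEC(24) ZERO_VEC(25) ZERO_VEC(26) ZERO_VEC(27)
        ZERO_VEC(28) ZERO_VEC(29) ZERO_VEC(30) ZERO_VEC(31)
        ZERO_GPR(9) ZERO_GPR(10) ZERO_GPR(11) ZERO_GPR(12)
        ZERO_GPR(13) ZERO_GPR(14) ZERO_GPR(15)
        : : :
        "x9", "x10", "x11", "x12", "x13", "x14", "x15",
        "v0", "v1", "v2", "v3", "v4", "v5", "v6", "v7",
        "v16", "v17", "v18", "v19", "v20", "v21", "v22", "v23",
        "v24", "v25", "v26", "v27", "v28", "v29", "v30", "v31",
        "memory");
}
#else
static inline void clear_scratch_registers(void) { /* no-op: target not covered here */ }
#endif

/* Zero through a volatile pointer so the stores survive dead-store elimination. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Constructed toy keyed checksum (FNV-1a over key then message). It stands in
 * for a real MAC or KDF purely so the example has a secret to handle. */
static uint32_t toy_keyed_checksum(const uint8_t *key, size_t keylen,
                                   const uint8_t *msg, size_t msglen) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < keylen; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < msglen; i++) { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Roughly the cleanup a clear_regs_on_return function would get for free:
 * buffer zeroing (necessary but, per the thread, not sufficient) followed by
 * scratch-register clearing. Spill slots remain untouched. */
uint32_t tag_with_cleanup(const uint8_t *key, size_t keylen,
                          const uint8_t *msg, size_t msglen) {
    uint8_t k[32];
    if (keylen > sizeof k) keylen = sizeof k;
    memcpy(k, key, keylen);
    uint32_t tag = toy_keyed_checksum(k, keylen, msg, msglen);
    secure_zero(k, sizeof k);
    clear_scratch_registers();
    return tag;
}

/* Self-check that the volatile zeroing actually clears every byte. */
int secure_zero_selftest(void) {
    uint8_t buf[16];
    memset(buf, 0xA5, sizeof buf);
    secure_zero(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i] != 0) return 0;
    return 1;
}

/* Constructed inputs; the reference result is the same checksum without cleanup,
 * which confirms the register clearing does not corrupt the returned value. */
static const uint8_t demo_key[] = "constructed-demo-key";
static const uint8_t demo_msg[] = "constructed message";
uint32_t demo_tag(void) { return tag_with_cleanup(demo_key, sizeof demo_key - 1, demo_msg, sizeof demo_msg - 1); }
uint32_t demo_reference(void) { return toy_keyed_checksum(demo_key, sizeof demo_key - 1, demo_msg, sizeof demo_msg - 1); }

int main(void) {
    printf("tag=%08x reference=%08x selftest=%d\n", demo_tag(), demo_reference(), secure_zero_selftest());
    return 0;
}
```

What this does not do is the point of the proposal: the compiler may still have spilled part of the key buffer or of the checksum state to a stack slot, and no C-level cleanup can reach that slot, nor can the callee clear the caller's unused registers. Compiling with and without optimization and diffing the generated assembly around the epilogue is a quick way to see which copies survive.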