[cfe-dev] Zero'ing Registers on Function Return

Szabolcs Nagy nsz at port70.net
Fri Sep 12 13:27:01 PDT 2014


* Russell Harmon <eatnumber1 at google.com> [2014-09-12 17:02:16 +0000]:
> I'm somewhat of a fan of Paul's solution - disallowing calls to
> non-annotated functions.
> 
> Would clearing the stack implicitly help all that much if the programmer
> has already properly cleared the sensitive via a call to memset_s?
> 
> I was wrong in saying to clear the caller owned registers, although we
> should also clear all the argument registers on return.

other issues with this function attribute approach:

on signals all registers are saved on the stack (or somewhere
else if sigaltstack was used)

so if you absolutely want to avoid info leak then you have to
remember to mask all signals (and disable thread cancellation)
(this affects the self-test trick as well)

a possible mitigation of this is (linux) kernel hardening:
make sigreturn always clean up after itself (i'm not sure if this
can break some tools though)

there are other minor issues if floating point arithmetic is used
(info leaking through fenv) but that's not much different than
writing static or thread local storage from the annotated function
(it's just less obvious)

> and in my opinion saying that a program shouldn't perform ub isn't really a
> sound argument to begin with.

you misunderstood the point i was trying to make:

if you extend c with new semantics that is only observable
when ub is invoked, you will have a hard time specifying it
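As an added illustration of the "mask all signals" point above (example code written for this page, not from the thread or from clang): the sensitive work and the wipe run with every signal blocked via sigprocmask, so no signal frame containing the live registers can be written to the stack in that window; a signal raised meanwhile stays pending until the mask is restored. SIGUSR1 and the 32-byte stand-in key are constructed for the demo; thread cancellation is not handled here.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <string.h>

/* Counts handler invocations so the test can see when delivery happened. */
static volatile sig_atomic_t handler_runs = 0;

static void on_sig(int sig) { (void)sig; handler_runs++; }

/* Wipe that the compiler cannot elide (volatile stores). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Install the demo handler for SIGUSR1 (constructed choice of signal). */
int install_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sig;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGUSR1, &sa, NULL);
}

/* Do secret-handling work with all signals blocked, then wipe and unmask.
   Stores how many signals were delivered inside the window (expected 0).
   Returns 0 on success, -1 if the mask could not be changed. */
int run_with_signals_masked(int *delivered_while_masked) {
    sigset_t all, saved;
    unsigned char key[32];                 /* stand-in for a secret */
    sigfillset(&all);
    if (sigprocmask(SIG_BLOCK, &all, &saved) != 0) return -1;
    sig_atomic_t before = handler_runs;
    memset(key, 0xA5, sizeof key);
    raise(SIGUSR1);                        /* blocked: stays pending */
    /* ... use key here; no signal frame can snapshot the registers ... */
    secure_zero(key, sizeof key);
    *delivered_while_masked = handler_runs - before;
    /* Restoring the mask delivers the pending SIGUSR1 only now, after the
       secret has been wiped from the buffer. */
    if (sigprocmask(SIG_SETMASK, &saved, NULL) != 0) return -1;
    return 0;
}
```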
