bjorn3 opened Issue #1327:
- What is the feature or code improvement you would like to do in Cranelift? All stack memory and all registers should be clearable when requested by the user of Cranelift.
- What is the value of adding this in Cranelift? This is very useful for cryptographic libraries, where any possible secret leak is one too much.
Do you have an implementation plan, and/or ideas for data structures or
algorithms to use? https://internals.rust-lang.org/t/annotations-for-zeroing-the-stack-of-sensitive-functions-which-deal-in-transient-secrets/11588/8Have you considered alternative implementations? If so, how are they better
or worse than your proposal?
sunfishcode commented on Issue #1327:
This probably would be pretty straightforward to implement.
That said, it's important to keep in mind the limitations of such a feature. This wouldn't prevent operating systems from paging out stack pages to persistent storage, or from saving register state during a context switch or a system suspend. It wouldn't prevent libcalls that Cranelift makes implicitly to runtime libraries or libc from leaving state in their stack frames. It wouldn't prevent a longjmp from jumping past a stack frame, or pthread_kill from killing a thread before its frames can be cleared. It wouldn't prevent hardware from keeping copies of the old values in physical registers, caches, or other microarchitectural state. And it wouldn't protect from many varieties of side-channel attacks. And there might be other limitations I haven't thought of.
alexcrichton transferred Issue #1327:
- What is the feature or code improvement you would like to do in Cranelift? All stack memory and all registers should be clearable when requested by the user of Cranelift.
- What is the value of adding this in Cranelift? This is very useful for cryptographic libraries, where any possible secret leak is one too much.
Do you have an implementation plan, and/or ideas for data structures or
algorithms to use? https://internals.rust-lang.org/t/annotations-for-zeroing-the-stack-of-sensitive-functions-which-deal-in-transient-secrets/11588/8Have you considered alternative implementations? If so, how are they better
or worse than your proposal?
Last updated: Dec 23 2024 at 13:07 UTC