Karim Belabas on Mon, 10 Sep 2012 16:48:52 +0200


Re: Cleaning the pari-stack

* Manolo [2012-09-10 16:20]:
> I'm using pari-gp for building a small crypto-app. Even if it is a toy
> project, I want to do the things in the right way.
> One big concern in cryptography is to wipe any sensitive material from
> memory as fast as possible, in particular, the stack should be cleaned
> often.

Beware that an even greater concern is to use strong pseudo-random number
generators. (Ours, based on Brent's XORGEN, are definitely not suitable
for key or nonce generation.)

> In pari-gp, we have the normal stack and the pari-stack. About this
> last one, we know how to free pari-objects via "gerepile"-family
> functions; but if these objects contain sensitive material, this is
> not zeroed; the memory is free to be reused, but it is not wiped and
> the sensitive material could somehow be leaked (perhaps via a
> core dump?).
> So, I think a possible solution is to call a burn_paristack() function
> every time a critical calculation is done. For example:
> #include <pari/pari.h>
> #include <strings.h>
>
> void burn_paristack(void)
> {
>   /* ltop is the current stack top, st_lim the midpoint between bot and
>    * ltop; both are byte addresses, so their difference is already a
>    * byte count and needs no sizeof factor */
>   pari_sp ltop = avma, st_lim = stack_lim(ltop, 1);
>   size_t st_size = ltop - st_lim;
>   char *dump = (char*)stackmalloc(st_size); /* claim the region below ltop */
>   bzero(dump, st_size);                     /* overwrite it with zeros */
>   avma = ltop;                              /* and release it again */
> }
> This way, calling burn_paristack() zeroes half of the available
> room in the stack, wiping the information held by the last used
> objects.
> Did I argue well? Did I miss something? May this scheme be optimized?

I'd use simply

void burn_paristack(void) { bzero((void*)bot, avma - bot); }

(untested:-) to simply clear up the unused part of the stack.
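To compare the two wipes without linking libpari, here is an added example (not code from the thread or from PARI) that models the PARI stack geometry with a constructed 64-word buffer and the globals bot/top/avma; stack_lim is reproduced from PARI, stackmalloc is replaced by zeroing the region directly, and bzero by a memset reached through a volatile pointer so the compiler cannot drop the stores.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uintptr_t pari_sp;                 /* PARI's stack-pointer type */
#define STACK_WORDS 64                     /* constructed stand-in for the PARI stack */
static unsigned long stack_mem[STACK_WORDS];
static pari_sp bot, top, avma;

/* memset called through a volatile function pointer: the optimizer cannot
 * prove the stores dead, so zeroing of memory we are about to "free" survives. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

static void stack_init(void) { bot = (pari_sp)stack_mem; top = avma = bot + sizeof stack_mem; }

/* PARI-style allocation: the stack grows downward from top towards bot. */
static unsigned long *stack_alloc(size_t n) { avma -= n * sizeof *stack_mem; return (unsigned long *)avma; }

/* stack_lim(av, n) as in PARI's paricom.h: bot + (av - bot) / 2^n */
#define stack_lim(av, n) (bot + (((av) - bot) >> (n)))

/* Manolo's scheme: zero only the upper half of the unused region below ltop. */
void burn_half(pari_sp ltop) { secure_memset((void *)stack_lim(ltop, 1), 0, ltop - stack_lim(ltop, 1)); }

/* Karim's suggestion: zero the whole unused region [bot, avma). */
void burn_paristack(void) { secure_memset((void *)bot, 0, avma - bot); }

/* Words below avma that still hold non-zero data, i.e. leftover secrets. */
size_t leftover_words(void) {
    size_t n = 0;
    for (unsigned long *p = (unsigned long *)bot; p < (unsigned long *)avma; p++) n += *p != 0;
    return n;
}

/* Place two constructed "secrets" (a 4-word key and a deep 40-word temporary),
 * free them gerepile-style by resetting avma, wipe, and count what survives. */
size_t leftover_after(int full_wipe) {
    stack_init();
    pari_sp ltop = avma;
    unsigned long *key = stack_alloc(4), *tmp = stack_alloc(40);
    for (int i = 0; i < 4; i++) key[i] = 0xdeadbeefUL + i;
    for (int i = 0; i < 40; i++) tmp[i] = 0xcafeUL + i;
    avma = ltop;                           /* "freed", but the bytes are still there */
    if (full_wipe) burn_paristack(); else burn_half(ltop);
    return leftover_words();               /* 12 words survive the half wipe, 0 the full one */
}
```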

In fact, we already provide the analogous

  GEN x = ((GEN)bot);
  while (x < (GEN)avma) *x++ = 0xfefefefeUL;

whose purpose is not to wipe out information but to help debugging memory
corruptions (we can then hunt for the unlikely 0xfefefefe pattern in existing


Karim Belabas, IMB (UMR 5251)  Tel: (+33) (0)5 40 00 26 17
Universite Bordeaux 1          Fax: (+33) (0)5 40 00 69 50
351, cours de la Liberation    http://www.math.u-bordeaux1.fr/~belabas/
F-33405 Talence (France)       http://pari.math.u-bordeaux1.fr/  [PARI/GP]