Bill Allombert on Mon, 10 Sep 2012 18:34:42 +0200

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: Cleaning the pari-stack

On Mon, Sep 10, 2012 at 04:19:44PM +0200, Manolo wrote:
> I'm using pari-gp for building a small crypto-app. Even if it is a toy
> project, I want to do the things in the right way.
> One big concern in cryptography is to wipe any sensitive material from
> memory as fast as possible, in particular, the stack should be cleaned
> often.
> In pari-gp, we have the normal stack and the pari-stack. About this
> last one, we know how to free pari-objects via "gerepile"-family
> functions; but if these objects contain sensitive material, this is
> not zeroed; the memory is free to be reused, but it is not wiped and
> the sensitive material could some way be leaked off (perhaps due to a
> core dump?).

You are correct concerning the way gerepile() works, but you need to define
what are your security requirement precisely.

If you look a crypto application like gpg (GNU Privacy Gard), you will see
that it disable core dump using setrlimit() and that sensitive data are stored
in a dedicated memory pool which is locked in RAM using the mlock() system call
(or the MAP_LOCKED mmap flag) which forbid the kernel to write the data to the
swap device. This prevents the data to be on the hard disk after a power loss
for example.

Getting access to the RAM is much harder, but if you assume the attacker can do it,
then it is almost impossible to defend against it, because at some point your data
will have to be in RAM.

However overwriting the sensitive data as soon as you no more need them is still
good pratice, of course.