Karim Belabas on Mon, 10 Sep 2012 16:48:52 +0200



Re: Cleaning the pari-stack


* Manolo [2012-09-10 16:20]:
> I'm using pari-gp for building a small crypto-app. Even if it is a toy
> project, I want to do the things in the right way.
> 
> One big concern in cryptography is to wipe any sensitive material from
> memory as fast as possible, in particular, the stack should be cleaned
> often.

Beware that an even greater concern is to use strong pseudo-random number
generators. (Ours, based on Brent's XORGEN, are definitely not suitable
for key or nonce generation.)

> In pari-gp, we have the normal stack and the pari-stack. About this
> last one, we know how to free pari-objects via "gerepile"-family
> functions; but if these objects contain sensitive material, this is
> not zeroed; the memory is free to be reused, but it is not wiped and
> the sensitive material could some way be leaked off (perhaps due to a
> core dump?).
> 
> So, I think a possible solution is to call a burn_paristack() function
> every time a critical calculation is done. For example:
> 
> void burn_paristack()
> {
>   pari_sp ltop = avma, st_lim = stack_lim(ltop, 1);
>   size_t st_size = ltop - st_lim; /* addresses: already a byte count */
>   char *dump;
> 
>   dump = stackmalloc(st_size);
>   bzero(dump, st_size);
>   avma = ltop;
> }
> 
> This way, calling to burn_paristack() zeroes half of the available
> room in the stack, wiping the information held by the last used
> objects.
> 
> Did I argue well? Did I miss something? May this scheme be optimized?

I'd use simply

void
burn_paristack() { bzero((void*)bot, avma - bot); }

(untested:-) to simply clear up the unused part of the stack.

In fact, we already provide the analogous

void
fill_stack(void)
{
  GEN x = ((GEN)bot);
  while (x < (GEN)avma) *x++ = 0xfefefefeUL;
}

whose purpose is not to wipe out information but to help debugging memory
corruptions (we can then hunt for the unlikely 0xfefefefe pattern in existing
objects).

Cheers,

    K.B.
-- 
Karim Belabas, IMB (UMR 5251)  Tel: (+33) (0)5 40 00 26 17
Universite Bordeaux 1          Fax: (+33) (0)5 40 00 69 50
351, cours de la Liberation    http://www.math.u-bordeaux1.fr/~belabas/
F-33405 Talence (France)       http://pari.math.u-bordeaux1.fr/  [PARI/GP]
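The unused-stack wipe sketched in the reply, as an added stand-alone example (not PARI's code and not the poster's): the PARI stack is modelled as a malloc'd byte range with bot/avma addresses so it runs without libpari, and the wipe goes through a volatile function pointer because a plain memset on memory that is never read again is exactly the store a compiler may delete as dead.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the PARI stack: a byte range [bot, top) filled from the high end
 * down; [avma, top) holds live objects, [bot, avma) is free. The three
 * variables are plain addresses, as PARI's pari_sp is; no libpari here. */
typedef uintptr_t pari_sp;
static pari_sp bot, top, avma;

static void stack_init(size_t bytes)
{
  bot = (pari_sp)malloc(bytes);
  top = bot + bytes;
  avma = top;
}

/* Allocate n bytes by moving avma down, like new_chunk()/stackmalloc(). */
static void *stack_alloc(size_t n) { avma -= n; return (void *)avma; }

/* memset reached through a volatile pointer: the compiler cannot see which
 * function runs, so it cannot drop the write as a dead store to memory that
 * is never read again (the usual way a wipe silently disappears). */
static void *(*volatile wipe_fn)(void *, int, size_t) = memset;

/* Karim's one-liner: zero the free part of the stack, [bot, avma). */
static void burn_paristack(void) { wipe_fn((void *)bot, 0, avma - bot); }

/* 1 if every byte of [lo, hi) is zero. */
static int range_is_zero(pari_sp lo, pari_sp hi)
{
  for (const unsigned char *p = (const unsigned char *)lo; (pari_sp)p < hi; p++)
    if (*p) return 0;
  return 1;
}

/* Scenario: a constructed "key" lives on the stack, is released the way
 * gerepile()/avma = ltop would release it, and stays readable until burned. */
int demo(void)
{
  stack_init(4096);
  pari_sp ltop = avma;
  unsigned char *key = stack_alloc(32);
  memset(key, 0xA5, 32);                  /* constructed sensitive bytes */
  avma = ltop;                            /* freed, but not wiped */
  int leaked = !range_is_zero(bot, avma); /* the bytes are still there */
  burn_paristack();
  int wiped = range_is_zero(bot, avma);
  free((void *)bot);
  return leaked && wiped;                 /* 1: leaked before, clean after */
}
```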