Improperly scrubbing sensitive data from memory can compromise security.
Compiler optimization errors occur when:
1. Secret data is stored in memory.
2. The secret data is scrubbed from memory by overwriting its contents.
3. The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently.
Example: The following code reads a password from the user, uses the password to connect to a back-end mainframe and then attempts to scrub the password from memory using memset()
.
void GetData(char *MFAddr) {
char pwd[64];
if (GetPasswordFromUser(pwd, sizeof(pwd))) {
if (ConnectToMainframe(MFAddr, pwd)) {
// Interaction with mainframe
}
}
memset(pwd, 0, sizeof(pwd));
}
memset()
will be removed as a dead store because the buffer pwd
is not used after its value is overwritten [2]. Because the buffer pwd
contains a sensitive value, the application may be vulnerable to attack if the data is left memory resident. If attackers are able to access the correct region of memory, they may use the recovered password to gain control of the system.memset()
as dead code because the memory being written to is not subsequently used, despite the fact that there is clearly a security motivation for the operation to occur. The problem here is that many compilers, and in fact many programming languages, do not take this and other security concerns into consideration in their efforts to improve efficiency. [1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3230.2 CAT II
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 14
[6] Standards Mapping - FIPS200 - (FISMA) MP
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.4, Requirement 6.5.8, Requirement 8.4
[10] M. Howard Some Bad News and Some Good News Microsoft
[11] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press