Support
Articles and Tutorials
Policy
FAQ
Glossary
Products
Sax2 NIDS
Sax2 Screenshots
Buy Now
White Papers
Awards
Download
Contact Us

Consulting:

Technical Support:

Sales:

General Information:

 
 

Insecure Compiler Optimization
 

Abstract

Improperly scrubbing sensitive data from memory can compromise security.

Description

Compiler optimization errors occur when:

  • Secret data is stored in memory.
  • The secret data is scrubbed from memory by overwriting its contents.
  • The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently.

Examples

Example: "Dead store removal"

Memory overwriting code is removed by optimizing compiler, which causes sensitive information left in the memory after its usage.

The following code reads a password from the user, uses the password to connect to a back-end mainframe and then attempts to scrub the password from memory using memset().

	 void GetData(char *MFAddr) { 
	 char pwd[64];
	 if (GetPasswordFromUser(pwd, sizeof(pwd))) {
	  if (ConnectToMainframe(MFAddr, pwd)) {
			  // Interaction with mainframe
		 }
	   }
	   memset(pwd, 0, sizeof(pwd));
	}

The code in the example will behave correctly if it is executed verbatim, but if the code is compiled using an optimizing compiler, such as Microsoft Visual C++