
Insecure Compiler Optimization

Article ID: 142
Last updated: 08 May, 2008
Posted: 08 May, 2008
by: Tech Pubs S.
Updated: 08 May, 2008
by: Tech Pubs S.

Abstract

Improperly scrubbing sensitive data from memory can compromise security.

Description

Compiler optimization errors occur when:

  • Secret data is stored in memory.
  • The secret data is scrubbed from memory by overwriting its contents.
  • The source code is compiled using an optimizing compiler, which identifies the call that overwrites the contents as a dead store and removes it, because the memory is not used subsequently.

Examples

Example: "Dead store removal"

Memory-overwriting code is removed by an optimizing compiler, which leaves sensitive information in memory after its use.

The following code reads a password from the user, uses the password to connect to a back-end mainframe and then attempts to scrub the password from memory using memset().

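	#include <string.h>

	void GetData(char *MFAddr) {
		char pwd[64];
		if (GetPasswordFromUser(pwd, sizeof(pwd))) {
			if (ConnectToMainframe(MFAddr, pwd)) {
				// Interaction with mainframe
			}
		}
		// Intended scrub: pwd is never read again, so an optimizer may treat this as a dead store
		memset(pwd, 0, sizeof(pwd));
	}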

The code in the example will behave correctly if it is executed verbatim, but if the code is compiled using an optimizing compiler, such as Microsoft Visual C++
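
One way to keep the scrub from being removed, as an added example that is not part of the original article: GetData() with memset() replaced by a scrub helper. The names secure_zero() and is_all_zero(), the int return value of GetData(), and the bodies of GetPasswordFromUser() and ConnectToMainframe() are assumptions made for illustration; SecureZeroMemory() is the Windows API call.

```c
#include <stddef.h>
#include <string.h>
#if defined(_WIN32)
#include <windows.h>
#endif

/* Zero len bytes at buf so that the optimizer does not drop the stores. */
void secure_zero(void *buf, size_t len) {
#if defined(_WIN32)
    SecureZeroMemory(buf, len);   /* documented as not optimized away */
#else
    /* Fallback: compilers in practice keep stores made through a volatile
       lvalue. Prefer explicit_bzero() or memset_s() where available. */
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
#endif
}

/* Returns 1 if every byte in buf is zero (used to check the scrub). */
int is_all_zero(const void *buf, size_t len) {
    const unsigned char *p = (const unsigned char *)buf;
    for (size_t i = 0; i < len; i++) if (p[i] != 0) return 0;
    return 1;
}

/* Constructed stand-ins for the article's undefined helpers (assumptions). */
static int GetPasswordFromUser(char *pwd, size_t size) {
    strncpy(pwd, "constructed-sample-password", size - 1);
    pwd[size - 1] = '\0';
    return 1;
}
static int ConnectToMainframe(const char *MFAddr, const char *pwd) {
    return MFAddr != NULL && pwd[0] != '\0';
}

/* GetData() with the scrub hardened; returns 1 if the connection succeeded. */
int GetData(const char *MFAddr) {
    char pwd[64];
    int connected = 0;
    if (GetPasswordFromUser(pwd, sizeof(pwd))) {
        connected = ConnectToMainframe(MFAddr, pwd);
        /* Interaction with mainframe */
    }
    secure_zero(pwd, sizeof(pwd));   /* scrub on every path */
    return connected;
}

int main(void) { return GetData("mainframe.example") ? 0 : 1; }
```

To confirm the scrub survives in a given build, compile with optimization enabled and check the generated assembly for the zeroing stores.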