...
```c
void getPassword(void) {
  char pwd[64];
  if (retrievePassword(pwd, sizeof(pwd))) {
    /* Checking of password, secure operations, etc. */
  }
  memset(pwd, 0, sizeof(pwd));
  /* Read and write pwd back through a volatile-qualified pointer so the
     preceding memset() is not a dead store the optimizer may remove. */
  *(volatile char *)pwd = *(volatile char *)pwd;
}
```
...
However, note that both calling functions and accessing volatile-qualified objects can still be optimized out while maintaining strict conformance to the standard (pwd itself is not declared volatile; only the access is made through a volatile-qualified lvalue, and a call to a clearing function can be inlined and its effect discarded), so this compliant solution still might not work in some cases. The memset_s() function introduced in C11 is the preferred solution (see the following solution for more information). If the memset_s() function is not yet available on your implementation, this compliant solution is the best alternative and can be discarded once memset_s() is supported by your implementation.
Compliant Solution (C11, Annex K)
As of C11, Annex K of the C Standard includes a memset_s function. Subclause K.3.7.4.1, paragraph 4 [ISO/IEC 9899:2011], states:

> Unlike memset, any call to the memset_s function shall be evaluated strictly according to the rules of the abstract machine as described in (5.1.2.3). That is, any call to the memset_s function shall assume that the memory indicated by s and n may be accessible in the future and thus must contain the values indicated by c.
Note that Annex K is conditionally normative, so it may not be available on all platforms. An implementation that provides it defines the macro __STDC_LIB_EXT1__, and the program must define __STDC_WANT_LIB_EXT1__ to 1 before including <string.h> for memset_s to be declared.
```c
#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>

void getPassword(void) {
  char pwd[64];
  if (retrievePassword(pwd, sizeof(pwd))) {
    /* Checking of password, secure operations, etc. */
  }
  /* memset_s(s, smax, c, n): smax is the size of the destination and n
     the number of bytes to set; n > smax is a runtime-constraint violation. */
  memset_s(pwd, sizeof(pwd), 0, sizeof(pwd));
}
```
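The volatile-pointer solution and the Annex K solution can be combined into one clearing routine that works on either kind of implementation. The following is an added example, not code from the CERT page: secure_memzero() calls memset_s with its full four-argument signature when the implementation defines __STDC_LIB_EXT1__, and otherwise calls memset through a volatile function pointer, which the optimizer cannot prove is memset and so cannot remove as a dead store. The retrieve_secret() stub, its sample secret, and the two checking functions are constructed for this example; they count the nonzero bytes left in the buffer while it is still in scope so the clearing can be verified.

```c
#define __STDC_WANT_LIB_EXT1__ 1 /* must precede the first <string.h> include */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Volatile function pointer to memset: the compiler must assume its value
 * can change at run time, so it cannot recognise the call as memset and
 * cannot drop it as a dead store. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

/* Zero len bytes at p in a way the optimizer is not permitted to elide.
 * Returns 0 on success; nonzero if memset_s reports a runtime-constraint
 * violation (only possible on an Annex K implementation). */
int secure_memzero(void *p, size_t len) {
#if defined(__STDC_LIB_EXT1__)
  /* Annex K present: memset_s(s, smax, c, n), with n <= smax. */
  return memset_s(p, len, 0, len) != 0;
#else
  /* No Annex K: call memset through the volatile pointer. */
  memset_ptr(p, 0, len);
  return 0;
#endif
}

/* Stand-in for the page's retrievePassword(): copies a constructed sample
 * secret into buf. Returns 1 on success, 0 if buf is too small. */
static int retrieve_secret(char *buf, size_t n) {
  static const char sample[] = "correct horse battery staple"; /* constructed */
  if (n < sizeof sample) {
    return 0;
  }
  memcpy(buf, sample, sizeof sample);
  return 1;
}

/* Same shape as the page's getPassword(), but checks its own work: returns
 * how many bytes of pwd are still nonzero after clearing, counted inside
 * the function while pwd is still in scope. Expected result: 0. */
size_t leftover_after_clear(void) {
  char pwd[64];
  size_t leftover = 0;
  if (retrieve_secret(pwd, sizeof pwd)) {
    /* Password check / secure operations would go here. */
  }
  if (secure_memzero(pwd, sizeof pwd) != 0) {
    return (size_t)-1; /* clearing itself failed; report worst case */
  }
  for (size_t i = 0; i < sizeof pwd; i++) {
    leftover += (pwd[i] != 0);
  }
  return leftover;
}

/* Fills a buffer with a known nonzero pattern, clears it, and returns the
 * number of bytes that survived. len is capped at the buffer size. */
size_t nonzero_bytes_after_clear(size_t len) {
  unsigned char buf[256];
  size_t nonzero = 0;
  if (len > sizeof buf) {
    len = sizeof buf;
  }
  memset(buf, 0xAA, len);
  if (secure_memzero(buf, len) != 0) {
    return (size_t)-1;
  }
  for (size_t i = 0; i < len; i++) {
    nonzero += (buf[i] != 0);
  }
  return nonzero;
}

int main(void) {
  printf("bytes left after clearing password buffer: %zu\n",
         leftover_after_clear());
  printf("bytes left after clearing 0xAA buffer: %zu\n",
         nonzero_bytes_after_clear(128));
  return 0;
}
```

The volatile-pointer fallback is the same idea as the page's `*(volatile char *)pwd` trick applied to the call rather than to the data, and it is what several libraries use when neither memset_s nor a platform routine such as SecureZeroMemory is available. The check functions read the buffer back before it leaves scope; reading a stack buffer after its function has returned would be undefined behaviour and would prove nothing.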
...
If the compiler optimizes out memory-clearing code, an attacker can gain access to sensitive data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC06-C | Medium | Probable | Medium | P8 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection

Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | BADFUNC.MEMSET | Use of memset
LDRA tool suite | | 35 S, 57 S, 8 D, 65 D, 76 D, 105 D, I J, 3 J | Partially implemented
Parasoft C/C++test | | CERT_C-MSC06-a | Avoid calls to memory-setting functions that can be optimized out by the compiler
PC-lint Plus | | 586 | Assistance provided
PVS-Studio | | V597, V712 |
Related Guidelines
Bibliography

[ISO/IEC 9899:2011] | Subclause 6.8.5, "Iteration Statements"; Subclause K.3.7.4.1, "The memset_s Function"
[MSDN] | "SecureZeroMemory"; "Optimize (C/C++)"; "Safe Clearing of Private Data"
[US-CERT] | "MEMSET"
[Wheeler 2003] | Section 11.4, "Specially Protect Secrets (Passwords and Keys) in User Memory"
...