Date: Thu, 2 May 2024 18:34:47 +0100
On Thu, 2 May 2024 at 18:29, Jonathan Wakely <cxx_at_[hidden]> wrote:
>
>
> On Thu, 2 May 2024 at 18:11, Jens Maurer <jens.maurer_at_[hidden]> wrote:
>
>>
>>
>> On 26/01/2024 13.29, Jonathan Wakely via Liaison wrote:
>> > - memset_explicit
>> > I assume we want this.
>>
>> I can't see how to specify these effects in the C++ abstract machine.
>> If your array goes out-of-scope after the memset, there's no way to
>> normatively prevent the dead-store elimination.
>>
>
> What about defining it in terms of writes to volatile objects?
>
That isn't even a terrible abuse of volatile semantics, because the
observable side effects of writing to that memory really do matter. The
entire purpose is to ensure that any secrets in those memory locations are
not visible if there are reads that happen outside the abstract machine
(e.g. reading those bytes after the object has gone out of scope, because
exploit code doesn't care about our stinking "rules" and whether such reads
would be undefined). Volatile semantics seem quite appropriate for writes
that are non-elidable side effects and reads that happen outside the
abstract machine.
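The "writes to volatile objects" formulation under discussion, written out as code. This is an added illustration for the thread, not code from the thread, from C23 or from any standard library: `secure_clear`, `all_bytes_equal`, `clear_and_check` and the two `*_then_die` helpers are hypothetical names chosen here. It places the elidable plain-`memset` pattern beside a version that stores every byte through a volatile-qualified lvalue, so each store is an observable side effect the as-if rule does not permit the compiler to drop, even when the object dies right afterwards.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical secure_clear(): the volatile-writes formulation of
 * memset_explicit. Each byte is stored through a volatile lvalue, so the
 * stores are side effects in the abstract machine and cannot be treated
 * as dead stores, regardless of whether anything later reads them. */
void *secure_clear(void *s, int c, size_t n) {
    volatile unsigned char *p = (volatile unsigned char *)s;
    for (size_t i = 0; i < n; i++) {
        p[i] = (unsigned char)c;
    }
    return s;
}

/* Returns 1 if every byte of buf[0..n) equals v, otherwise 0. */
int all_bytes_equal(const unsigned char *buf, size_t n, unsigned char v) {
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != v) {
            return 0;
        }
    }
    return 1;
}

/* The pattern the thread worries about: a local secret is memset() to zero
 * immediately before it goes out of scope. Nothing inside the abstract
 * machine reads the zeroed bytes, so the compiler may delete the second
 * memset as a dead store and the key material can remain on the stack.
 * Always returns 0 here; nothing in-program can observe the difference. */
int plain_memset_then_die(void) {
    unsigned char key[32];
    memset(key, 0xAB, sizeof key);    /* constructed sample "secret" */
    memset(key, 0, sizeof key);       /* elidable: no subsequent read */
    return 0;                         /* key[] dies here */
}

/* Same shape, cleared through volatile stores. The stores are kept even
 * when no later read exists; that no-read case is the one that matters,
 * and it is exactly the case a C test cannot observe from within the
 * abstract machine. Returns 0 for symmetry with the plain version. */
int secure_clear_then_die(void) {
    unsigned char key[32];
    memset(key, 0xAB, sizeof key);    /* constructed sample "secret" */
    secure_clear(key, 0, sizeof key); /* not elidable */
    return 0;                         /* key[] dies here */
}

/* Self-check of secure_clear's in-scope behaviour: fills a constructed
 * buffer with `fill`, clears it to `clear_value`, and returns 1 if every
 * byte now holds clear_value and the original pointer was returned. */
int clear_and_check(int fill, int clear_value) {
    unsigned char buf[64];
    memset(buf, fill, sizeof buf);
    void *r = secure_clear(buf, clear_value, sizeof buf);
    return r == (void *)buf &&
           all_bytes_equal(buf, sizeof buf, (unsigned char)clear_value);
}

int main(void) {
    printf("secure_clear fills correctly: %s\n",
           clear_and_check(0xAB, 0) ? "yes" : "no");
    plain_memset_then_die();
    secure_clear_then_die();
    return 0;
}
```

Whether the plain version's final `memset` is actually removed depends on the compiler and optimisation level, which is the point made above: the standard gives no normative handle on it, whereas the volatile formulation pins the stores down in the abstract machine itself. The test below can only confirm the in-scope contract of `secure_clear`; the out-of-scope read it defends against is by definition outside anything the program can assert.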
Received on 2024-05-02 17:36:09