RustCrypto / utils

Utility crates used in RustCrypto

Weak secret deletion after use #969

Closed AM0SSYS closed 10 months ago

AM0SSYS commented 10 months ago

Hello, we have uncovered that various sensitive elements manipulated by cryptographic algorithms are not correctly deleted in memory after their use. An attacker performing a memory dump after an execution of a cryptographic mechanism and analysing its content is able to achieve the following:

• After an asymmetric encryption/decryption execution, an attacker can retrieve residues that allow obtaining the encryption (and/or authentication) key, for example with round keys. In addition, pieces of the plaintext message can also be recovered,

• After an execution of a cryptographic mechanism using a private key, an attacker can recover residues that allow obtaining the private key. Otherwise, in the case of RSA decryption, pieces of the plaintext message can also be recovered,

• After an execution of a hash function or a password derivation mechanism, an attacker can recover message or password residues in plaintext. It can retrieve them directly or by reconstructing them from intermediate values.

tarcieri commented 10 months ago

I would suggest opening issues specific to the crates in question. You've opened this issue on our utilities repo, which doesn't have anything to do with the algorithms in question.

Please see a previous issue on the aes crate here: https://github.com/RustCrypto/block-ciphers/issues/385

An attacker performing a memory dump...

An attacker with a memory read oracle is generally outside our threat model. Such an attacker can also read plaintexts out of memory, entirely bypassing anything to do with encryption.

If you are simply worried about secrets left on the stack, per the above issue that is not something we can easily handle at a library level. Since LLVM doesn't have any notion of secrets and can freely spill whatever values it wants onto the stack, there is often very little we can do.

See this IRLO thread: https://internals.rust-lang.org/t/rustc-copying-cryptographic-keys-onto-the-stack-instead-of-using-them-via-pointer/19625

If you are concerned about secrets left on the stack after a cryptographic operation, you need some mechanism to clear the stack after such operations. One option might be using something like Boost or libfringe to allocate a stack for running cryptographic operations, then zeroizing that stack after the operation completes.

However, these sorts of heavy-handed solutions to stack clearing are not something we can easily integrate at a library level.
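The library-level mitigation the reply contrasts with stack clearing, as an added example that is not code from the zeroize crate in this repo or from the thread: a volatile-write wipe of a heap buffer the wrapper owns, run on drop. `SecretKey`, `zeroize_bytes` and `wiped_is_all_zero` are names chosen for this example. It also shows the limit the reply describes: nothing here reaches copies of the key that the compiler spills onto the stack or into registers while `expose()` is in use.

```rust
use core::ptr;
use core::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros using volatile stores, so the optimizer
/// cannot drop the writes as dead stores to memory that is about to be freed.
/// Same idea as the zeroize crate, re-implemented here for the example.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusive reference to one byte of `buf`.
        unsafe { ptr::write_volatile(b, 0) };
    }
    // Keep later memory operations from being reordered before the wipe.
    compiler_fence(Ordering::SeqCst);
}

/// Heap-owned secret that is wiped when it goes out of scope.
/// Only the bytes this Vec owns are cleared; temporaries the compiler
/// creates while a caller uses `expose()` are outside its control.
pub struct SecretKey(Vec<u8>);

impl SecretKey {
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretKey(bytes)
    }
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        zeroize_bytes(&mut self.0);
    }
}

/// Helper for checking the wipe: copy `key`, wipe the copy, report if all zero.
pub fn wiped_is_all_zero(key: &[u8]) -> bool {
    let mut copy = key.to_vec();
    zeroize_bytes(&mut copy);
    copy.iter().all(|&b| b == 0)
}

fn main() {
    // Constructed sample key, not a real secret.
    let key = SecretKey::new(vec![0x42u8; 32]);
    println!("key length: {}", key.expose().len());
    println!("copy wiped: {}", wiped_is_all_zero(key.expose()));
    // `key` is dropped here and its heap bytes are zeroized.
}
```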