If a variable is declared as "volatile", the compiler by definition is not supposed to make these kinds of optimizations. I had issues one time with some software I wrote for a hardware company to do a BIT (built-in test) for memory errors and the compiler optimizing the store and read of the memory. After MUCH digging, I discovered "volatile". It even changes the evaluations of conditional expressions. Of course, there are performance impacts.
As far as "root" and trojan versions of OpenSSL, picture an ISP doing ecommerce. If they have numerous administrators with root priveledes, replacing the SSL library is detectable and not as likely to happen. Digging around in memory, however, is less detectable. Kevin -----Original Message----- From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]] Sent: Friday, November 22, 2002 4:51 AM To: [EMAIL PROTECTED] Cc: Richard Levitte - VMS Whacker; [EMAIL PROTECTED] Subject: Re: IMPORTANT: The release of 0.9.6h is postponed On Fri, Nov 22, 2002 at 11:28:27PM +1100, mlh wrote: > Rich Salz wrote: > >>I still see it as a problem, since the data then > >>potentially sticks around for a longer time, and is therefore > >>retrievable for anyone who cracked root if that would happen. > > > > > >Anyone who can crack root will just install a trojan openssl library, > >anyway. Seems little point in holding up a release for this. > > /r$ > > Agreed. It's not even clear you can prevent this > sort of optimisation. > > Some good discussions at > > http://online.securityfocus.com/archive/1/300365/2002-11-12/2002-11-18/1 > > http://online.securityfocus.com/archive/82/297827/2002-10-26/2002-11-01/ 0 We did not conclusively investigate the risks and the options present. That's why the release of 0.9.6h is postponed until we evaluated the situation. 0.9.6h is a maintenance release and I don't see any impact by postponing it to next week. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
