If a variable is declared as "volatile", the compiler by definition is
not supposed to make these kinds of optimizations.  I had issues one
time with some software I wrote for a hardware company to do a BIT
(built-in test) for memory errors and the compiler optimizing the store
and read of the memory.  After MUCH digging, I discovered "volatile".
It even changes the evaluations of conditional expressions.  Of course,
there are performance impacts.

As far as "root" and trojan versions of OpenSSL, picture an ISP doing
ecommerce.  If they have numerous administrators with root privileges,
replacing the SSL library is detectable and not as likely to happen.
Digging around in memory, however, is less detectable.

Kevin



-----Original Message-----
From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 22, 2002 4:51 AM
To: [EMAIL PROTECTED]
Cc: Richard Levitte - VMS Whacker; [EMAIL PROTECTED]
Subject: Re: IMPORTANT: The release of 0.9.6h is postponed


On Fri, Nov 22, 2002 at 11:28:27PM +1100, mlh wrote:
> Rich Salz wrote:
> >>I still see it as a problem, since the data then
> >>potentially sticks around for a longer time, and is therefore
> >>retrievable for anyone who cracked root if that would happen.
> >
> >
> >Anyone who can crack root will just install a trojan openssl library,
> >anyway.  Seems little point in holding up a release for this.
> >     /r$
> 
> Agreed.  It's not even clear you can prevent this
> sort of optimisation.
> 
> Some good discussions at
> 
> http://online.securityfocus.com/archive/1/300365/2002-11-12/2002-11-18/1
> 
> http://online.securityfocus.com/archive/82/297827/2002-10-26/2002-11-01/0

We did not conclusively investigate the risks and the options present.
That's why the release of 0.9.6h is postponed until we have evaluated
the situation.
0.9.6h is a maintenance release and I don't see any impact by postponing
it to next week.

Best regards,
        Lutz
-- 
Lutz Jaenicke
[EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
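
The optimization discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a final memset() on a buffer that is never read again can be dropped as a dead store, while stores through a volatile-qualified pointer are emitted. The function names, the 32-byte buffer and the 0xA5 fill are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Naive cleanup: key is never read after the last memset(), so an
 * optimizing compiler may treat that call as a dead store and drop it. */
void handle_secret_naive(void)
{
    unsigned char key[32];
    memset(key, 0xA5, sizeof key);   /* constructed stand-in for key material */
    /* ... use key ... */
    memset(key, 0, sizeof key);      /* candidate for dead-store elimination */
}

/* Wipe through a volatile-qualified pointer: each store is treated as a
 * side effect, so the compiler emits all of them. */
void wipe_volatile(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Memory-test style check (hypothetical helper): write a pattern and read
 * it back through volatile so neither the stores nor the loads are folded
 * away. Returns the number of mismatching bytes. */
size_t pattern_test(void *buf, size_t len, unsigned char pattern)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    size_t i, bad = 0;
    for (i = 0; i < len; i++)
        p[i] = pattern;
    for (i = 0; i < len; i++)
        if (p[i] != pattern)
            bad++;
    return bad;
}

/* Fill a buffer, wipe it, and return how many bytes are still non-zero. */
size_t demo_wipe(void)
{
    unsigned char key[32];
    size_t i, nonzero = 0;
    memset(key, 0xA5, sizeof key);
    wipe_volatile(key, sizeof key);
    for (i = 0; i < sizeof key; i++)
        nonzero += (key[i] != 0);
    return nonzero;
}
```

Strictly, the C standard's guarantee applies to objects defined volatile; mainstream compilers treat stores through a volatile-qualified pointer the same way, and this only clears the buffer itself, not copies left in registers or spilled to the stack. Where available, memset_s (C11 Annex K), explicit_bzero or SecureZeroMemory serve the same purpose.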

