public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/107648] New: RFE: add an attribute for indicating security-sensitive data
@ 2022-11-11 20:38 dmalcolm at gcc dot gnu.org
0 siblings, 0 replies; only message in thread
From: dmalcolm at gcc dot gnu.org @ 2022-11-11 20:38 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107648
Bug ID: 107648
Summary: RFE: add an attribute for indicating
security-sensitive data
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
-fanalyzer implements -Wanalyzer-exposure-through-output-file, but it's
currently just a proof-of-concept, where the only source of "sensitive" data is
hardcoded as the result of the getpass function.
Consider "explicit_bzero":
https://man7.org/linux/man-pages/man3/bzero.3.html
It would be nice to have an attribute for marking the argument to
explicit_bzero as being security-sensitive, and the analyzer could perhaps then
walk backwards from the callsite, checking that the contents of the buffer
don't get exposed anywhere.
Similarly, this could perhaps be used for annotating e.g. security APIs where
private keys are passed in.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-11-11 20:38 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-11 20:38 [Bug analyzer/107648] New: RFE: add an attribute for indicating security-sensitive data dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).