SecureZero & SecureBuffer Implementations for U++

[ismail-yilmaz]

Overview

This discussion proposes a secure memory handling utility for U++ applications: SecureZero and SecureBuffer<T>. These are designed for use cases involving sensitive data (e.g., cryptographic keys, passwords) that must be actively erased from memory before deallocation.

Goals

• Provide reliable, cross-platform secure memory zeroing (SecureZero).

• Ensure memory used by sensitive data is zeroed and locked against swapping (SecureBuffer<T>).

• Maintain safety and compatibility with U++ memory management.

---

SecureZero<T>

A template function that securely clears memory regions of trivially copyable types. It uses platform-specific and cryptographically secure mechanisms to ensure zeroing cannot be optimized out by the compiler.

Key Features

• Template-constrained to trivially copyable types via static_assert.

• Uses OPENSSL_cleanse() if OpenSSL 0.9.7+ is available.

• Fallback implementation uses volatile byte/dword writes to ensure compiler does not remove memory clearing.

• Adds an explicit memory barrier with std::atomic_thread_fence.

template<typename T> SecureZero(T ptr, size_t size); // size is the number of elements, not bytes
template<typename T> SecureZero(T& obj) // overload

---

SecureBuffer<T>

A RAII container almost identical to Upp::Buffer but for sensitive data, ensuring:

• Template-constrained to trivially copyable types via static_assert.

• Memory is allocated dynamically.

• Memory is locked via mlock/VirtualLock to prevent swapping.

• Memory is zeroed on destruction.

Interface Summary

template <class T>
class SecureBuffer : Moveable<SecureBuffer<T>>, NoCopy {
public:
	SecureBuffer()
	SecureBuffer(size_t size)
	SecureBuffer(std::initializer_list<T> init)
	SecureBuffer(SecureBuffer&& src)
	virtual ~SecureBuffer()

	SecureBuffer& operator=(SecureBuffer&& src)

	void        Alloc(size_t size)
	void		Clear();
	void        Zero()

	size_t      GetSize() const

	bool        IsEmpty() const

	operator T*()
	operator const T*() const
	T *operator~()
	const T *operator~() const
	T          *Get()
	const T    *Get() const
	T          *begin()
	const T    *begin() const

	T*          Begin()
	const T*    Begin() const

	T& operator[](size_t i)
	const T& operator[](size_t i) const
};

Highlights

• Implements move semantics with secure, automatic zeroing.

• Prevents copy semantics to avoid unsafe duplication.

• Memory locking is cross-platform (POSIX/Windows).

Platform-specific Zeroing + Locking

• Windows: Uses VirtualLock / VirtualUnlock.

• POSIX: Uses mlock / munlock.

---

Summary

This feature, if accepted, will add secure memory handling to U++ in a modular, reusable, and portable manner. It provides primitives necessary for applications requiring strong control over memory hygiene, such as password managers, secure communication tools, and cryptographic software.

Note: The SecureZero and SecureBuffer implementations, along with unit tests and examples, are ready. I believe they will be beneficial for U++, especially given the increasing security demands. If you agree, please let me know.

---

[ismail-yilmaz]

Following up on the previous discussion:

Implementation of SecureZero Function

The SecureZero template function provides a portable mechanism for securely clearing (zeroing) sensitive memory in a way that prevents the compiler from optimizing away the zeroing operation. This is critical for erasing secret or sensitive data such as cryptographic keys, passwords, or other confidential information from memory.

---

How It Works

• Type Constraints:
  SecureZero enforces that the type T must be both trivially copyable and trivially destructible via static_assert. This ensures the operation is safe and meaningful for raw memory zeroing without invoking complex destructors or custom copy semantics.

• Platform-Specific Backends:
  Depending on the target platform and available libraries, SecureZero selects the most appropriate secure zeroing method:

  1. Windows (PLATFORM_WIN32):
     Uses the native SecureZeroMemory API, which is guaranteed by Windows to never be optimized away.

  2. OpenSSL (Core/SSL package):
     Utilizes OpenSSL's OPENSSL_cleanse function, an industry-standard memory cleansing routine that is widely trusted in cryptographic contexts.

  3. POSIX with GCC/Clang and no OpenSSL:
     Defines a weak, noinline, and used ZeroMemoryImpl function that simply calls memset. Insipred by Ruby's implementation. The function pointer to ZeroMemoryImpl is marked volatile and invoked indirectly to prevent compiler optimizations that might elide the zeroing call.

  4. Fallback:
     If none of the above are available, a portable but less guaranteed "poor man's" fallback is used: zeroing the memory byte-by-byte through a volatile pointer and indirect function call to prevent optimization. A sequentially consistent memory fence (std::atomic_thread_fence) is issued to prevent instruction reordering.

---

Purpose of ZeroMemoryImpl

The weak symbol ZeroMemoryImpl serves as a fallback zeroing function on POSIX platforms when OpenSSL is not available. It:

• Is marked weak to allow an application or platform to override it with a more secure or optimized version if desired.
• Is marked noinline to prevent inlining, ensuring the call boundary remains, which is critical for the volatile pointer indirection technique to be effective.
• Is marked used to ensure the linker retains it even if it appears unused, preventing the compiler/linker from eliminating it.
• Simply calls memset(ptr, 0, nbytes) to perform the memory zeroing.

Because the SecureZero function calls ZeroMemoryImpl through a volatile function pointer, this prevents compilers like GCC and Clang from optimizing out the zeroing, which might otherwise happen if memset were called directly.

---

Code

#if defined(PLATFORM_POSIX) && !defined(OPENSSL_VERSION_NUMBER) && (defined(__GNUC__) || defined(__clang__))
	#define HAS_ZEROMEMORY_IMPL
	extern "C" __attribute__((weak, noinline, used)) void ZeroMemoryImpl(void* ptr, size_t nbytes) { memset(ptr, 0, nbytes); }
#else
	#undef HAS_ZEROMEMORY_IMPL
#endif

template <class T>
void SecureZero(T* ptr, size_t count)
{
    static_assert(std::is_trivially_copyable_v<T>
				&& std::is_trivially_destructible_v<T>,
					"Upp::SecureZero: T must be trivially copyable & destructible");

    if (!ptr || count == 0)
        return;

    const size_t nbytes = count * sizeof(T);

#if defined(PLATFORM_WIN32)
	// Windows native secure zeroing
    SecureZeroMemory(reinterpret_cast<LPVOID>(ptr), nbytes);

#elif defined(OPENSSL_VERSION_NUMBER)  && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
	// Try industry standard's tool (requires Core/SSL)
    OPENSSL_cleanse(reinterpret_cast<void*>(ptr), nbytes);

#elif (defined(__GNUC__) || defined(__clang__)) && defined(HAS_ZEROMEMORY_IMPL)
	// Weak pointers are NOT optimized out
    using ZeroFn = void(*)(void*, size_t);
    volatile ZeroFn fn = ZeroMemoryImpl;
    fn(reinterpret_cast<void*>(ptr), nbytes);
    std::atomic_thread_fence(std::memory_order_seq_cst);

#else
	// Portable "poor man's" fallback (not 100% guaranteed but very close - and slow)
    using Fn = void(*)(void*, size_t);
    volatile Fn fn = [](void* p, size_t l) {
        auto q = reinterpret_cast<volatile byte*>(p);
        while(l--)
			*q++ = 0;
    };
    fn(reinterpret_cast<void*>(ptr), nbytes);
    std::atomic_thread_fence(std::memory_order_seq_cst);
    
#endif
}

Summary

This design combines portability, industry-standard secure zeroing APIs where available, and a fallback mechanism to reduce the risk of sensitive data lingering in memory due to compiler optimizations.

[ismail-yilmaz]

After some due consideration, I decided to opt for OPENSSL_cleanse for a SecureZero impl. It is cross-platform, and reliable. Since these functions and classes are meant to be closely related with OpenSSL's crypto functions, requiring Core/SSL for such stuff would be more explicit and way to go.

template <class T>
void SecureZero(T* ptr, size_t count)
{
    static_assert(std::is_trivially_copyable_v<T>
				&& std::is_trivially_destructible_v<T>,
					"Upp::SecureZero: T must be trivially copyable & destructible");

    if(!ptr || count == 0)
        return;
    OPENSSL_cleanse(reinterpret_cast<void*>(ptr), count * sizeof(T));
}

Accordingly, a SecureBuffer impl. would look like this:

template <class T>
class SecureBuffer : Moveable<SecureBuffer<T>>, NoCopy {
	static_assert(std::is_trivially_copyable_v<T>
			   && std::is_trivially_destructible_v<T>,
				  "Upp::SecureBuffer: T must be trivially copyable & destructible");

public:
	SecureBuffer()                                       { size = 0; ptr = nullptr; }
	SecureBuffer(size_t size_)                           { New(size_); }
	SecureBuffer(SecureBuffer&& src)                     { size = src.size; ptr = src.ptr; src.ptr = nullptr; src.size = 0; }
	~SecureBuffer()                                      { Free(); }

	SecureBuffer& operator=(SecureBuffer&& src)          { Pick(pick(src));  return *this; }

	void        Alloc(size_t size)                       { Free(); New(size); }
	void		Clear()                                  { Free(); }
	void        Zero()                                   { SecureZero(ptr, size); };

	size_t      GetSize() const                          { return size; }

	bool        IsEmpty() const                          { return ptr == nullptr; }

	operator T*()					     { return ptr; }
	operator const T*() const		             { return ptr; }
	T *operator~()					     { return ptr; }
	const T *operator~() const			     { return ptr; }
	T          *Get()				     { return ptr; }
	const T    *Get() const				     { return ptr; }
	T          *begin()				     { return ptr; }
	const T    *begin() const			     { return ptr; }

	T*          Begin()                                  { return ptr;  }
	const T*    Begin() const                            { return ptr;  }

	T& operator[](size_t i)                              { ASSERT(i < size); return ptr[i]; }
	const T& operator[](size_t i) const                  { ASSERT(i < size); return ptr[i]; }


private:
	void New(size_t sz);
	void Free();
	void Pick(SecureBuffer&& src);
	void LockMemory();
	void UnlockMemory();

	T* ptr = nullptr;
	size_t size;
};

template<typename T>
void SecureBuffer<T>::New(size_t sz)
{
	size = 0;
	ptr  = nullptr;

	if(sz > 0) {
		size = sz;
		ptr = (T*) MemoryAlloc(size * sizeof(T));
		LockMemory();
	}
}

template<typename T>
void SecureBuffer<T>::Pick(SecureBuffer&& src)
{
	if(this != &src) {
		Free();
		ptr = src.ptr;
		size = src.size;
		src.ptr = nullptr;
		src.size = 0;
	}
}

template<typename T>
void SecureBuffer<T>::Free()
{
	if(ptr) {
        Zero();
        UnlockMemory();
        MemoryFree(ptr);
        ptr = nullptr;
        size = 0;
	}
}

template<typename T>
void SecureBuffer<T>::LockMemory()
{
	if(!ptr || !size)
		return;
#if defined(PLATFORM_WIN32)
	VirtualLock((LPVOID) ptr, size * sizeof(T));
#elif defined(PLATFORM_POSIX)
	mlock((void *) ptr, size * sizeof(T));
#else
	NEVER();
#endif
}

template<typename T>
void SecureBuffer<T>::UnlockMemory()
{
	if(!ptr || !size)
		return;
#if defined(PLATFORM_WIN32)
	VirtualUnlock((LPVOID) ptr, size * sizeof(T));
#elif defined(PLATFORM_POSIX)
	munlock((void *) ptr, size * sizeof(T));
#else
	NEVER();
#endif
}

Any thoughts?

[mirek-fidler]

Well, looks good...

[ismail-yilmaz]

Ok, then I'll clean-up the stuff and prepare a PR for SecureZero and SecureBuffer (+ docs, autotests).

[ismail-yilmaz]

Since this is merged (#272) I am closing the discussion.