Tentative Definition of the Secret Attribute in GCC

A critical challenge in C as a general-purpose language is the absence of the notion of secret data in its abstract machine. This results in information disclosure be poorly detected by compilers that lack the required semantics to model any vulnerability related to secrets leakage. Numerous dedicated tools have exists to overcome this limitation; each of which comes with its own annotation rules, tainting model, and more importantly, its own narrow scope for a specific disclosure vulnerability. Such discrepancy has created confusion for the concerned developers that are mostly unwilling to support multiple external tools, especially when they address one problem at a time. In this talk, we introduce the required C constructions to bring secrets to the GCC compiler through its system of attributes. The resulted framework, that we call GnuSecret, does not only define consistent notations and semantics to designate secrets directly in the Gnu-C language, but also propagates them throughout the program code by leveraging the symbolic execution engine embedded into the GCC Static Analyzer (GSA). Of particular interest, GnuSecret is not bound to a specific vulnerability, as its modular design allows it to virtually model any vulnerability related to the MITRE's CWE-200 and its children.