data leakage – Compiler-induced information leaks/side-channels in cryptography implementations

In Cryptography Engineering, Ferguson, Schneier and Kohno put a big emphasis on the quality of code in order to prevent it from leaking information and from being vulnerable to memory corruption exploits.

Re-implementing cryptography, especially when open source libraries are already available, widely used and scrutinized, is usually said to be a recipe for disaster, but sometimes serious vulnerabilities are found in those too. As a result, some projects aim to simplify them and clean out bad and unused code to reduce the attack surface. Also, thanks to its aim of making it hard for programmers to write vulnerable code, rewriting some algorithms or protocols in Rust could also seem like a good idea.

However, even if top programmers with an ideal cryptography background manage to write perfect code, compilers in their default state still have a slight tendency to take instructions as suggestions rather than orders in the name of optimization and security.


Now, my doubts are the following:

  • What kinds of information leaks and side-channels could be caused by compilers alone?
  • What specific compiler features cause them and must be switched off to prevent them?

And, most importantly:

  • How can one check the resulting binaries accurately to make sure those side-channels and leaks are not present?
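As an added illustration of the "instructions as suggestions" problem raised in the question (this is example code written for this page, not code from the question or from the book it cites), the C below shows two classic compiler-induced leaks and their defensive counterparts: a dead-store wipe of a secret that an optimizer is allowed to delete, versus a wipe through a `volatile` function pointer it cannot prove away; and an early-exit comparison whose running time depends on the first mismatching byte, versus a constant-time accumulate-and-compare. The names `wipe_naive`, `wipe_secure`, `ct_equal`, `early_exit_equal` and the sample tag bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive wipe: after the caller's last read of buf, this memset is a dead store,
   so an optimizing compiler (typically at -O2 and above) may remove it entirely
   and the secret can linger in memory. Kept here as the "before" case. */
static void wipe_naive(unsigned char *buf, size_t len) {
    memset(buf, 0, len);
}

/* Secure wipe: the call goes through a volatile function pointer, so the
   compiler cannot assume it knows the callee's semantics and must emit the call.
   This is the same idea used by explicit_bzero fallbacks and OPENSSL_cleanse. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
static void wipe_secure(unsigned char *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

/* Early-exit compare (memcmp-style): returns at the first differing byte, so
   timing reveals how many leading bytes of a guess matched a secret tag. */
static int early_exit_equal(const unsigned char *a, const unsigned char *b, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time compare: XORs every byte pair and ORs the results together.
   The loop always runs to completion and contains no data-dependent branch. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= (unsigned char)(a[i] ^ b[i]);
    }
    /* Collapse acc to 0 or 1 without a branch on its value. */
    return (int)(1 & ((acc - 1) >> 7));
}

/* Returns the number of non-zero bytes left in a local secret buffer after
   the chosen wipe. Reading the buffer afterwards keeps the store live, which
   is exactly why a test cannot observe the naive case being elided; see note. */
static size_t nonzero_after_wipe(int use_secure) {
    unsigned char secret[32];
    memset(secret, 0xA5, sizeof secret);         /* constructed sample secret */
    if (use_secure) wipe_secure(secret, sizeof secret);
    else            wipe_naive(secret, sizeof secret);
    size_t leftover = 0;
    for (size_t i = 0; i < sizeof secret; i++) leftover += (secret[i] != 0);
    return leftover;
}

int main(void) {
    /* Constructed 16-byte tags: identical, and differing only in the last byte. */
    const unsigned char tag_a[16] = "0123456789abcde";
    const unsigned char tag_b[16] = "0123456789abcdX";
    printf("ct_equal same   : %d\n", ct_equal(tag_a, tag_a, 16));
    printf("ct_equal differ : %d\n", ct_equal(tag_a, tag_b, 16));
    printf("early_exit same : %d\n", early_exit_equal(tag_a, tag_a, 16));
    printf("leftover secure : %zu\n", nonzero_after_wipe(1));
    return 0;
}
```

A behavioural test cannot tell the two wipes apart, because any read of the buffer after the wipe makes the store live again; the check the question asks for has to be done on the binary. Compiling this file with `-O2` and running `objdump -d` on it, then looking at the code emitted for `wipe_naive` versus `wipe_secure`, shows whether the `memset` call (or its inlined stores) survived. For the comparison functions, the same disassembly shows whether the constant-time loop still has a single exit path, and tools that measure timing variance across inputs (for example dudect-style statistical tests) catch what inspection misses.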