<div dir="ltr">Dear Gregory,<div><br></div><div>Have you tried FlowTracker?</div><div><br></div><div><a href="http://cuda.dcc.ufmg.br/flowtracker/">http://cuda.dcc.ufmg.br/flowtracker/</a></div><div><br></div><div>It does something very similar to what you describe at compiled-code level by using LLVM, and can be used offline as well.</div><div><br></div><div>Feedback is welcome!</div><div><br></div><div>Best,<br><div class="GmSign"><div dir="ltr">--<br>Diego de Freitas Aranha<br>Institute of Computing - University of Campinas<br><a href="http://www.ic.unicamp.br/~dfaranha" target="_blank">http://www.ic.unicamp.br/~dfaranha</a></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Oct 1, 2015 at 6:25 PM Gregory Maxwell <<a href="mailto:gmaxwell@gmail.com">gmaxwell@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Oct 1, 2015 at 5:48 PM, Trevor Perrin <<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>> wrote:<br>
> Great report by Steven Galbraith on last week's workshop (plus a panel<br>
> transcript!), and link to the slides. Lots of good reading:<br>
><br>
> <a href="https://ellipticnews.wordpress.com/2015/10/01/ecc-2015-bordeaux-france-september-28-30-2015/" rel="noreferrer" target="_blank">https://ellipticnews.wordpress.com/2015/10/01/ecc-2015-bordeaux-france-september-28-30-2015/</a><br>
<br>
<br>
"Peter Schwabe gave a stimulating talk about the problem of using<br>
automated tools to prove the correctness and security of crypto<br>
software. He demonstrated how the valgrind profiling tool can be used<br>
on real crypto code, but emphasised that such tools create a massive<br>
overhead for software developers."<br>
<br>
I'm interested in this-- in libsecp256k1 in the past we've used<br>
valgrind by setting secret data to 'uninitialized' with the memcheck<br>
macros and then valgrind whines about conditional branches on the<br>
secret data. This is far from complete, but not bad automated backstop<br>
on boneheaded mistakes. I'm wondering if it was just something like<br>
this, or something somewhat more advanced?<br>
<br>
In theory valgrind could be instrumented to catch any leak-prone<br>
operations on secret data this way... but creating a new valgrind<br>
checker is a somewhat daunting prospect.<br>
_______________________________________________<br>
Curves mailing list<br>
<a href="mailto:Curves@moderncrypto.org" target="_blank">Curves@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/curves" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/curves</a><br>
</blockquote></div>