![]() | Secure Quick Reliable Login | |
A highly secure, comprehensive, easy-to-use replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else. |
![]() |
(During a security audit the OpenSSL compiler was found to be silently removing the programmers' deliberate zeroing of security-sensitive buffers containing crypto keys. After being zeroed the buffers were released to the system and the compiler saw that their zeroed values were never being used before release . . . so it “optimized out” the “unnecessary” code.)
Despite some solid reasoning, that's not why I wrote SQRL in assembly language. SQRL is written in assembly language because, for the sort of code I generally write, it's the language I prefer. I began programming in assembly language in 1970 ‑ 44 years before I wrote SQRL. Through the intervening decades I've written a great deal of code in many languages, but I keep coming back to assembly (at least for CISC architectures).
The idea of “assembly language” often puts people off because assembly language is so often written so as to be virtually incomprehensible. However, as the sample routine above, and all of my published SQRL code demonstrates, that's not the way I code in any language.
I am publishing all of the interesting parts of SQRL's code, not because I expect anyone to re-assemble it, as is, into another working application, but because a project's implementation code is always the final arbiter and the ultimate specification of the way a system functions. If I were to somewhat carelessly write a description of something looping, I might leave some ambiguity about whether the loop's bounds include or exclude its endpoints. But the code will know.
Over the decades my code has become highly personalized and idiomatic. For example, the sample above shows a line whose operation is “halve edx” and another as “zero eax”. But “halve” and “zero” are not Intel operation codes, nor mnemonics for opcodes. Rather, “halve” and “zero” are macros for shift right one bit, and xor a register with itself, respectively. I use “halve” and “zero” because those pseudo-operations exactly convey the meaning of the underlying code. They describe what I want to accomplish with the code and significantly increase its overall legibility and maintainability. While this is great for using code to communicate intention, the downside is that my code cannot be easily re-assembled as it is. My own large and complex set of include files and code libraries have evolved over the years in what has always been a closed-source environment.
So it is not my intention to publish an entire open-source build-your-own SQRL kit as a means of proving that GRC's executable code does not differ from its published source. If you do not trust that I have created the most secure solution possible then you would be well advised to use an open-source solution created by someone whom you do trust. My intention and reason for publishing as much of SQRL's code as would be useful to other developers, is specifically to aid others who are operating in an open source mode to create wholly compatible and smoothly interacting solutions. Reading and studying the code I publish, which comes directly from inside SQRL, will help any other developer to understand the solutions I designed and implemented for SQRL.
With all that said, it is my intention to publish the source code for virtually everything that would be of interest to anyone interested in creating a SQRL client or server implementation.
![]() | Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |
Last Edit: Aug 02, 2015 at 14:17 (2,524.06 days ago) | Viewed 2 times per day |