[Pythonsafe-devel] Some notes about keeping passwords in memory
Status: Inactive
Brought to you by:
richbeales
Menu
▾
▴
[Pythonsafe-devel] Some notes about keeping passwords in memory
|
From: Bernhard S. <ber...@us...> - 2009-12-02 00:51:51
|
Hey, as pointed out in goals.txt of the project, one should think of the point "Avoid keeping cleartext passwords in memory". To prevent that some maleware scans the memory and our data, the passwords (and maybe other content) could be saved encrypted in memory, with a certain internal function that could be invoked, say, get_decrypted_password(). The problem is: either we use a fix key, then we can prevent incidental hits of memory scanning programs, or prevent that passwords appear in clear text in swap files, but if someone wants to attack this specific application, it doesn't help. One could also encrypt the data with the master key, but then, we either have to ask the user every time for that key if he or she wants display a password (that could become annoying), or we buffer the master key, which leads us back to the first problem. The same problem applies if we decide to extract only "basic" information from the encrypted file (like "url" and "username", but not "password"), and make a file access every time the user actually wants to copy or view a password. Then we still have to either prompt for the master password every time, or buffer it in memory. On the other hand, memory is large, and to scan for a password is like looking for the needle in the haystack -- but to be honest, I have no idea how it would work and how easy it is to write such software that does such things, and there might be differences on different operating systems as well... But here I found some good hints: http://www.cgisecurity.com/lib/protecting-sensitive-data.html The most stuff applies to C code, but also makes sense in Python, and for the main problem (that strings might stay in memory even after the reference was given up) there is even a suggestion of how to deal with that in Python (a bit cumbersome, though...) The most important things in short: * Avoid saving to plain ascii files, even temporarily (okay, everybody knows that, but just to be complete) * Make sure secure data is not swapped out to a page file or dumped to a hybernation file (don't know if that is possible in python...) * Do not use immutable strings for passwords, but character lists, in order to keep secure data in memory only as long as necessary. Some problem I see for the last point: if using a GUI with text widgets, their set_text() methods will probably accept strings only, and even if not, we never know if internally, they convert the given input to a string. Fortunately, it is possible to use the c-style version of clearing memory in Python: http://www.codexon.com/posts/clearing-passwords-in-memory-with-python Hence, the last point is solved; the first one can always be avoided, but for the second one, I do not know any such method in Python. If we keep passwords in memory only for a short time, we can minimize the risk that our data is dumped to files by the OS, but we have no guarantee that something does not end up in a swap file. So we should find a solution for this :) Bernhard |
