Hey,
as pointed out in goals.txt of the project, one should think of the
point "Avoid keeping cleartext passwords in memory".
To prevent that some maleware scans the memory and our data, the
passwords (and maybe other content) could be saved encrypted in memory,
with a certain internal function that could be invoked, say,
get_decrypted_password().
The problem is: either we use a fix key, then we can prevent incidental
hits of memory scanning programs, or prevent that passwords appear in
clear text in swap files, but if someone wants to attack this specific
application, it doesn't help.
One could also encrypt the data with the master key, but then, we either
have to ask the user every time for that key if he or she wants display
a password (that could become annoying), or we buffer the master key,
which leads us back to the first problem.
The same problem applies if we decide to extract only "basic"
information from the encrypted file (like "url" and "username", but not
"password"), and make a file access every time the user actually wants
to copy or view a password. Then we still have to either prompt for the
master password every time, or buffer it in memory.
On the other hand, memory is large, and to scan for a password is like
looking for the needle in the haystack -- but to be honest, I have no
idea how it would work and how easy it is to write such software that
does such things, and there might be differences on different operating
systems as well...
But here I found some good hints:
http://www.cgisecurity.com/lib/protecting-sensitive-data.html
The most stuff applies to C code, but also makes sense in Python, and
for the main problem (that strings might stay in memory even after the
reference was given up) there is even a suggestion of how to deal with
that in Python (a bit cumbersome, though...)
The most important things in short:
* Avoid saving to plain ascii files, even temporarily (okay, everybody
knows that, but just to be complete)
* Make sure secure data is not swapped out to a page file or dumped to
a hybernation file (don't know if that is possible in python...)
* Do not use immutable strings for passwords, but character lists, in
order to keep secure data in memory only as long as necessary.
Some problem I see for the last point: if using a GUI with text widgets,
their set_text() methods will probably accept strings only, and even if
not, we never know if internally, they convert the given input to a
string.
Fortunately, it is possible to use the c-style version of clearing
memory in Python:
http://www.codexon.com/posts/clearing-passwords-in-memory-with-python
Hence, the last point is solved; the first one can always be avoided,
but for the second one, I do not know any such method in Python. If we
keep passwords in memory only for a short time, we can minimize the risk
that our data is dumped to files by the OS, but we have no guarantee
that something does not end up in a swap file.
So we should find a solution for this :)
Bernhard
|
