[Python-ideas] Secure string disposal (maybe other inmutable seq types too?)

Steve Barnes gadgetsteve at live.co.uk
Sat Jun 23 03:31:19 EDT 2018

On 23/06/2018 06:21, Nathaniel Smith wrote:
> On Fri, Jun 22, 2018 at 6:45 PM, Steven D'Aprano <steve at pearwood.info> wrote:
>> On Sat, Jun 23, 2018 at 01:33:59PM +1200, Greg Ewing wrote:
>>> Chris Angelico wrote:
>>>> Downside:
>>>> You can't say "I'm done with this string, destroy it immediately".
>>> Also it would be hard to be sure there wasn't another
>>> copy of the data somewhere from a time before you
>>> got around to marking the string as sensitive, e.g.
>>> in a file buffer.
>> Don't let the perfect be the enemy of the good.
> That's true, but for security features it's important to have a proper
> analysis of the threat and when the mitigation will and won't work;
> otherwise, you don't know whether it's even "good", and you don't know
> how to educate people on what they need to do to make effective use of
> it (or where it's not worth bothering).
> Another issue: I believe it'd be impossible for this proposal to work
> correctly on implementations with a compacting GC (e.g., PyPy),
> because with a compacting GC strings might get copied around in memory
> during their lifetime. And crucially, this might have already happened
> before the interpreter was told that a particular string object
> contained sensitive data. I'm guessing this is part of why Java and C#
> use a separate type.
> There's a lot of prior art on this in other languages/environments,
> and a lot of experts who've thought hard about it. Python-{ideas,dev}
> doesn't have a lot of security experts, so I'd very much want to see
> some review of that work before we go running off designing something
> ad hoc.
> The PyCA cryptography library has some discussion in their docs:
> https://cryptography.io/en/latest/limitations/
> One possible way to move the discussion forward would be to ask the
> pyca devs what kind of API they'd like to see in the interpreter, if
> any.
> -n
All good points - I would think that for this to be effective the 
string, or secure string, would need to be marked at create time and all 
operations on it would have to honour the wipe before free flag and 
include it forward in any copies made.

This needs to be implemented at a very low level so that, e.g.: adding 
to a string, (which makes a copy if the string is growing beyond the 
current allocation), will have to check for the flag add it to the new 
string, copy the expanded contents and then wipe the old before freeing 
it - any normal string which is being added to a secure string should 
probably get the flag added automatically as well. Of course adding or 
assigning a secure string to a normal string should automatically make 
the target string secure as well.

This sounds like a lot of overhead to be adding to every string 
operation secure or not.

That being the case it probably makes a lot of sense to use a separate 
base class - while this will result in a certain amount of bloat in 
software that makes use of it it will avoid the overhead of checking the 
flag on the vast majority of software which does not use it.

I do know that I have heard in the past of security breaches in both C & 
Pascal strings where the problem was tracked down to the "delete" 
mechanism being just setting the first byte to 0x00, (which in both 
cases would result in the length of the string being 0 but the contents 
being untouched in Pascal strings and only the first character being 
lost in C.
Steve (Gadget) Barnes
Any opinions in this message are my personal opinions and do not reflect 
those of my employer.

This email has been checked for viruses by AVG.

More information about the Python-ideas mailing list