[Python-ideas] Secure string disposal (maybe other inmutable seq types too?)

Paul Moore p.f.moore at gmail.com
Sat Jun 23 07:13:32 EDT 2018

On 23 June 2018 at 01:31, Ezequiel Brizuela [aka EHB or qlixed]
<qlixed at gmail.com> wrote:
> As all the string in python are immutable, is impossible to overwrite the
> value or to make a "secure disposal" (overwrite-then-free) of a string using
> something like:
>   I propose to make the required changes on the string objects to add an
> option to overwrite the underlying buffer. To do so:

Is there any reason this could not be implemented as a 3rd party class
(implemented in C, of course) which subclasses str?

So you'd do

from safestring import SafeStr

a = SafeStr("my secret data")
... work with a as if it were a string
del a

When the refcount of a goes to zero, before releasing the memory, the
custom class wipes that memory.

There are obvious questions around

theres_a_copy_here = "prefix " + a + " suffix"

which will copy the secure data, but those issues will be just as much
of a problem with a change to the builtin string, unless you propose
some mechanism for propagating "secureness" from one value to another.
And then you get questions like, is a[0] still "secret"? What about

Having a mechanism for handling this seems like a good idea, but my
feeling is that even with a mechanism, handling secure data needs care
and specialised knowledge from the programmer, and supporting that is
better done with a dedicated class rather than having the language
runtime try to solve the problem automatically (which runs the risk
that a naive programmer expects the language to do the job, and then
*doesn't* think about the risks).



More information about the Python-ideas mailing list