[Python-ideas] Secure string disposal (maybe other immutable seq types too?)

Paul Moore p.f.moore at gmail.com
Sat Jun 23 07:13:32 EDT 2018


On 23 June 2018 at 01:31, Ezequiel Brizuela [aka EHB or qlixed]
<qlixed at gmail.com> wrote:
> As all the strings in Python are immutable, it is impossible to overwrite the
> value or to make a "secure disposal" (overwrite-then-free) of a string using
> something like:
[...]
>   I propose to make the required changes on the string objects to add an
> option to overwrite the underlying buffer. To do so:

Is there any reason this could not be implemented as a 3rd party class
(implemented in C, of course) which subclasses str?

So you'd do

from safestring import SafeStr

a = SafeStr("my secret data")
... work with a as if it were a string
del a

When the refcount of a goes to zero, before releasing the memory, the
custom class wipes that memory.

There are obvious questions around

theres_a_copy_here = "prefix " + a + " suffix"

which will copy the secure data, but those issues will be just as much
of a problem with a change to the builtin string, unless you propose
some mechanism for propagating "secureness" from one value to another.
And then you get questions like, is a[0] still "secret"? What about
sha256(a)?

Having a mechanism for handling this seems like a good idea, but my
feeling is that even with a mechanism, handling secure data needs care
and specialised knowledge from the programmer, and supporting that is
better done with a dedicated class rather than having the language
runtime try to solve the problem automatically (which runs the risk
that a naive programmer expects the language to do the job, and then
*doesn't* think about the risks).

Paul
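The class sketched above, worked through as an added example (not code from Paul or from the proposal): since a str buffer cannot be overwritten from Python, the secret is held in a bytearray that is zeroed in place on wipe, on context exit, or when collected, and the concatenation case shows the copy that a wipe cannot reach. The names SecretBuffer, digest_without_copy and concat_leaks_copy are assumptions.

```python
import hashlib


class SecretBuffer:
    """Mutable stand-in for the SafeStr idea (assumed name): the secret
    lives in a bytearray that is overwritten in place when wiped."""

    def __init__(self, data: bytes) -> None:
        self._buf = bytearray(data)
        self.wiped = False

    def __len__(self) -> int:
        return len(self._buf)

    def view(self) -> memoryview:
        # A memoryview aliases the buffer, so consumers such as hashlib
        # read the secret without a second copy being allocated.
        return memoryview(self._buf)

    def wipe(self) -> None:
        # Same-length slice assignment overwrites the existing allocation
        # instead of creating a new object (no resize, so no BufferError).
        self._buf[:] = bytes(len(self._buf))
        self.wiped = True

    def __enter__(self) -> "SecretBuffer":
        return self

    def __exit__(self, *exc) -> bool:
        self.wipe()
        return False

    def __del__(self) -> None:
        # Mirrors "when the refcount goes to zero ... wipe that memory".
        if not self.wiped:
            self.wipe()


def digest_without_copy(secret: SecretBuffer) -> str:
    # Hashing through the view answers the sha256(a) question: the digest
    # is derived data, and no plaintext copy is left behind.
    with secret.view() as mv:
        return hashlib.sha256(mv).hexdigest()


def concat_leaks_copy(secret: SecretBuffer) -> tuple:
    """The 'prefix + a + suffix' case: concatenation builds a new immutable
    bytes object, and wiping the original does not touch that copy."""
    with secret.view() as mv:
        combined = b"prefix " + bytes(mv) + b" suffix"  # independent copy
    secret.wipe()
    return combined, bytes(secret.view())  # (leaked copy, zeroed original)
```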
