views:

250

answers:

3

Hi,

I need to store a user's password for a short period of time in memory. How can I do so yet not have such information accidentally disclosed in coredumps or tracebacks? Is there a way to mark a value as "sensitive", so it's not saved anywhere by a debugger?

+2  A: 

No way to "mark as sensitive", but you could encrypt the data in memory and decrypt it again when you need to use it -- not a perfect solution but the best I can think of.

Alex Martelli
+2  A: 
  • XOR with a one-time pad stored separately
  • always store salted hash rather than password itself

or, if you're very paranoid about dumps, store unique random key in some other place, e.g. i a different thread, in a registry, on your server, etc.

ilya n.
+8  A: 

Edit

I have made a solution that uses ctypes (which in turn uses C) to zero memory.

import sys
import ctypes

def zerome(string):
    location = id(string) + 20
    size     = sys.getsizeof(string) - 20

    memset =  ctypes.cdll.msvcrt.memset
    # For Linux, use the following. Change the 6 to whatever it is on your computer.
    # memset =  ctypes.CDLL("libc.so.6").memset

    print "Clearing 0x%08x size %i bytes" % (location, size)

    memset(location, 0, size)

I make no guarantees of the safety of this code. It is tested to work on x86 and CPython 2.6.2. A longer writeup is here.

Decrypting and encrypting in Python will not work. Strings and Integers are interned and persistent, which means you are leaving a mess of password information all over the place.

Hashing is the standard answer, though of course the plaintext eventually needs to be processed somewhere.

The correct solution is to do the sensitive processes as a C module.

But if your memory is constantly being compromised, I would rethink your security setup.

Unknown
This is right. If you /ever/ read the password into a Python object, there is the potential for it being compromised by a dump. Even using C isn't perfect (you can still freeze the program and use a kernel-level debugger), but it should be good enough.
Matthew Flaschen