Erasing passwords from ram?

Cym13 cpicard at openmailbox.org
Wed May 1 22:14:52 UTC 2019 

On Tuesday, 30 April 2019 at 08:15:15 UTC, Dukc wrote:
> I am currently programming a server. So I got the idea that 
> after I've generated all the hashes I need from a password, I 
> want to erase it from RAM before discarding it, just to be sure 
> it won't float around if the server memory is exposed to 
> spyware by some buffer overflow. Is this wise caution, or just 
> being too paranoid?
>
> And if it is worthwhile, do I have to do this:
> ```
> foreach(ref part; cast(ubyte[]) rootPassword) 
> volatileStore(&part, 0);
> ```
>
> Or, can I rely on that the compiler won't optimize this out?
> ```
> rootPassword[] = '\0'
> ```
>
> `rootPassword` is allocated on the heap, but only locally 
> referred to.

There are very few relevant threat models where removing a 
password from RAM is an adequate solution, I'm not sure it's 
worth the trouble.

For comparison one case where it's considered important is 
removing the master password from a password manager from RAM to 
prevent another person finding the computer unlocked to recover 
it by memory inspection (which it would have the rigth to do 
since the process would be from the same user).
That's quite specific and a server isn't nearly as exposed.

That said, if you want to remove it, make sure to audit all 
functions that use it from the moment it enters memory to check 
that they don't make a copy for some reason (or use a type that 
doesn't allow copies). It's no use removing it at one place if 
it's still at another. In particular a pattern I see often is 
that you have a function that reads the password from a 
file/stdin/whatever onto the stack and sets on the heap the 
object you'll use throughout the program then returns. You will 
think of checking the use of that object, but may forget to clear 
the setter's buffer before returning leaving it in a stack's 
frame. You should also make sure that your compiler isn't 
recognizing that this part of memory isn't used later and 
optimizing away the overwrite call.

This is lots of work for a vulnerability that should not be there 
and may not lead to memory disclosure even if it is present. I'd 
rather focus on mitigating that threat by keeping boundchecking 
on, writing @safe code etc.

More information about the Digitalmars-d-learn mailing list