Wiping out value of a variable from physical memory in PHP

Question

The general question is: Is it possible to remove value of the String variable from physical memory after that variable being unset in PHP?

The problem arised from certain requirements of security standards (there should be no way to dump data from memory to disk while processing certain vital data). According to "Is memory encrypted?" topic there is no good way to encrypt data in-memory.

So, when unsetting String variable in PHP you cannot say for sure that data in memory was overwritten. Same story about setting new value to variable.

Thus I'm interested if it is possible to wipe out variable value from memory without changing core code of unset method?

Answer 1

First of all, I'm not sure that wiping out the string will meet the security requirement you described, as one could still theoretically dump memory before the string is wiped anyway. But that's impossible to meet anyway, as you can't process data without having it in memory.

Anyway, if you want to ensure the string is wiped, I think the only way to do so in PHP is to loop through the string and modify each character: remember, the contents of memory do not go away until overwritten, even if you have no references to the variable and PHP GC has run.

I believe this will work:

for( $i=0; $i < strlen($str); $i++ )
    $str[$i] = 'x';

Answer 2

tl;dr: After testing thoroughly many combinations, it seems that the for loop overwriting each character clears/changes the string contents in memory. Just be careful where the initial contents come from, it might still be present in those variables! See the update bellow.

Did some tests with PHP 5.6:

<?php
     $cc = 'AAAABBBBCCCCDDDD';
     #v1:  unset($cc);
     #v2:  $cc=null;
     #v3:  for( $i=0; $i < strlen($cc); $i++ ) $cc[$i] = 'x';
     sleep(500); // enough time for taking script pid and run the memory dump
?>

Tried each version of the above script (#v1 enabled, #v2 enabled, #v3 enabled); Dump the memory of the process (see https://serverfault.com/a/408929/374467) and the 'AAAABBBBCCCCDDDD' string always shows up in the binary files generated (which contain the process memory). Also tested when $cc value is sent as a command line argument ($argv). Same result.

To date, I found NO reliable way to do this in PHP.

UPDATE

As suggested in the comments, using a string literal to initialize the variable might affect the results, as the literal might be held in memory. Thus I changed the script so that it takes an argument from cli and initializes the variable by applying str_rot13() on it, making sure the contents of the variable are new. I also added gc_collect_cycles() to force the garbage collection. So the test script looks like this:

<?php
     $cc = str_rot13($argv[1]);
     #v1:  unset($cc);
     #v2:  $cc=null;
     #v3:  for( $i=0; $i < strlen($cc); $i++ ) $cc[$i] = 'x';
     gc_collect_cycles();
     sleep(120); // enough time for taking script pid and run the memory dump
     echo "done \n";
?>

It seems that the first two methods (unset/null) won't clear the new value of $cc from memory (even with gc_collect_cycles on) BUT the for loop actually changes it! even if gc_collect_cycles is used or not.

Tested with PHP 7.2.20 (cli).

CAUTION You can still find the initial value of the argument ($argv) in memory!

Answer 3

So as far as I understood the problem is not in using unset() or PHP's garbage collector, but making sure that used memory is actually on physical level cleared?

Simple way - just set it to null before unsetting (or any other value for that matter) See What's better at freeing memory with PHP: unset() or $var = null

The hard and supid way would be to allocate all php memory with garbage, to make sure that its overwritten, but I'm not sure if virtual memory is fixed on predefined diapason, or changes based on process needs.