Say I store a password in plain text in a variable called passWd as a string. How does Python release this variable once I discard it (for instance, with `del passWd` or `passWd = 'new random data'`)?

Is the string stored as a byte array, meaning it can be overwritten in the memory place where it originally existed, or is it a fixed set in a memory area which can't be modified, and therefore when assigning a new value a new memory area is created and the old area is discarded but not overwritten by null?

I'm questioning how Python implements the safety of memory areas and would like to know more about it, mainly because I'm curious :)

From what I've gathered so far, using del (or __del__) causes the interpreter to not release memory areas of that variable automatically, which can cause issues, and also I'm not sure that del is so thorough on deleting the values. But that's just from what I've gathered and not something in black or white :)

The main reason for me asking is that I'm intending to write a hand-over application that gets a string, does some I/O, and passes it along to another subsystem (a bootloader for Raspberry Pi, for instance), and the interface is written in Python (how odd that must sound in some people's ears..). I'm not worried that the data is compromised during the I/O calculations, but that a memory dump might be occurring in between the two subsystem handovers. Or if the system is frozen (say a hibernation) say 20 min after the system is booted and I removed the variable as fast as I could, but somehow it's still in the memory despite me doing a `del passWd` :)

(P.S. I've asked on Superuser, they referred me here, and I'm sorry for poor grammar!)

Torxed
  • See http://docs.python.org/2/c-api/memory.html – Martijn Pieters Apr 09 '13 at 14:43
  • I've read all that and if I'm not too unfamiliar with C it just assigns a memory area via malloc, does some stuff with it and releases it.. it doesn't really re-write what's left in that memory area after `free()` is called? – Torxed Apr 09 '13 at 14:44
  • It's just freed. The memory *may* be used by something else but there is no guarantee that it will. – Martijn Pieters Apr 09 '13 at 14:45
  • Ok, that's bad from a security standpoint, seeing how a string is not immutable, making it easy to do in-place replacement of the data. I could just do `passWd = '...'` but I'm not sure that it actually replaces the whole memory allocation even if I check the length of the variable first.. – Torxed Apr 09 '13 at 14:56
  • Strings are immutable, you cannot alter them. You can *replace* their reference, but they are **not** mutable. – Martijn Pieters Apr 09 '13 at 14:57
  • Your understanding of how Python works is fundamentally flawed (it would be decent for C or C++, but unfortunately Python's data model is nothing like the data model of those). I'm not just talking about implementation details, it clashes with language semantics. See [Drastically Improve Your Python: Understanding Python's Execution Model](http://www.jeffknupp.com/blog/2013/02/14/drastically-improve-your-python-understanding-pythons-execution-model/) for a primer. – Apr 09 '13 at 15:00
  • Note that if your attacker has already cracked open the Python process to the point that they can manipulate variables, then **all bets are off**. Python's dynamic nature makes it *trivial* to replace code, let alone values. There is **no point** in worrying about the immutability of a Python string by that point. – Martijn Pieters Apr 09 '13 at 15:03
  • @MartijnPieters So overwriting the password is not an option since it won't do much good then.. Assuming that they don't crack the Python process (because this is more of a hand-over issue between two subsystems (say a bootloader for Raspberry Pi and the OS)), I'm more interested in how the memory is treated and not the fact that I'm worried, because I already am :) But I get your point. – Torxed Apr 09 '13 at 15:23
  • @delnan Thank you, that's a great link! Cheers. – Torxed Apr 09 '13 at 15:26
  • There is not a Python equivalent of .NET's `SecureString`. See http://stackoverflow.com/questions/728164/. It's generally of pretty marginal importance for security, though, at the best of times. – bobince Apr 10 '13 at 16:52

2 Answers

Unless you use custom coded input methods to get the password, it will be in many more places than just your immutable string. So don't worry too much.

The OS should take care that any data from your process is cleared before the memory is allocated to another process. This may of course fail if the page is copied to disk (swapped out or hibernated).

Secure password entry is not easy. Maybe you can find a special library or module that handles this.

Ber
  • I'm thinking about a C implementation to handle the specific string that I need to work with, so I might end up there because the evidence speaks for itself that Python is great and I'm lazy, but it's not secure enough in that sense (and it wasn't designed to be either, which I knew). How about `getpass`, is that just a facade for the user's comfort zone, that it replaces the password with `****` but actually it's just a `raw_input` with makeup? And furthermore, if not, does it replace the data area after you've done a read from it automatically? – Torxed Apr 09 '13 at 15:28

I finally went with two solutions. ld_preload to replace the functionality of the string handling of Python on a lower level. One other option, which is a bit easier, was to develop my own C library that has more functionality than what Python offers through the standard string handling.

Mainly the C code has a shread() function that writes over the memory area where the string "was" stored and some other error checks.

However, @Ber gave me a good enough answer to start developing my own solution since (as he pointed out) there is no secure method in Python, and Python stores strings in way too many places and relies on the OS (which, on its own, isn't a bad thing except when you don't trust the OS you are installing your relatively secure application on).

Torxed
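
The behaviour discussed in the comments and answers above (a `str` can only be rebound, while a mutable buffer can be overwritten where it lives), as an added example that is not part of the original thread. It assumes CPython, the password value is constructed, and the function names are hypothetical.

```python
import ctypes

SAMPLE = b"constructed-sample-pw"  # constructed sample secret, not real data


def buffer_address(buf: bytearray) -> int:
    """Address of the bytearray's backing storage (valid while buf is alive
    and not resized; CPython-specific assumption)."""
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))


def wipe(buf: bytearray) -> None:
    """Zero the buffer in place; no new object replaces the old one."""
    ctypes.memset(buffer_address(buf), 0, len(buf))


def str_rebind_leaves_original() -> bool:
    """Rebinding a name does not touch the original str object."""
    pw = SAMPLE.decode()
    alias = pw                      # second reference to the same object
    try:
        pw[0] = "x"                 # str offers no in-place write
        immutable = False
    except TypeError:
        immutable = True
    pw = "x" * len(alias)           # creates a NEW object; old bytes untouched
    return immutable and alias == SAMPLE.decode()


def bytearray_wipe_demo():
    """Read the backing memory before and after wipe(), plus a stray copy."""
    secret = bytearray(SAMPLE)
    addr, n = buffer_address(secret), len(secret)
    leaked_copy = bytes(secret)     # any copy is out of wipe()'s reach
    before = ctypes.string_at(addr, n)
    wipe(secret)
    after = ctypes.string_at(addr, n)
    return before, after, leaked_copy


if __name__ == "__main__":
    print("str rebind leaves original intact:", str_rebind_leaves_original())
    before, after, leaked = bytearray_wipe_demo()
    print("before wipe:", before)
    print("after wipe: ", after)
    print("stray copy: ", leaked)
```

The `leaked_copy` result is the case the first answer describes: any `bytes` or `str` copy made along the way is untouched by the wipe.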