1

Here is my situation: the users of my application are asked to enter their password to start it. To get the password I simply use:

```cpp
char c;
std::string password;
while ...  // until the end of entry
{
    c = fgetc(stdin);
    password += c;
}
```

Once the password is checked I destroy the variable so it can't be retrieved using a core image of my program. For instance, if someone uses the "gcore" command and then searches for the password in the generated core, they will not find it.

But in my case, I can still retrieve the password value because it seems that it is still in stdin buffer.

So my question is: how can I clear the stdin buffer in order to make the values typed by the user no longer available in memory?

For information I already tried: fflush, __fpurge, fwrite (from the beginning position of stdin stream)... and nothing seems to work.

Thank you in advance.

Jiminion
Ant
  • Don't try `fflush(stdin)`; it would probably be undefined behaviour. First, use `int c`, not `char`. – Grijesh Chauhan Jul 30 '13 at 18:24
  • Is complete password present in `stdin` **?** I think no. – Grijesh Chauhan Jul 30 '13 at 18:26
  • 2
    The short answer is that enough of this is outside your control that you probably can't guarantee it, at least in portable code. To even get close, you'll probably have to specify (at least) the compiler, library and OS you care about. – Jerry Coffin Jul 30 '13 at 18:26
  • If this matters to you, you probably shouldn't be storing the password in a `std::string` (where you don't have direct control over whether its internal buffer is copied or whether its memory is zeroed before it's freed). – jamesdlin Jul 30 '13 at 18:29
  • Honestly if you don't trust your address space to be safe you're boned no matter what. Because even if you clear the buffers it might still be in a kernel buffer. – Spudd86 Jul 30 '13 at 20:11

4 Answers

3

My answer is: don't use standard I/O streams - use raw file I/O instead:

```cpp
read(STDIN_FILENO, ...)
```

You'll have to do your own line buffering but you can guarantee that nothing in the libraries is keeping a buffer of your input.

DoxyLover
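The raw-I/O approach from the answer above, as an added example (not code from the question or the answer): the line is read with `read(2)` one byte at a time into a caller-owned buffer, so no stdio or iostream buffer ever holds it, and the buffer is overwritten afterwards. The names `read_secret` and `wipe_secret` and the 128-byte buffer are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>

/* Overwrite through a volatile pointer so the compiler cannot
 * discard the stores as dead writes. */
void wipe_secret(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Read one line from fd into buf (capacity cap, NUL included), one byte
 * per read(2) call: nothing past the newline is consumed and no library
 * buffer sees the data. Returns the length without the newline, or -1 on
 * error, EOF before any byte, or overlong input (buf is wiped then).
 * Hypothetical helper written for this example. */
ssize_t read_secret(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    while (cap > 0) {
        char ch;
        ssize_t r = read(fd, &ch, 1);
        if (r < 0 && errno == EINTR)
            continue;                   /* interrupted by a signal: retry */
        if (r < 0 || (r == 0 && n == 0))
            break;                      /* I/O error or empty input */
        if (r == 0 || ch == '\n') {     /* end of line, or EOF after data */
            buf[n] = '\0';
            return (ssize_t)n;
        }
        if (n + 1 >= cap)
            break;                      /* too long: refuse, never truncate */
        buf[n++] = ch;
    }
    wipe_secret(buf, cap);
    return -1;
}

int main(void)
{
    char pw[128];
    ssize_t len = read_secret(STDIN_FILENO, pw, sizeof pw);
    /* Check the password here, then erase the only user-space copy. */
    wipe_secret(pw, sizeof pw);
    return len < 0;
}
```

This only covers the copies the program itself holds; the terminal and kernel buffers mentioned in the comments on the question are outside its reach.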
1

Have you checked this? How do I flush the cin buffer?

Try:

```cpp
cin.clear();
```
Community
Keven Wang
0

Since you're using C++, why not just go with the std::string class and use cin>>password directly? This will eliminate the need for a separate variable to hold each character as it's typed. If, after that, you're still worried about the contents of stdin being available, just use:

```cpp
fseek(stdin,0,SEEK_END);
```

at the end of the read. In my opinion this is much easier to use than coding the old (and in my opinion, less secure) C methods and allows you to use the C++ libraries better.

General rule of thumb when coding C++: Don't use C unless you absolutely have to.

Joel Trauger
  • `stdin`, when it is connected to a console or pipe, is not seekable. So it's unlikely that this will actually help much. – Mats Petersson Jul 30 '13 at 19:31
  • @MatsPetersson That is true, because using the C++ classes changes the way input and output is done. Instead of `scanf("%s", password);` you're now able to simply use `cin>>password;` which is cleaner and flushes the buffers adequately. The only real reason to flush the input buffer is when using `getline(password);` since it uses `'\n'` as its delim character and that is generally left in the buffer by most input functions. – Joel Trauger Jul 30 '13 at 19:45
  • There is absolutely no guarantee that the password as content of the buffer is not still there, tho' (or in some other buffer at some layer or another in the system). Of course, finding that will be quite tricky unless you happen to know either what the password is (in which case it's pretty useless) or know where those buffers are located. – Mats Petersson Jul 30 '13 at 19:51
  • @MatsPetersson Well, since we're talking about monitoring buffer contents now, I suppose it's a little too late to mention that any skilled hacker could just keylog the console and then it wouldn't matter how secure your program was or how well it kept its memory hidden from other programs since the keylogger would have the password right there! – Joel Trauger Jul 30 '13 at 20:04
0

I'm completely ignorant of C++, but what I'd do in C is either what DoxyLover suggested or, if you want to stick to using the standard library... use it without buffering; googling "c++ cin unbuffered" does give a few results after all.

loreb