
Given I'm operating on some sort of sensitive data, e.g. a decrypted secret, and I wanna dispose of it as soon as I don't need it anymore, is there an effective way of doing that in JS?

For example, would something like this

```javascript
let secret = null;

secret = getSecretSomehow();
useSecretSomehow(secret);

secret = null; // clear secret
```

do the trick, i.e. would secret stop existing in memory at that moment, and it wouldn't be possible to get it if one dumps the device memory after that line was executed, or are there any JS runtime caveats which would render it ineffective?

To clarify and make the question more precise - assume we don't put that data to DOM or whatever, it only exists as a variable.

tristantzara
  • [Related question](https://security.stackexchange.com/questions/170032/is-there-a-way-to-make-the-browser-remove-the-login-password-from-its-memory-im) on the security stack exchange – Nino Filiu Jun 29 '19 at 18:46
  • Also related: [What are the security implications of storing passwords in Javascript variables?](https://stackoverflow.com/q/36530724/8186898) – Nino Filiu Jun 29 '19 at 18:59
  • Thanks, @NinoFiliu these are indeed useful, however, the first one goes into more DOM-related concerns, while the second one mentions that if one can dump the memory of the device, there probably are greater concerns and gets sidetracked to that topic. My question, however, tries to isolate from those concerns, what I'd love to learn here - if it's possible to recover it from the memory, also in case one can dump it, so it's focused on the language runtime and memory management and doesn't care about e.g. DOM-specific concerns. Wanted to emphasize it here, so my question is more understandable – tristantzara Jun 29 '19 at 19:05
  • You don't have any control over when a JS engine's garbage collector will run and each engine implements gc differently. Setting the variable to `null` doesn't necessarily mean it still doesn't exist in memory somewhere – skyline3000 Jun 29 '19 at 19:12
  • @skyline3000 but if I explicitly overwrite the var, doesn't that put the GC off the table? – tristantzara Jun 29 '19 at 19:13
  • If `getSecretSomehow()` returns a string, AFAIK there is nothing you can do to ensure it doesn't exist in memory anymore. If it returns a Buffer or other array-like type (E.G. Uint8Array) you can write over it. – Paul Jun 29 '19 at 19:13
  • @Paulpro could you please explain to me why there's such a difference in a bit more detail? – tristantzara Jun 29 '19 at 19:14
  • @TristanTzara You're not overwriting the variable, you're re-assigning it. Things like Strings are immutable in JS - it will still exist in memory (somewhere) until the gc runs. – skyline3000 Jun 29 '19 at 19:15
  • @skyline3000 and likely for a while after the GC runs, since it just makes the memory available to be overwritten, but doesn't actually overwrite it. – Paul Jun 29 '19 at 19:17
  • @TristanTzara take a look at Typed Arrays, I don't know if the browser re-uses the memory of a typed array or not, but at least you have some extra control to fill the memory it uses: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/fill – Diego Jun 29 '19 at 19:33
  • @Paulpro, so if I get the secret as buffer, there is actually a way for me to wipe it? how? – tristantzara Jun 29 '19 at 19:37
  • Yes, you can overwrite the contents of the buffer with zeroes or random bytes. You need to make sure that the secret was never included in a string (I.E. wherever you read it from needs to read it directly into a buffer) and that the buffer is never copied (if it was you'd have to zero out every copy). – Paul Jun 29 '19 at 19:43
  • You can just use `secretBuffer.fill(0)` to overwrite it with zeroes – Paul Jun 29 '19 at 19:45
  • Does this answer your question? [How do you clear memory in Javascript?](https://stackoverflow.com/questions/7248122/how-do-you-clear-memory-in-javascript) – Josh Correia Mar 23 '21 at 18:52

1 Answer


Delete is more semantic, however it depends on whether or not you want to keep the variable defined or remove it entirely.

```javascript
window.x = "Test";
console.log(window.x);
// "Test"

delete window.x;
console.log(window.x);
// undefined
```

Using delete, x is no longer a property of the window object. Your example above nulls the variable. In the context of my example if you nulled the x property then the property would still exist on the window object. For security considerations, the comments seem most helpful.

I hope that is helpful!

Michael Paccione
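
The approach described in the comments on the question (hold the secret in a buffer rather than a string, avoid copies, overwrite it with `fill(0)`), as an added example that is not part of the original thread. `withSecret`, `demo` and the sample bytes are hypothetical names and constructed data.

```javascript
'use strict';

// Hypothetical helper: load a secret as bytes, hand it to `use`, then
// overwrite the bytes in place on every exit path (return, throw, async).
function withSecret(load, use) {
  const secret = load();
  if (!(secret instanceof Uint8Array)) {
    // A string cannot be wiped: it is immutable and lives until the GC reclaims it.
    throw new TypeError('secret must be a Uint8Array, not a string');
  }
  const wipe = () => { secret.fill(0); };
  let result;
  try {
    result = use(secret);
  } catch (err) {
    wipe();
    throw err;
  }
  if (result && typeof result.then === 'function') {
    // Asynchronous use: wipe only once the promise settles.
    return Promise.resolve(result).finally(wipe);
  }
  wipe();
  return result;
}

// Shows which references are cleared by the wipe and which copies survive it.
function demo() {
  const seen = {};
  const checksum = withSecret(
    // Constructed sample secret: the bytes of "s3cr3t".
    () => Uint8Array.from([0x73, 0x33, 0x63, 0x72, 0x33, 0x74]),
    (secret) => {
      seen.original = secret;
      seen.view = secret.subarray(0, 3);               // same memory: wiped too
      seen.copy = secret.slice(0, 3);                  // new memory: NOT wiped
      seen.text = new TextDecoder().decode(secret);    // string copy: NOT wipeable
      return secret.reduce((acc, b) => acc ^ b, 0);    // stand-in for real use
    }
  );
  return { checksum, ...seen };
}

console.log(demo());
```

After `withSecret` returns, `original` and `view` read as zeroes while `copy` and `text` still hold the secret, which is why the comments insist on reading directly into a buffer and never copying it.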