0

I'll start with my goal. I have a program, which establishes connection to some servers, database, etc. During the initialization it receives appropriate credentials and establishes the connections. The credentials get passed in some configuration format (lets say json). This is only used at the initialization, and plaintext credentials are then thrown away and do not need to be used ever again.

Now as to my question, how do i enforce cleaning up memory that contained these plaintext credentials? This includes zeroing the memory, and removing all references. Simple deletion of variable won't be enough, if another reference in the code survives. Is there a method that is "idiot-proof"? Meaning, even if some references survived, they will point to cleaned up data.

The program in question runs on Python 3.8 and can the solution can assume CPython.

Adeom
  • 238
  • 1
  • 9
  • 4
    The premise of the question is not clear to me. If a malicious user has access to the system's memory after the object initialization, what will stop them from accessing the system's memory during initialization? Or remove the code that deletes the data from memory? There is very little you can do if a malicious user has physical access to the system and any system with physical access is considered as compromised. – DeepSpace Dec 30 '19 at 13:13
  • 1
    maybe [this is the answer](https://stackoverflow.com/questions/3013304/how-to-delete-every-reference-of-an-object-in-python) to your question? – oo00oo00oo00 Dec 30 '19 at 13:15
  • Memory cleanup is due to possible access through reallocation, though i guess python already zeroes data before free. The second one is less hardware, and more to ensure that even if bug exists that can leak the info, it will only leak zeroed out data. – Adeom Dec 30 '19 at 13:16
  • 1
    You would need to access the physical memory to wipe it... And, as far as I know, it is not possible on Python (I think it is on CPython). Could it be enough to overwrite them with some "junk" data before deleting them? – Kalma Dec 30 '19 at 13:16
  • CPython is what i use in this case. Ill edit the question to specify CPython is used. And yes, overwritting the data would help as well. But i need to ensure that the actual memory gets overwritten, and its not just address reference being changed. – Adeom Dec 30 '19 at 13:18
  • Python does not give any guarantees on what it does with your memory. You would have to very well define what your platform is (Python implementation) and what capabilities a hypothetical attacker has. – MisterMiyagi Dec 30 '19 at 13:19
  • 1
    Answering only this part: `Simple deletion of variable won't be enough, if another reference in the code survives.` - use a function to download the init data to local variables, return the result object(s) with connections. Local variables will be then deleted, only other reference that might survive is if the connection object(s) store the credentials, but that's another problem. – h4z3 Dec 30 '19 at 13:19
  • 1
    How much control do you have over the software that is asking for credentials? If you designed those too, perhaps you could refactor them so that a malicious user can't gain access with just a username and password. Something involving multi-factor authentication and/or time-limited auth tokens, for example. – Kevin Dec 30 '19 at 13:22
  • Multifactor may be an issue. To be more specific, the program in question acts as a worker. The workers form a network, process requests, interact with servers and the network. Hence the starting of a worker should be automatable. I want to avoid multifactor since there may be need to automate spawning workers by simply forwarding the machine a config and a command to spawn a worker. Edit: As for control, i only control the workers. database is MSSQL, some of the services i use are out of controll and dont support multifactor as far as i know. – Adeom Dec 30 '19 at 13:26

0 Answers0