
I was reading this question on storing passwords using a char[] in Java and realized that there are languages that don't have character arrays. Dart and Python both use lists of objects instead of arrays (Dart documentation and Python example tutorial). As far as I understand, this would mean you cannot overwrite the memory and thus would leave the application open to a memory dump attack.

Is there a way to overwrite the memory and thus avoid this attack possibility in Dart or Python?

TarHalda
  • Open ended and opinion based questions that boil down to subjective responses are generally not a good fit for this site, since there generally is not a single correct answer but a range of opinions based on different approaches. – itprorh66 Oct 07 '22 at 14:08
  • @itprorh66 I edited it to make it more clear that I'm asking if there is a way to overwrite the memory, not whether or not this is something I should be concerned about doing (so a "how to do this" question, which should be answerable from an objective point of view). – TarHalda Oct 07 '22 at 14:15

1 Answer


Re: Python:

Strings and bytes objects are immutable in Python, so yes, changing their contents will create a new object while the old one will remain in memory for some time, before eventually being garbage-collected and sooner or later overwritten by newly created objects.

OTOH you may use bytearrays, which are mutable - the obvious downside is that you will be limited to 8-bit characters.

Note: lists are mutable too, but a list of one-char strings will have (a mitigated version of) the same issue: there will be no "old" list left, but the various items will remain until garbage-collected.

gimix
  • Even byte arrays may (at least in Dart, don't know Python) be moved by garbage collection, which can leave copies in memory until that memory is reallocated. In Dart, I'd use `dart:ffi` to allocate memory *outside* of the garbage collected heap, in order to ensure that you only need to clear *one* location. That only works on the native VM. On the web, you are limited to what JavaScript allows. (On the other hand, overwriting a `List` in Dart will clear that copy of the data, even if the integers look like objects. Small integers are not really objects, and are ubiquitous anyway.) – lrn Oct 07 '22 at 16:12
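The `bytearray` approach from the answer, as an added example that is not part of the original thread: it fills a fixed-size `bytearray` in place, zeroes it on exit, and reads the same address back through `ctypes` to confirm the overwrite. It assumes CPython; the helper names (`secret_buffer`, `wipe`, `buffer_address`, `demo`) and the sample secret are hypothetical.

```python
import ctypes
import io
from contextlib import contextmanager

SAMPLE = b"constructed-sample-secret"  # constructed input; a real secret would
                                       # come from a file or socket, not a literal


def buffer_address(buf: bytearray) -> int:
    """Address of the bytearray's storage, taken through the buffer protocol."""
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))


def wipe(buf: bytearray) -> None:
    """Overwrite every byte in place; item assignment never reallocates."""
    for i in range(len(buf)):
        buf[i] = 0


@contextmanager
def secret_buffer(size: int):
    """Yield a fixed-size mutable buffer and zero it on exit, even on error."""
    buf = bytearray(size)
    try:
        yield buf
    finally:
        wipe(buf)


def demo():
    with secret_buffer(len(SAMPLE)) as buf:
        # readinto() writes straight into buf, so no intermediate bytes or
        # str object holding the secret is created on the way in.
        io.BytesIO(SAMPLE).readinto(buf)
        addr = buffer_address(buf)
        before = ctypes.string_at(addr, len(buf))
        # Any conversion to an immutable type makes a copy that wipe()
        # cannot reach; it lives until the allocator reuses that memory.
        leaked_copy = bytes(buf)
    # buf is still referenced here, so reading its storage is safe.
    after = ctypes.string_at(addr, len(buf))
    return before, after, leaked_copy


if __name__ == "__main__":
    before, after, leaked_copy = demo()
    print("before wipe:", before)
    print("after wipe: ", after)
    print("bytes() copy still holds the secret:", leaked_copy == SAMPLE)
```

Keep the buffer at a fixed size while it holds the secret: growing a `bytearray` (for example with `append` or `extend`) can reallocate its storage and leave the old contents behind where `wipe` will not reach them.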