[ruby-core:43810] [ruby-trunk - Feature #5741] Secure Erasure of Passwords

< ^ > P N |<>| ^ _>< --- | ~ ...Help
Issue #5741 has been updated by MartinBosslet (Martin Bosslet).


mame (Yusuke Endoh) wrote:
> I think that adding a method to String requires matz's approval.
> If you propose to add a method to others, such as openssl, you
> can do it at your discretion.
> 

Sure - I would appreciate to have more opinions on how this can be
done best. I haven't really had the time to think it through yet,
but unfortunately I see two major obstacles for either approach.

1. I'm having doubts if this could be handled reliably within String
   itself due to copy on write behavior. So when we finally call
   something like String#clear, we would also need to clear any
   proliferated instances, too. I haven't analyzed it yet, maybe
   someone could tell me if that's possible at all? 

2. If we implement the feature separately (SecureByteBuffer), there
   is a serious chicken & egg problem: how can we feed the password
   to the implementation without using a String first? It's not as 
   easy as it may sound and it would require massive changes in 
   existing code - I fear this could be too invasive for anyone
   to adopt it...

Any thoughts?
----------------------------------------
Feature #5741: Secure Erasure of Passwords
https://bugs.ruby-lang.org/issues/5741#change-25316

Author: MartinBosslet (Martin Bosslet)
Status: Assigned
Priority: Normal
Assignee: matz (Yukihiro Matsumoto)
Category: 
Target version: 2.0.0


In other languages it is considered good practice to securely erase 
passwords immediately after they were used. Imagine authentication
in a web app - ultimately a String containing the password arrives
at the server, where it will be processed and compared to some 
previously stored value. After this is done, there is no need to
store these password Strings any longer, so they should be
discarded right away (more on why later).

In C, you would simply overwrite the array of bytes with zeroes or
random values. In Java, Strings are immutable, that's why there it
is common practice to use char[] for all things password and overwrite
them when done.

Currently, there is no way in Ruby to overwrite the memory that
was used by a String. String#clear and String#replace both use
str_discard internally, which only frees the underlying pointer 
without overwriting it.

The problem with not erasing passwords is this: the contents of the
String stay in memory until they are finally GC'ed. But even then
only the pointer will be freed, leaving the contents mostly intact
until the memory is reclaimed and overwritten later on.

This could be exploited if an attacker had access to the memory of
the server. This could happen in many ways: a core dump after a
crash, access to the host if the server runs in a VM, or even by
deep-freezing the DRAM :) [1]

It could be argued that given the examples above, much more 
devastating attacks would be possible since in all of those
cases you more or less have physical access to the machine. But
I would still consider this to be a valid concern, if not only
for the reason of never opening additional attack surfaces if
they can be avoided relatively easily.

I also found [2], which seems to show that Python deals with 
similar problems and it also contains more background info.

Eric Hodel and I discussed this yesterday and Eric came up with
a C extension that can be used to illustrate the problem (attached).

If you inspect the resulting core dump, you will find the following:

- the untouched String remains in memory fully intact
- the String#clear'ed String remains to a large extent, typically the
  first character is missing - so if you typed "PASSWORD", search for
  "ASSWORD" (unintentional pun) instead
- The String#clear_secure'ed will have been completely erased, no 
  traces remain

My questions:

1. Would you agree that we need this functionality?
2. Where would we ideally place it? I'm not sure whether
   String is the perfect place, but on the other hand, String
   is the only place where we have access to the implementation
   details.
3. Are there better alternative ways how we could achieve this?

[1] http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html
[2] http://stackoverflow.com/questions/728164/securely-erasing-password-in-memory-python


-- 
http://bugs.ruby-lang.org/