| ▲ | voodooEntity 14 hours ago |
| Ok, i kinda get the idea, and with some modification it might be quite handy - but i wonder why its deemed like an "unsolvable" issue right now. It may sound naive, but packages which include data like said session related or any other that should not persist (until the next Global GC) - why don't you just scramble their value before ending your current action? And dont get me wrong - yes that implies extra computation yada yada - but until a a solution is practical and builtin - i'd just recommend to scramble such variables with new data so no matter how long it will persist, a dump would just return your "random" scramble and nothing actually relevant. |
|
| ▲ | raggi 10 hours ago | parent | next [-] |
| It is fundamentally not possible to be in complete control of where the data you are working with is stored in go. The compiler is free to put things on the heap or on the stack however it wants. Relatedly it may make whatever copies it likes in between actions defined in the memory model which could leak arbitrary temporaries. |
| |
| ▲ | to11mtm 10 hours ago | parent [-] | | Yeah, .NET tried to provide a specific type related to this concept (SecureString) in the past and AFAIK there were were two main problems that have caused it to fall into disuse; First one being, it was -very- tricky to use properly for most cases, APIs to the outside world typically would give a byte[] or string or char[] and then you fall into the problem space you mention. That is, if you used a byte[] or char[] array, and GC does a relocation of the data, it may still be present in the old spot. (Worth noting, the type itself doesn't do that, whatever you pass in gets copied to a non-gc buffer.) The second issue is that there's not a unified unix memory protection system like in windows; The windows implementation is able to use Crypt32 such that only the current process can read the memory it used for the buffeer. | | |
|
|
| ▲ | willahmad 13 hours ago | parent | prev | next [-] |
| without language level support, it makes code look like a mess. Imagine, 3 level nesting calls where each calls another 3 methods, we are talking about 28 functions each with couple of variables, of course you can still clean them up, but imagine how clean code will look if you don't have to. Just like garbage collection, you can free up memory yourself, but someone forgot something and we have either memory leak or security issues. |
| |
| ▲ | HendrikHensen 13 hours ago | parent | next [-] | | With good helpers, it could become something as simple as key := make([]byte, 32)
defer scramble(&key)
// do all the secret stuff
Unless I don't understand the problem correctly. | | |
| ▲ | kbolino 12 hours ago | parent | next [-] | | There are two main reasons why this approach isn't sufficient at a technical level, which are brought up by comments on the original proposal: https://github.com/golang/go/issues/21865 1) You are almost certainly going to be passing that key material to some other functions, and those functions may allocate and copy your data around; while core crypto operations could probably be identified and given special protection in their own right, this still creates a hole for "helper" functions that sit in the middle 2) The compiler can always keep some data in registers, and most Go code can be interrupted at any time, with the registers of the running goroutine copied to somewhere in memory temporarily; this is beyond your control and cannot be patched up after the fact by you even once control returns to your goroutine So, even with your approach, (2) is a pretty serious and fundamental issue, and (1) is a pretty serious but mostly ergonomic issue. The two APIs also illustrate a basic difference in posture: secret.Do wipes everything except what you intentionally preserve beyond its scope, while scramble wipes only what you think it is important to wipe. | | |
| ▲ | voodooEntity 10 hours ago | parent [-] | | Thanks, you brought up good points. While in my case i had a program in which i created an instance of such a secret , "used it" and than scrambled the variable it never left so it worked. Tho i didn't think of (2) which is especially problematic. Prolly still would scramble on places its viable to implement, trying to reduce the surface even if i cannot fully remove it. |
| |
| ▲ | nemothekid 5 hours ago | parent | prev | next [-] | | As I understand it, this is too brittle. I think this is trivially defeated if someone adds an append to your code: func do_another_important_thing(key []byte) []byte {
newKey := append(key, 0x0, 0x1) // this might make a copy!
return newKey
}
key := make([]byte, 32)
defer scramble(&key)
do_another_important_thing(key)
// do all the secret stuff
Because of the copy that append might do, you now have 2 copies of the key in data, but you only scramble one. There are many functions that might make a copy of the data given that you don't manually manage memory in Go. And if you are writing an open source library that might have dozens of authors, it's better for the language to provide a guarantee, rather than hope that a developer that probably isn't born yet will remember not to call an "insecure" function. | |
| ▲ | voodooEntity 13 hours ago | parent | prev [-] | | Yep thats what i had in mind | | |
| ▲ | ok123456 11 hours ago | parent [-] | | This proposal is worse because all the valuable regions of code will be clearly annotated for static analysis, either explicitly via a library/function call, or heuristically using the same boilerplate or fences. | | |
| ▲ | voodooEntity 10 hours ago | parent [-] | | Makes sense basically creating an easy to point out pattern for static analysis to find everything security related. As another response pointed out, its also possible that said secret data is still in the register, which no matter what we do to the curr value could exist. Thanks for pointing it out! | | |
| ▲ | ok123456 10 hours ago | parent [-] | | > Makes sense basically creating an easy to point out pattern for static analysis to find everything security related. This is essentially already the case whenever you use encryption, because there are tell-tale signs you can detect (e.g., RSA S-Box). But this will make it even easier and also tip you off to critical sections that are sensitive yet don't involve encryption (e.g., secure strings). |
|
|
|
| |
| ▲ | compsciphd 13 hours ago | parent | prev [-] | | I could imagine code that did something like this for primatives secretStash := NewSecretStash()
pString := secretStash.NewString()
....
....
secretStash.Thrash()
yes, you now have to deal in pointers, but that's not too ugly, and everything is stored in secretStash so can iterate over all the types it supports and thrash them to make them unusable, even without the gc running. | | |
| ▲ | mbreese 11 hours ago | parent | next [-] | | I used to see this is bash scripts all the time. It’s somewhat gone out of favor (along with using long bash scripts). If you had to prompt a user for a password, you’d read it in, use it, then thrash the value. read -p “Password: “ PASSWD
# do something with $PASSWD
PASSWD=“XXXXXXXXXXXXXXXXXX”
It’s not pretty, but a similar concept. (I also don't know how helpful it actually is, but that's another question...) | |
| ▲ | voodooEntity 13 hours ago | parent | prev [-] | | Thats even better than what i had in mind but agree also a good way to just scrumble stuff unusable ++ | | |
| ▲ | compsciphd 10 hours ago | parent [-] | | I'm now wondering with a bit of unsafe, reflection and generics magic one could make it work with any struct as well (use reflection to instantiate a generic type and use unsafe to just overwrite the bytes) |
|
|
|
|
| ▲ | skywhopper 12 hours ago | parent | prev [-] |
| Hard to understand what you’re asking. This is the solution that will practical and built-in. This is a summary of a new feature coming to Go’s runtime in 1.26. |
