Re: secret strings

[Ted Zlatanov <tzz@lifelogs.com>]

On Fri, 01 Apr 2011 14:52:05 +0900 "Stephen J. Turnbull" <stephen@xemacs.org> wrote: 

SJT> Ted Zlatanov writes:
SJT> In the end it's up to the application to manage these secrets.
>> 
>> I strongly disagree that the consumer should have to wipe secrets when
>> done with them.  That simply shifts the burden of managing secrets
>> without easing it.

SJT> (defmacro with-secret-strings (variable-list &rest body)
SJT>   `(unwind-protect (progn ,@body)
SJT>      (mapc #'wipe-secret-string ,variable-list)))

SJT> Was that so hard?

I don't think that's the same thing.  We want to pass the
producer-generated data around and wipe it when the garbage collection
deallocates the memory.  But maybe I misunderstand something.

>> Hiding secrets from backtraces and printing is another matter.  That we
>> can do with `lexical-let' or the approach Stefan showed so I think it's
>> a solved problem.  I've changed the subject to reflect we're discussing
>> "secret strings" now, though the name is not very good.

SJT> Well, I don't care about the name, but I don't see a use case where
SJT> the users are really protected.

It's a *convenience* so the consumer doesn't have to wipe the secret
strings explicitly.  I'm not proposing a security model; the user
protection is only that there's a smaller chance an attacker would see
the secret strings in a memory image of the Emacs process.  If the
secret strings are stored in an encrypted or obfuscated way, the chance
becomes even smaller.

The alternative way to do the above would be at the Lisp level.  I think
that would be slower, less convenient (requiring timers or manual wipe
calls), and the chance of exposure would be greater.  But it's certainly
possible.  It's how password-cache.el does it.

Ted