From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: secret strings
Date: Fri, 01 Apr 2011 06:02:43 -0500
Message-ID: <87aagansj0.fsf@lifelogs.com>
To: emacs-devel@gnu.org

On Fri, 01 Apr 2011 14:52:05 +0900 "Stephen J. Turnbull" wrote:

SJT> Ted Zlatanov writes:
SJT> In the end it's up to the application to manage these secrets.
>>
>> I strongly disagree that the consumer should have to wipe secrets when
>> done with them.  That simply shifts the burden of managing secrets
>> without easing it.

SJT> (defmacro with-secret-strings (variable-list &rest body)
SJT>   `(unwind-protect (progn ,@body)
SJT>      (mapc #'wipe-secret-string ,variable-list)))

SJT> Was that so hard?

I don't think that's the same thing.  We want to pass the
producer-generated data around and wipe it when the garbage collection
deallocates the memory.  But maybe I misunderstand something.

>> Hiding secrets from backtraces and printing is another matter.  That we
>> can do with `lexical-let' or the approach Stefan showed so I think it's
>> a solved problem.  I've changed the subject to reflect we're discussing
>> "secret strings" now, though the name is not very good.

SJT> Well, I don't care about the name, but I don't see a use case where
SJT> the users are really protected.

It's a *convenience* so the consumer doesn't have to wipe the secret
strings explicitly.  I'm not proposing a security model; the user
protection is only that there's a smaller chance an attacker would see
the secret strings in a memory image of the Emacs process.  If the
secret strings are stored in an encrypted or obfuscated way, the chance
becomes even smaller.

The alternative way to do the above would be at the Lisp level.  I think
that would be slower, less convenient (requiring timers or manual wipe
calls), and the chance of exposure would be greater.  But it's certainly
possible.  It's how password-cache.el does it.

Ted
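
The difference between scoped wiping and wiping wherever the data travels, as an added Emacs Lisp example that is not code from this thread or from Emacs itself. The names `my-with-secret-strings` and `my-demo` and the sample secret are hypothetical, and wiping is done with the built-in `clear-string`; the macro is a separate formulation, not the one quoted above.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration.  `my-with-secret-strings' and `my-demo' are
;; hypothetical names; the secret below is a constructed sample value.

(defmacro my-with-secret-strings (variables &rest body)
  "Run BODY, then zero the strings held in VARIABLES, even on error.
VARIABLES is an unquoted list of variable names."
  (declare (indent 1))
  `(unwind-protect
       (progn ,@body)
     ;; Runs on normal exit and on non-local exit (error, throw, quit).
     (dolist (s (list ,@variables))
       (when (stringp s)
         ;; `clear-string' overwrites the string's contents in place.
         (clear-string s)))))

(defun my-demo ()
  "Return (ORIGINAL . COPY) as they look after the wiping scope ends."
  (let ((secret (copy-sequence "hunter2")) ; fresh string, not a literal
        (escaped nil))
    (my-with-secret-strings (secret)
      ;; The consumer hands the data on.  `concat' allocates a second
      ;; string object that the macro knows nothing about.
      (setq escaped (concat "password=" secret)))
    ;; SECRET is now zero-filled; ESCAPED still holds the cleartext
    ;; until something wipes it or its memory is reused.
    (cons secret escaped)))

;; Evaluate (my-demo) and compare the car and the cdr of the result.
```

Only the string objects named in the macro call are cleared; any copy made while the secret is passed around stays in the process image, which is the gap a wipe at deallocation time is meant to close.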