Clear the password from memory

    marcus.fr
    wrote on last edited by
    #1

    Hi

    I use QString to store a password used during authentication in TCP connection. I need to clear the password from memory as soon as the connection is established.

    After the execution of code below I can still locate "somestring" in the memory.
    @
    QString SecureString = "somestring";
    for (int i = 0; i < SecureString.size(); ++i)
        SecureString[i] = QChar('0');
    @

    Any Qt way of "SecureZeroMemory":http://msdn.microsoft.com/en-us/library/aa366877.aspx ?

      p-himik
      wrote on last edited by
      #2

      Instead of the loop you can just use QString::clear().
      You've written the "somestring" string directly in your code. Of course it will be in memory.

        marcus.fr
        wrote on last edited by
        #3

        [quote author="p-himik" date="1332754910"]Instead of the loop you can just use QString::clear().
        You've written the "somestring" string directly in your code. Of course it will be in memory.[/quote]

        I wrote a bad example, sorry. I actually create SecureString on the fly by decrypting an encrypted password. In this case as well, the string still remains in memory after zeroing or calling QString::clear().

          p-himik
          wrote on last edited by
          #4

          Can you provide a piece of the actual code?

            tobias.hunger
            wrote on last edited by
            #5

            I think you will need to replace it with a string of the same length. clear() will most likely just update the information on what is in the buffer, not the buffer itself.

            Using a longer string might cause a new buffer to become allocated, the old buffer getting copied over into the new one and then replaced, leaving the password in the old, now unused buffer.

            PS: I have not tried this;-)

              p-himik
              wrote on last edited by
              #6

              Tobias, what about the method mentioned in the first post? It should wipe the buffer, shouldn't it?

                tobias.hunger
                wrote on last edited by
                #7

                I have not checked the implementation, but I doubt it. It will most likely just update the meta-information on the string. Actually overwriting the memory that used to hold the string is costly. It usually is unnecessary, too, since the memory gets freshly initialized anyway once it gets reused.

                The source code of Qt is available, so just go and check.

                  marcus.fr
                  wrote on last edited by
                  #8

                  I was wrong in my tests, I really apologize. I used "normal" echoMode for QLineEdit to get the password, well, I thought, just for a test. When the QLineEdit text is masked, I cannot find the variable in memory at all, even if the QLineEdit object still exists. Qt somehow handles this internally.

                  So I ended up using SecureString.fill('0') when the variable is no longer needed, and QLineEdit with "password" echoMode. Using SecureString.clear() erases the memory values as well, but I didn't run many tests on this, so I will stick with fill() after reading Tobias's comments.

                    marcus.fr
                    wrote on last edited by
                    #9

                    I messed up again with the memory debug. QLineEdit with "password" echoMode is still not safe: when you call QLineEdit::clear() or QLineEdit::setText(), the variable value will be kept in memory. There is no method to access the internal text variable in order to zero it before object destruction. So the only solution at the moment is to catch key press events and encrypt the password on the fly in a variable that you can control. I just put an arbitrary char into the input box on each key event so the user gets the same interface.

                      tobias.hunger
                      wrote on last edited by
                      #10

                      How about using "setText" to overwrite the line edit contents?

                      Some other things for you to consider:

                      The password can end up on the hard drive in low memory situations (when the page with the information gets swapped out to disk). You will need to make sure that the page containing the password will not get swapped out to disk. Using encrypted swap also helps (IIRC Ubuntu actually does that by default).

                      Anybody that can inject code into the binary (e.g. using plugins to your application, Qt or any other library you use, LD_PRELOAD, etc.) can grab the password right out of the memory before you delete it. Debugging tools like "Gammaray":http://www.kdab.com/kdab-products/gammaray/ demonstrate nicely what a determined attacker can extract right out of the UI itself.

                      Ah, security is so much fun;-)

                        marcus.fr
                        wrote on last edited by
                        #11

                        [quote author="Tobias Hunger" date="1332773270"]How about using "setText" to overwrite the line edit contents?[/quote]
                        I tried that, even with a string of the same size, but the password is still left in memory.

                        [quote author="Tobias Hunger" date="1332773270"]The password can end up on the hard drive in low memory situations (when the page with the information gets swapped out to disk). You will need to make sure that the page containing the password will not get swapped out to disk. Using encrypted swap also helps (IIRC Ubuntu actually does that by default).[/quote]
                        I'm using Botan::SecureVector to lock the memory, but the memory locking mechanism on Windows doesn't guarantee that the locked memory will not be swapped. As far as I researched, Windows will only try to keep locked memory as long as possible until there is hard memory pressure. I couldn't find a portable solution so far. Zeroing the string can at least reduce the risk of the password ending up on disk.

                        [quote author="Tobias Hunger" date="1332773270"]Anybody that can inject code into the binary (e.g. using plugins to your application, Qt or any other library you use, LD_PRELOAD, etc.) can grab the password right out of the memory before you delete it. Debugging tools like "Gammaray":http://www.kdab.com/kdab-products/gammaray/ demonstrate nicely what a determined attacker can extract right out of the UI itself.[/quote]
                        Issues with code injection should probably be handled by the anti-virus program. If the password is not stored on disk, debugging can help the attacker only if he has access to the memory while the application (the one that has the password) is running.

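Added example, not part of any post in this thread and not Qt or Botan code: a standard C++ take on the "variable that you can control" from post #9, which never reallocates (the concern in post #5), overwrites its storage on wipe and destruction, and asks the OS on a best-effort basis to keep the page out of swap (posts #10 and #11). `SecretBuffer` and `residue_after_wipe` are hypothetical names, `mlock` assumes a POSIX system (Windows would use `VirtualLock`), and the sample secret in the test is constructed.

```cpp
#include <cstddef>
#include <sys/mman.h>  // POSIX mlock/munlock (assumption); Windows would use VirtualLock

// Hypothetical helper, not a Qt or Botan class: fixed-capacity secret storage.
class SecretBuffer {
public:
    static constexpr std::size_t kCapacity = 128;
    // Best effort: ask the OS to keep these pages out of swap; may fail (e.g. RLIMIT_MEMLOCK).
    SecretBuffer() : locked_(mlock(buf_, sizeof buf_) == 0) {}
    ~SecretBuffer() {
        wipe();
        if (locked_) munlock(buf_, sizeof buf_);
    }
    SecretBuffer(const SecretBuffer&) = delete;             // no implicit copies of the secret
    SecretBuffer& operator=(const SecretBuffer&) = delete;

    // Refuses to grow, so no reallocation can leave an old copy of the secret behind.
    bool append(char c) {
        if (len_ >= kCapacity) return false;
        buf_[len_++] = c;
        return true;
    }
    // Stores go through a volatile pointer so the compiler does not remove them as dead stores.
    void wipe() {
        volatile char* p = buf_;
        for (std::size_t i = 0; i < kCapacity; ++i) p[i] = 0;
        len_ = 0;
    }
    const char* data() const { return buf_; }
    std::size_t size() const { return len_; }
    bool locked() const { return locked_; }

private:
    char buf_[kCapacity] = {};
    std::size_t len_ = 0;
    bool locked_;
};

// Fill with a constructed sample secret, wipe, and count the bytes that survived.
std::size_t residue_after_wipe(const char* sample) {
    SecretBuffer s;
    for (const char* p = sample; *p; ++p) s.append(*p);
    s.wipe();
    std::size_t nonzero = 0;
    for (std::size_t i = 0; i < SecretBuffer::kCapacity; ++i)
        if (s.data()[i] != 0) ++nonzero;
    return nonzero;
}
```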
                          andre
                          wrote on last edited by
                          #12

                          I doubt if a plugin for Qt will be detected by anti-virus programs as a threat.
