GC and security
Les Schaffer
schaffer at optonline.net
Wed Aug 30 20:54:46 EDT 2006
Paul Rubin wrote:
> You can't rely on anything like that, either on the Python GC side or
> from the OS (which might have long since written the passphrase out to
> the swap disk) without special arrangement.
We offered to disable swap for this app (it's not memory intensive) but
this level of precaution was beyond what is currently desired. I
recently learned that Windows can be asked to zero the swap file during
shutdown, though I know there are ways around this one-pass write.
> Some OS's have system
> calls to lock user pages in memory and prevent swapping, and GPG tries
> to use them. "Best practice" if you're doing a high security app
> involves using special hardware modules to wrap the keys.
Understood, I meant best practice in terms of the less rigorous garbage
collection. If the collect() function hastens garbage collection for
unreferenced strings like a passphrase, it costs us nothing and buys us
a wee bit.
> The
> relevant standard is FIPS 140-2, with FIPS-140-3 in preparation:
>
> http://csrc.nist.gov/cryptval/140-2.htm
> http://csrc.nist.gov/cryptval/140-3.htm
Thanks for these. We may be called upon to up the security level at some
point.
>
> For most purposes (e.g. some random web service), this stuff is
> overkill, though.
We're more sensitive than a web service, but not at the level of
hardware protection. It is health data related, and for the moment we
exceed the OMB's latest on laptop security:
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
I don't see a mention of swap files on there, but maybe I missed it. And
the OMB doc exceeds the security level required by the client app.
les schaffer
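Added example (not from the thread or either poster): the reason gc.collect() buys only "a wee bit" is that a Python str passphrase is immutable and cannot be overwritten, whereas a bytearray can be wiped in place once it has been used; the function names and the constructed salt below are this example's own.

```python
"""Hold a passphrase in a mutable bytearray and wipe it in place after use."""
import gc
import hashlib


def wipe(buf: bytearray) -> None:
    """Overwrite every byte of buf in place (same allocation, no new copy)."""
    for i in range(len(buf)):
        buf[i] = 0


def is_wiped(buf: bytearray) -> bool:
    """True when the buffer holds only zero bytes."""
    return all(b == 0 for b in buf)


def derive_key(passphrase: bytearray, salt: bytes) -> bytes:
    """Derive a key from the passphrase, then wipe the passphrase buffer.

    hashlib accepts any bytes-like object, so the bytearray is used directly
    rather than converted to an immutable (and unwipeable) bytes/str copy.
    The finally clause wipes even if derivation raises.  This only clears
    the one buffer we control; copies the interpreter or the OS made
    (e.g. to swap) are outside its reach.
    """
    try:
        return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)
    finally:
        wipe(passphrase)


def str_cannot_be_wiped(secret: str) -> bool:
    """Show the contrast: a str rejects in-place overwrite.

    del + gc.collect() frees the object, but gives no guarantee that the
    bytes it held are cleared before the memory is reused.
    """
    try:
        secret[0] = "\x00"  # raises TypeError: str is immutable
    except TypeError:
        del secret
        gc.collect()
        return True
    return False


if __name__ == "__main__":
    pw = bytearray(b"correct horse battery staple")  # constructed sample
    key = derive_key(pw, b"constructed-salt")
    print(f"key bytes: {len(key)}, passphrase wiped: {is_wiped(pw)}")
    print(f"str passphrase cannot be overwritten: {str_cannot_be_wiped('hunter2')}")
```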