Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libgit2 credentials objects are dangerous #23232

Open
Keno opened this issue Aug 12, 2017 · 8 comments
Open

libgit2 credentials objects are dangerous #23232

Keno opened this issue Aug 12, 2017 · 8 comments
Labels
libgit2 The libgit2 library or the LibGit2 stdlib module

Comments

@Keno
Copy link
Member

Keno commented Aug 12, 2017

When they finalize themselves, they zero their contents. In particular, they also zero the underlying memory of any string they contains, so for example, in the following:

function authenticate(pass)
    UserPasswordCredentials("anonymous", pass)
end

after the first such object is finalized, that literal gets zero'd and subsequent calls to the same function are constructed with a zero string. I suggest that instead, we pass Vector{UInt8}s to these objects, which are semantically mutable and people won't be as surprised to see them zerod.
@Keno Keno added the libgit2 The libgit2 library or the LibGit2 stdlib module label Aug 12, 2017
Keno added a commit to JuliaComputing/FemtoCleaner.jl that referenced this issue Aug 12, 2017
@Keno
Work around various bugs
cdbc84f 
See JuliaLang/julia#23231 and JuliaLang/julia#23232

Also update Deprecations for a minor bug.
@simonbyrne
Copy link
Contributor

Perhaps a better approach would be to have a SecureString object, which is guaranteed to be zeroed when gc'ed?

@StefanKarpinski
Copy link
Member

StefanKarpinski commented Aug 14, 2017
edited
Loading

Yes, that seems like a good approach. It might have other safety properties, like not being so easily copied around or converted to a normal string, to avoid inadvertent copies leaking into memory.

@simonbyrne
Copy link
Contributor

simonbyrne commented Aug 14, 2017
edited
Loading

is there prior art for this in other languages? seems like something that should be fairly common

@stevengj
Copy link
Member

stevengj commented Aug 17, 2017
edited
Loading

See also the discussion in #17560, where a SensitiveData type was proposed.

One objection to SecureString is the same as it was there: in applications where a string contains sensitive data, you want it to be zeroed immediately after use rather than waiting for gc.

Another objection is that it's not clear to me what SecureString would provide to the user over a byte array. It would be dangerous to print it (which might leave it somewhere else in memory) and you wouldn't want to construct it with SecureString("foo") or really do any string-like operations on it at all.

My preference would be to just change getpass and similar usages of password strings to Vector{UInt8}, and continue to call Base.securezero! immediately when we are done with the password.

@stevengj
Copy link
Member

Another perspective is that the problem @Keno identified may be a feature, not a bug: you shouldn't be putting sensitive password/credential data into program string literals, should you?

@Keno
Copy link
Member Author

Keno commented Aug 17, 2017

The username may or may not be a sensitive credential. In any case zeroing out semantically immutable memory is a bad idea.

@stevengj
Copy link
Member

In any case, changing it to Vector{UInt8} seems reasonable to me.

@omus omus mentioned this issue Nov 23, 2017
Merged
@omus
Copy link
Member

omus commented Nov 24, 2017

I created a PR which implements SecureString. At the moment it still zeros out immutable memory.

@Keno Keno mentioned this issue May 15, 2018
Closed
@ararslan ararslan mentioned this issue May 18, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
libgit2 The libgit2 library or the LibGit2 stdlib module
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@StefanKarpinski @Keno @omus @simonbyrne @stevengj