Talk:Protecting Memory Secrets: Difference between revisions

← Older edit

Talk:Protecting Memory Secrets (view source)

Revision as of 15:05, 17 January 2023

6,641 bytes added , 1 year ago

m

→‎pithier, maybe: nice

EnigmaticC

8

edits

Revision as of 02:19, 15 January 2023 (view source) EnigmaticC (talk \| contribs) m (→‎Disagree, Task is valid: another couple of points) ← Older edit		Latest revision as of 15:05, 17 January 2023 (view source) EnigmaticC (talk \| contribs) m (→‎pithier, maybe: nice)
(5 intermediate revisions by 3 users not shown)
Line 56: === Disagree, Task is valid === * I'll agree this is not an ideal task. Having said that real life doesn't deal out ideal situations very often. There are ~~development~~ security standards for development that make this a requirement. Whether you or I or anyone else agrees with the approach is mute. Whether or not there is a better way is also mute. * As for several ways to complete the task, I could easily create 3, 4, or 8 separate tasks for this. I don't think that really helps anyone. * Mixing in plausible garbage is just one approach. Line 65: [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 01:44, 15 January 2023 (UTC) :Valid as a useful concept for some contexts, definitely. But is it valid as a rosettacode task? If so, how? :Also, some questions: ::First, what is a secret? Is it a bit pattern or is it the information represented by that bit pattern? (A bit pattern is much easier to deal with, in a concrete sense, than an abstraction is.) ::: Several examples of secrets are given in the description. For the example any set of characters or numbers will do. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 23:32, 15 January 2023 (UTC) ::Second, what does it mean to erase a secret? Specifically: how much responsibility must the software author have over the underlying hardware and operating system? (For example: if the operating system has swap enabled, or preserves memory images in some other fashion, is that an issue for the language or is that out of scope for this task?) :::: I explained the language of the standard and further elaborated the intent was to minimize the time a secret is vulnerable to memory skimming. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 23:32, 15 January 2023 (UTC) ::Third is there some meaningful "minimum size" for consideration here? Short bit patterns can happen coincidentally so are probably not relevant, correct? :::: This is getting pedantic. The size of the secret is not relevant to the task as defined. Only the capability is. If you like call it a credit card. There are several well known 16 digit test cards 4111....1111, 42...42, 54..54, but it could be anything and at least one of the contributors made up their own. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 23:32, 15 January 2023 (UTC) :Philosophically speaking, all secret knowledge is temporary -- either all holders of the secret expire, losing the knowledge, or the information is eventually propagated or re-discovered rendering it non-secret. Here, we're aiming for partial expiration -- partial because of limitations of software scope. But we still need to define that scope. :::: Philosophy? Really! There is a defined objective. If you disagree with the philosophy behind the standard either challenge it or avoid it. That doesn't make this an invalid task. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 23:32, 15 January 2023 (UTC) :Anyways... it seems to me that adequately addressing this task takes us deep into rosettacode's "[[Rosetta_Code:Add_a_Task#Things_to_avoid\|things to avoid]]" territory. --[[User:Rdm\|Rdm]] ([[User talk:Rdm\|talk]]) 05:28, 15 January 2023 (UTC) :: Really which ones? I am not asking for a specific language feature. I am asking people who use various languages to provide guidance on how they would meet the intent of a requirement. I'm not even asking for an exceedingly rare feature. I'm not looking for an extremely small solution - I've gone out of my way to be flexible and solicit the input of folks that know their languages. And I have not asked for the fastest possible solution. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 23:32, 15 January 2023 (UTC) :::I would agree and say I cannot see any overlap at all between this task and "things to avoid". I did in fact have a genuine use case for this sort of thing five years or so ago, when I was collaborating with someone 5,000 miles away and it was pretty obvious we did not want to be accidentally emailing our credentials between each other along with the debug info we did need to frequently share. --[[User:Petelomax\|Petelomax]] ([[User talk:Petelomax\|talk]]) 10:06, 17 January 2023 (UTC) : I will reiterate, I made this a draft task for the reason that it isn't as well defined and may change or evolve. I expect this will be evolution toward more clarity as solutions appear. Folks responding to draft tasks know that. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 23:32, 15 January 2023 (UTC) : I get that for whatever reason, this task seems to offend your notion of RosettaCodeness, but your arguments aren't convincing. Just because it isn't a neat and tidy little algorithm doesn't invalidate it. Please feel free to '''ignore''' this task if you don't like it. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 23:32, 15 January 2023 (UTC) === pithier, maybe === I had a quick go at writing a rather pithier task description, which I think it covers it, more for discussion and refinement than for wholesale adoption, and I promise not be be even slightly offended if this is completely rejected. One term that I quite like but missed is "skimming memory". There are many forms of sensitive data, such as login credentials/passwords and credit card details. An entirely separate matter, outside the scope of this task, is how you might permanently store such on disk. At some point however, a program must read in and possibly decrypt such information for use: what steps might you take to minimise the possibility of another program reading process memory, or scanning error files, core dumps, and log files from discovering such sensitive information? One obvious step is to keep such information in memory for the shortest possible time and ensure it is overwritten with garbage/binary zeroes as soon as possible. Some programming language features, including but not limited to object orientation, data hiding, and closures, may make it rather difficult to be certain that raw binary copies of the data are not left in memory for much longer than desired. For instance, a call such as <code>validate(string password)</code> might well leave string password earmarked for garbage collection but otherwise out in plain sight and unencrypted. It may be sensible to only ever store sensitive information in explicitly programmer managed memory. Discuss any other means available to ensure that you can and have securely wiped all last traces of any such asap after use. --[[User:Petelomax\|Petelomax]] ([[User talk:Petelomax\|talk]]) 10:06, 17 January 2023 (UTC) : I'll strongly consider this. I think it would help to make clear the out of scope things like secrets at rest, memory/debugging dumps, etc. and note these are addressed in other parts of the standards. Cleary saying what's out will help folks avoid going down the secret lifecylcle rabbit hole. It may also help to provide quotes for the specific requirements. I probably won't get to an update for several days. [[User:EnigmaticC\|EnigmaticC]] ([[User talk:EnigmaticC\|talk]]) 15:04, 17 January 2023 (UTC)