Re: GC and security



Paul Rubin wrote:

> You can't rely on anything like that, either on the Python GC side or
> from the OS (which might have long since written the passphrase out to
> the swap disk) without special arrangement.

we offered to disable swap for this app (it's not memory intensive) but
this level of precaution was beyond what is currently desired. i
recently learned that Windows can be asked to zero the swap file during
shutdown, though i know there are ways around this one-pass write.

> Some OS's have system
> calls to lock user pages in memory and prevent swapping, and GPG tries
> to use them. "Best practice" if you're doing a high security app
> involves using special hardware modules to wrap the keys.

understood, i meant best practice in terms of the less rigorous garbage
collection. if the collect() function hastens garbage collection for
unreferenced strings like a passphrase, it costs us nothing and buys us
a wee bit.

> The
> relevant standard is FIPS 140-2, with FIPS-140-3 in preparation:
>
> http://csrc.nist.gov/cryptval/140-2.htm
> http://csrc.nist.gov/cryptval/140-3.htm

thanks for these. we may be called upon to up the security level at some
point.


> For most purposes (e.g. some random web service), this stuff is
> overkill, though.

we're more sensitive than a web service, but not at the level of
hardware protection. it is health data related, and for the moment we
exceed the OMB's latest on laptop security:

http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

i don't see a mention of swap files on there, but maybe i missed it. and
the OMB doc exceeds the security level required by the client app.

les schaffer
.
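The point about collect() and passphrase strings, shown as an added example that is not part of this thread: in CPython a plain str is freed by reference counting as soon as its last reference goes, so gc.collect() (which only reclaims reference cycles) adds nothing, and in neither case is the freed memory zeroed. What an application can control is keeping the passphrase in a mutable buffer and overwriting it explicitly; the SecretBuffer class below is a hypothetical illustration of that.

```python
import ctypes


class SecretBuffer:
    """Hold a passphrase in a bytearray so it can be wiped in place.

    A str is immutable: nothing in Python, gc.collect() included, lets
    you overwrite its bytes before the allocator reuses them. A bytearray
    can be zeroed explicitly, which is the best a pure-Python app can do
    short of OS page locking or a hardware module.
    """

    def __init__(self, data: bytes):
        # Copy the caller's bytes into a mutable buffer we own.
        self._buf = bytearray(data)

    def __len__(self) -> int:
        return len(self._buf)

    def use(self) -> bytes:
        # Returns an immutable copy for an API that needs bytes; the
        # caller must drop it promptly, since this copy cannot be wiped.
        return bytes(self._buf)

    def wipe(self) -> bool:
        # Overwrite the buffer with zeros in place via ctypes.memset.
        n = len(self._buf)
        if n:
            view = (ctypes.c_char * n).from_buffer(self._buf)
            ctypes.memset(ctypes.addressof(view), 0, n)
            del view  # release the buffer export before anyone resizes it
        return all(b == 0 for b in self._buf)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        # Wipe on scope exit regardless of exceptions.
        self.wipe()
        return False


if __name__ == "__main__":
    with SecretBuffer(b"constructed sample passphrase") as sb:  # constructed
        print("in use:", sb.use())
    print("after wipe:", sb.use())  # all NUL bytes
```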