2014-03-22 23:03:15 +00:00
|
|
|
Known security limitations
|
|
|
|
|
--------------------------
|
|
|
|
|
|
2019-06-16 03:26:31 +00:00
|
|
|
Secure memory wiping
|
|
|
|
|
====================
|
2014-03-22 23:03:15 +00:00
|
|
|
|
|
|
|
|
`Memory wiping`_ is used to protect secret data or key material from attackers
|
2019-06-16 03:26:31 +00:00
|
|
|
with access to deallocated memory. This is a defense-in-depth measure against
|
|
|
|
|
vulnerabilities that leak application memory.
|
2014-03-22 23:03:15 +00:00
|
|
|
|
2019-06-16 03:26:31 +00:00
|
|
|
Many ``cryptography`` APIs which accept ``bytes`` also accept types which
|
|
|
|
|
implement the buffer interface. Thus, users wishing to do so can pass
|
|
|
|
|
``memoryview`` or another mutable type to ``cryptography`` APIs, and overwrite
|
|
|
|
|
the contents once the data is no longer needed.
|
|
|
|
|
|
|
|
|
|
However, ``cryptography`` does not clear memory by default, as there is no way
|
|
|
|
|
to clear immutable structures such as ``bytes``. As a result, ``cryptography``,
|
|
|
|
|
like almost all software in Python is potentially vulnerable to this attack. The
|
2014-06-26 01:09:28 +00:00
|
|
|
`CERT secure coding guidelines`_ assesses this issue as "Severity: medium,
|
2014-06-26 02:52:03 +00:00
|
|
|
Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not
|
|
|
|
|
consider this a high risk for most users.
|
2014-03-22 23:03:15 +00:00
|
|
|
|
2019-04-16 12:13:49 +00:00
|
|
|
.. _`Memory wiping`: https://devblogs.microsoft.com/oldnewthing/?p=4223
|
2015-03-03 23:29:55 +00:00
|
|
|
.. _`CERT secure coding guidelines`: https://www.securecoding.cert.org/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
|
