Re: Data.ByteString.Unsafe.unsafeWipe

David's idea is pretty cool! wrt Erik's suggestion, I'd rather suggest instead something like what Vincent's secure memory does, which provides finalization support to a bytestring interface https://hackage.haskell.org/package/securemem-0.1.4/docs/src/Data-SecureMem.... -- | Allocate a foreign ptr which will be scrubed before memory free.-- the memory is allocated on the haskell heapallocateScrubedForeignPtr :: Int -> IO (ForeignPtr a)allocateScrubedForeignPtr sz = do#if MIN_VERSION_base(4,6,0) fptr@(ForeignPtr addr _) <- mallocForeignPtrBytes sz addForeignPtrConcFinalizer fptr (scruber (Ptr addr)) return fptr where !scruber = szToScruber sz#else mallocForeignPtrBytes sz#endif this code can totally be adapted to provide a scrubing finalizer to any foreign pointer of interest, and indeed, it could be done as a helper function for bytestrings a la addFinalizer :: ByteString -> IO () -> IO () or something On Sun, Jan 11, 2015 at 10:48 PM, David Feuer wrote:

-1. Breaking referential transparency is completely unnecessary here. The correct way to accomplish this, I believe, is to add a mutable ByteString interface, and then a SecureByteString module wrapping it and actually making the promises you want.

...

Discussion period: one month

When handling sensitive information (like a user's password) it is desirable to only keep the data around for as short a time as possible. Specifically, relying on the garbage collector to clean it up is simply not good enough.

I therefore propose that the following function to be added to the Data.ByteString.Unsafe module:

-- | Overwrites the contents of a ByteString with \0 bytes. unsafeWipe :: ByteString -> IO () unsafeWipe bs = BS.unsafeUseAsCStringLen bs $ \(ptr, len) -> let go i | i < 0 = return () | otherwise = pokeElemOff ptr i 0 >> go (i - 1) in go (len - 1)

It is added to the Unsafe module because it break referential

On Sun, Jan 11, 2015 at 10:42 PM, Erik de Castro Lopo wrote: transparency

...

but since ByteStrings are always kept in pinned memory, it should not otherwise be considered unsafe.

It could be used as follows:

main = do passwd <- getPassword doSomethingWith passwd unsafeWipe passwd restOfProgram

Cheers, Erik -- ---------------------------------------------------------------------- Erik de Castro Lopo http://www.mega-nerd.com/ _______________________________________________ Libraries mailing list Libraries@haskell.org http://www.haskell.org/mailman/listinfo/libraries

---

Libraries mailing list Libraries@haskell.org http://www.haskell.org/mailman/listinfo/libraries