
In fact, it looks like Michael Snoyman has done some work on this
already: https://www.fpcomplete.com/user/chad/snippets/random-code-snippets/mutable-b...
Perhaps he could be convinced to finish/release it.
David
On Sun, Jan 11, 2015 at 10:48 PM, David Feuer wrote:
-1. Breaking referential transparency is completely unnecessary here. The correct way to accomplish this, I believe, is to add a mutable ByteString interface, and then a SecureByteString module wrapping it and actually making the promises you want.
On Sun, Jan 11, 2015 at 10:42 PM, Erik de Castro Lopo wrote:
Discussion period: one month
When handling sensitive information (like a user's password) it is desirable to only keep the data around for as short a time as possible. Specifically, relying on the garbage collector to clean it up is simply not good enough.
I therefore propose that the following function be added to the Data.ByteString.Unsafe module:
    -- | Overwrites the contents of a ByteString with \0 bytes.
    unsafeWipe :: ByteString -> IO ()
    unsafeWipe bs =
        BS.unsafeUseAsCStringLen bs $ \(ptr, len) ->
            let go i
                    | i < 0 = return ()
                    | otherwise = pokeElemOff ptr i 0 >> go (i - 1)
            in go (len - 1)
It is added to the Unsafe module because it breaks referential transparency, but since ByteStrings are always kept in pinned memory, it should not otherwise be considered unsafe.
It could be used as follows:
    main = do
        passwd <- getPassword
        doSomethingWith passwd
        unsafeWipe passwd
        restOfProgram
Cheers,
Erik
--
Erik de Castro Lopo
http://www.mega-nerd.com/
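
An added Haskell example, not code from the thread or from the bytestring library: it shows the aliasing behind the referential-transparency objection (a slice shares its parent's buffer, so wiping one value changes another) next to a hypothetical scoped buffer that zeroes memory only it owns. The names `readBytes` and `withSecretBuffer` and the sample secret are assumptions made for illustration.

```haskell
module Main (main) where

import Control.Exception (bracket)
import qualified Data.ByteString as BS
import qualified Data.ByteString.Char8 as BC
import qualified Data.ByteString.Unsafe as BU
import Data.Word (Word8)
import Foreign.Marshal.Alloc (free, mallocBytes)
import Foreign.Marshal.Array (peekArray, pokeArray)
import Foreign.Marshal.Utils (fillBytes)
import Foreign.Ptr (Ptr, castPtr)

-- The wipe proposed in the thread, written with fillBytes instead of a loop.
unsafeWipe :: BS.ByteString -> IO ()
unsafeWipe bs = BU.unsafeUseAsCStringLen bs $ \(ptr, len) -> fillBytes ptr 0 len

-- Hypothetical helper: read the bytes through IO so every call looks at
-- memory. Pure observations (show, ==) may be shared or reordered by the
-- compiler, which is the hazard of mutating an immutable value.
readBytes :: BS.ByteString -> IO [Word8]
readBytes bs = BU.unsafeUseAsCStringLen bs $ \(ptr, len) ->
  peekArray len (castPtr ptr)

-- Hypothetical scoped alternative: the secret lives in a buffer that no pure
-- value aliases, and it is zeroed before being freed, even on exceptions.
withSecretBuffer :: Int -> (Ptr Word8 -> IO a) -> IO a
withSecretBuffer n = bracket (mallocBytes n) (\p -> fillBytes p 0 n >> free p)

main :: IO ()
main = do
  -- Constructed sample secret; BS.copy gives it a fresh, writable heap buffer.
  let passwd = BS.copy (BC.pack "s3cret-constructed")
      prefix = BS.take 6 passwd      -- O(1) slice sharing passwd's buffer
  readBytes prefix >>= print         -- bytes of the slice before the wipe
  unsafeWipe passwd
  readBytes prefix >>= print         -- prefix was never passed to unsafeWipe
  checksum <- withSecretBuffer 8 $ \p -> do
    pokeArray p [1 .. 8 :: Word8]    -- stand-in for reading a secret into p
    sum <$> peekArray 8 p            -- only a derived, non-secret value escapes
  print checksum
```

The second `readBytes prefix` reflects the wipe of `passwd`, so any value built from slices of a wiped ByteString is silently invalidated as well.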