Data.ByteString.Unsafe.unsafeWipe
David Feuer
david.feuer at gmail.com
Mon Jan 12 03:48:42 UTC 2015
-1. Breaking referential transparency is completely unnecessary here.
The correct way to accomplish this, I believe, is to add a mutable
ByteString interface, and then a SecureByteString module wrapping it
and actually making the promises you want.
On Sun, Jan 11, 2015 at 10:42 PM, Erik de Castro Lopo
<mle+hs at mega-nerd.com> wrote:
> Discussion period: one month
>
> When handling sensitive information (like a user's password) it is
> desirable to only keep the data around for as short a time as possible.
> Specifically, relying on the garbage collector to clean it up is simply
> not good enough.
>
> I therefore propose that the following function to be added to the
> Data.ByteString.Unsafe module:
>
> -- | Overwrites the contents of a ByteString with \0 bytes.
> unsafeWipe :: ByteString -> IO ()
> unsafeWipe bs =
> BS.unsafeUseAsCStringLen bs $ \(ptr, len) ->
> let go i
> | i < 0 = return ()
> | otherwise = pokeElemOff ptr i 0 >> go (i - 1)
> in go (len - 1)
>
> It is added to the Unsafe module because it break referential transparency
> but since ByteStrings are always kept in pinned memory, it should not
> otherwise be considered unsafe.
>
> It could be used as follows:
>
> main = do
> passwd <- getPassword
> doSomethingWith passwd
> unsafeWipe passwd
> restOfProgram
>
>
> Cheers,
> Erik
> --
> ----------------------------------------------------------------------
> Erik de Castro Lopo
> http://www.mega-nerd.com/
> _______________________________________________
> Libraries mailing list
> Libraries at haskell.org
> http://www.haskell.org/mailman/listinfo/libraries
More information about the Libraries
mailing list