Data.ByteString.Unsafe.unsafeWipe

Carter Schonwald carter.schonwald at gmail.com
Mon Jan 12 04:08:24 UTC 2015 

David's idea is pretty cool!

wrt Erik's suggestion, I'd rather suggest instead
something like what Vincent's secure memory does,
which provides finalization support to a bytestring interface

https://hackage.haskell.org/package/securemem-0.1.4/docs/src/Data-SecureMem.html



-- | Allocate a foreign ptr which will be scrubed before memory
free.-- the memory is allocated on the haskell
heapallocateScrubedForeignPtr :: Int -> IO (ForeignPtr
a)allocateScrubedForeignPtr sz = do#if MIN_VERSION_base(4,6,0)
fptr@(ForeignPtr addr _) <- mallocForeignPtrBytes sz
addForeignPtrConcFinalizer fptr (scruber (Ptr addr))    return fptr
where !scruber = szToScruber sz#else    mallocForeignPtrBytes sz#endif


this code can totally be adapted to provide a scrubing finalizer to any
foreign pointer of interest, and indeed, it could be done as a helper
function for bytestrings a la

addFinalizer :: ByteString -> IO () -> IO ()

or something


On Sun, Jan 11, 2015 at 10:48 PM, David Feuer <david.feuer at gmail.com> wrote:

> -1. Breaking referential transparency is completely unnecessary here.
> The correct way to accomplish this, I believe, is to add a mutable
> ByteString interface, and then a SecureByteString module wrapping it
> and actually making the promises you want.
>
> On Sun, Jan 11, 2015 at 10:42 PM, Erik de Castro Lopo
> <mle+hs at mega-nerd.com> wrote:
> > Discussion period: one month
> >
> > When handling sensitive information (like a user's password) it is
> > desirable to only keep the data around for as short a time as possible.
> > Specifically, relying on the garbage collector to clean it up is simply
> > not good enough.
> >
> > I therefore propose that the following function to be added to the
> > Data.ByteString.Unsafe module:
> >
> >     -- | Overwrites the contents of a ByteString with \0 bytes.
> >     unsafeWipe :: ByteString -> IO ()
> >     unsafeWipe bs =
> >         BS.unsafeUseAsCStringLen bs $ \(ptr, len) ->
> >             let go i
> >                     | i < 0 = return ()
> >                     | otherwise = pokeElemOff ptr i 0 >> go (i - 1)
> >             in go (len - 1)
> >
> > It is added to the Unsafe module because it break referential
> transparency
> > but since ByteStrings are always kept in pinned memory, it should not
> > otherwise be considered unsafe.
> >
> > It could be used as follows:
> >
> >     main = do
> >         passwd <- getPassword
> >         doSomethingWith passwd
> >         unsafeWipe passwd
> >         restOfProgram
> >
> >
> > Cheers,
> > Erik
> > --
> > ----------------------------------------------------------------------
> > Erik de Castro Lopo
> > http://www.mega-nerd.com/
> > _______________________________________________
> > Libraries mailing list
> > Libraries at haskell.org
> > http://www.haskell.org/mailman/listinfo/libraries
> _______________________________________________
> Libraries mailing list
> Libraries at haskell.org
> http://www.haskell.org/mailman/listinfo/libraries
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/libraries/attachments/20150111/d64d9de6/attachment-0001.html>

More information about the Libraries mailing list