diff options
author | Alex Gaynor <alex.gaynor@gmail.com> | 2019-06-15 23:26:31 -0400 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2019-06-15 22:26:31 -0500 |
commit | a869061d764604967e4cddd0311e1b11bd736920 (patch) | |
tree | a86f6f77ec122da041909494089ad3d0c42f01f9 /docs | |
parent | 5f8c8a31a7adef224436f8acc3f04147a92b3029 (diff) | |
download | cryptography-a869061d764604967e4cddd0311e1b11bd736920.tar.gz cryptography-a869061d764604967e4cddd0311e1b11bd736920.tar.bz2 cryptography-a869061d764604967e4cddd0311e1b11bd736920.zip |
Fixes #4731 -- update the secure memory wiping docs (#4925)
* Fixes #4731 -- update the secure memory wiping docs
* It's a word!
Diffstat (limited to 'docs')
-rw-r--r-- | docs/limitations.rst | 19 | ||||
-rw-r--r-- | docs/spelling_wordlist.txt | 1 |
2 files changed, 13 insertions, 7 deletions
diff --git a/docs/limitations.rst b/docs/limitations.rst index 6c58262f..5479a155 100644 --- a/docs/limitations.rst +++ b/docs/limitations.rst @@ -1,16 +1,21 @@ Known security limitations -------------------------- -Lack of secure memory wiping -============================ +Secure memory wiping +==================== `Memory wiping`_ is used to protect secret data or key material from attackers -with access to uninitialized memory. This can be either because the attacker -has some kind of local user access or because of how other software uses -uninitialized memory. +with access to deallocated memory. This is a defense-in-depth measure against +vulnerabilities that leak application memory. -Python exposes no API for us to implement this reliably and as such almost all -software in Python is potentially vulnerable to this attack. The +Many ``cryptography`` APIs which accept ``bytes`` also accept types which +implement the buffer interface. Thus, users wishing to do so can pass +``memoryview`` or another mutable type to ``cryptography`` APIs, and overwrite +the contents once the data is no longer needed. + +However, ``cryptography`` does not clear memory by default, as there is no way +to clear immutable structures such as ``bytes``. As a result, ``cryptography``, +like almost all software in Python is potentially vulnerable to this attack. The `CERT secure coding guidelines`_ assesses this issue as "Severity: medium, Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not consider this a high risk for most users. diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 47d37301..6e4675da 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -23,6 +23,7 @@ crypto cryptographic cryptographically Debian +deallocated decrypt decrypts Decrypts |