问题
When loading sensitive information into memory I want to make sure it is securely erased afterwards. I am working on a Javascript web app, and I want to make sure that my variables are securely overwritten when the value changes. Is simply reassigning the value enough to do this or is there something extra that needs to be done in order to overwrite the values in memory.
Or is this a hopeless cause that will forever cause security issues in my application?
I assume this is something that will vary by browser. Do all the major browsers guard against other processes reading the browser memory?
回答1:
It depends on the level of security you need. If you mean it is inaccessible to future Javascript programs running on the same page, yes, all you have to do is reassign the variables pointing to it. If you mean, so secure that a hardware-level analysis of the computer won't find the info, Javascript isn't the language you want.
回答2:
JavaScript don't even support pointers or any way to control whatever it does with memory. You simply cannot make sure that a overwriting in fact happened. The best you can do is unset the variables and pray to the garbage collector god that it will reuse the space they were holding with new stuff.
Also, its kind of pointless to try to protect this information in memory anyway, since:
- Your main preoccupation should be the fact that it will be transmitted over the network;
- It will be only possible to read it from memory if the client computer is compromissed;
- It is way easier to simply debug or adulterate the JavaScript code to make it hand you the information.
If you are relying in this JavaScript "security" to protect information you don't want the user to have access to, stop right now, because you can't. Even if you obfuscate the code it won't take 10 minutes to an experienced programmer to undo it, it doesn't even qualify as Security through obscurity, it's just no security at all.
回答3:
If you want to replace a value then just assign it a different value - what happens to the memory structures in the background is entirely obfuscated from the developer so there is no way to tell what happens (unless the code is open-source and you want to go rummaging around the innards) and whether it is consistent in every browser (doubtful) or whether it is handled securely (short of poking the memory yourself at run-time, again doubtful) but for a scalar value then it "should" not be re-allocating memory so assigning a different value may be sufficient.
If you want to delete a reference to an attribute of an object in JavaScript then you can use:
var x = { data: 'here', other_stuff: 'there' };
// do stuff
delete x.data; // remove the data attribute from the x object.
// do more stuff
delete x; // remove the x attribute from the current scope.
In this case - the delete keyword has nothing to do with memory management; instead, it just removes properties from objects so they can't be referenced. If all references to an object are removed then the object will be scheduled for garbage collection and the memory may be freed but you have no control over this process.
Basically, if you want security for (de-)allocating/overwriting memory then don't use JavaScript.
来源:https://stackoverflow.com/questions/20307697/how-can-i-be-sure-memory-is-being-overwritten-javascript