[Interest] QML and sensitive data
Alexander Ivash
elderorb at gmail.com
Thu Sep 5 09:37:48 CEST 2019
Crashes are already happening which means obviously I'm doing
something wrong. But what options do I have? Do I have it at all?
чт, 5 сент. 2019 г. в 09:37, Elvis Stansvik <elvstone at gmail.com>:
>
> Den tors 5 sep. 2019 01:22Alexander Ivash <elderorb at gmail.com> skrev:
>>
>> Thank you for fast response, but my question is purely about QML. On
>> C++ side I have a lot of ways for nullifying / erasing sensitive
>> information *after* it is not needed (let say after particular QML
>> screen gets' closed). But on QML / JS side I have no any control at
>> all. Would be great if one of QML guys could step in and comment too.
>>
>> Here is the small example illustrating my issue (all I need is to make
>> 'Piter Pen' to disappear from memory dumps):
>>
>> <main.qml>
>>
>> import QtQuick 2.12
>> import QtQuick.Window 2.12
>>
>> Window {
>> visible: true
>> width: 640
>> height: 480
>> title: qsTr("Hello World")
>>
>> Component.onCompleted: {
>> var test = "Piter Pen";
>>
>> // uncommenting results in a crash
>> // backend.cleanup(test);
>>
>> // doesnt' nullify "Piter Pen"
>> // gc();
>>
>> // doesn't work either
>> /*
>> Qt.callLater(() => {
>> gc();
>> })
>> */
>> }
>> }
>>
>> <main.cpp>
>>
>> #include <QGuiApplication>
>> #include <QQmlContext>
>> #include <QQmlApplicationEngine>
>> #include <random>
>> #include <chrono>
>> #include <QString>
>> #include <QByteArray>
>> #include <QDebug>
>>
>> class Backend : public QObject
>> {
>> Q_OBJECT
>> public:
>> explicit Backend(QObject *parent = nullptr) {
>> QString str1 = "Piter Pen";
>> QString str2 = str1;
>> QString str3 = str2;
>>
>> qDebug() << "str1:" << str1;
>> qDebug() << "str2:" << str2;
>> qDebug() << "str3:" << str3;
>>
>> cleanup(str1);
>>
>> qDebug() << "str1:" << str1;
>> qDebug() << "str2:" << str2;
>> qDebug() << "str3:" << str3;
>> }
>>
>> Q_INVOKABLE void cleanup(const QString& str) {
>> std::mt19937
>> eng(std::chrono::system_clock::now().time_since_epoch().count());
>> std::uniform_int_distribution<ushort> distribution;
>>
>> QChar* data = const_cast<QChar*> (str.constData());
>>
>> for(int i = 0; i < str.length(); ++i) {
>> data[i] = distribution(eng);
>> }
>
>
> Just a word of caution: Even if you had not gotten a crash, like Thiago said you need to be very careful here: A smart compiler could possibly decide that since the memory pointed to by data is not used after this, it can optimize this entire loop of yours away.
>
> Not saying that's going to happen, but you need to be very careful. I think there are platform specific memory-zeroing functions that could be used that are written with that in mind. At least I know OpenBSD has something like that.
>
>> }
>> };
>>
>> int main(int argc, char *argv[])
>> {
>> QCoreApplication::setAttribute(Qt::AA_EnableHighDpiScaling);
>>
>> QGuiApplication app(argc, argv);
>>
>> Backend backend;
>> QQmlApplicationEngine engine;
>> const QUrl url(QStringLiteral("qrc:/main.qml"));
>> QObject::connect(&engine, &QQmlApplicationEngine::objectCreated,
>> &app, [url](QObject *obj, const QUrl &objUrl) {
>> if (!obj && url == objUrl)
>> QCoreApplication::exit(-1);
>> }, Qt::QueuedConnection);
>> engine.rootContext()->setContextProperty("backend", &backend);
>> engine.load(url);
>>
>> return app.exec();
>> }
>>
>> #include "main.moc"
>>
>> чт, 5 сент. 2019 г. в 01:32, Thiago Macieira <thiago.macieira at intel.com>:
>> >
>> > On Wednesday, 4 September 2019 14:46:09 PDT Alexander Ivash wrote:
>> > > Is there any mechanism for cleanup sensitive data like passwords etc
>> > > from QML? This issue is that gc() doesn't seem to even nullify memory
>> > > (at least in release on Windows) so all the sensitive information
>> > > stays in memory.
>> >
>> > Write in C++ and manage your memory VERY carefully. Remember that memset()
>> > before free / delete or going out of scope is removed by the compiler.
>> >
>> > Don't use new or malloc. Instead, mmap() your chunk of memory yourself and
>> > mlock() it properly.
>> >
>> > Of course, to display such information you need to accept that it is no longer
>> > secure. It'll go to QML, then to the text engines, then the pixels will be
>> > transferred to the display server or the GPU, etc.
>> > --
>> > Thiago Macieira - thiago.macieira (AT) intel.com
>> > Software Architect - Intel System Software Products
>> >
>> >
>> >
>> > _______________________________________________
>> > Interest mailing list
>> > Interest at qt-project.org
>> > https://lists.qt-project.org/listinfo/interest
>> _______________________________________________
>> Interest mailing list
>> Interest at qt-project.org
>> https://lists.qt-project.org/listinfo/interest
More information about the Interest
mailing list