[Interest] QML and sensitive data

Ulf Hermann ulf.hermann at qt.io
Tue Sep 10 08:53:31 CEST 2019


> Just in case if someone will be looking for solution - I've managed to
> eliminate all the sensitive data from memory on closing particular QML
> screen without sacrificing existing architecture. The secret is pretty
> simple: just avoid situations when QString-s gets copied into JS
> strings:
> 1. Do not use QJsonArray as the model for QML, use QVariantList as the
> replacement instead. At least because QVariantList of QVariants of
> QStrings allows an access to QString if required.
> 2. Use Quick Controls 2 because they are implemented in C++ and thus
> doesn't result in creation of JS strings
> 3. On destruction of Quick Controls pass properties like 'text',
> 'displayText' etc to C++ where const_cast and nullify
> implicitly-shared buffer.
> Bonus: QJsonDocument provides nice 'rawData' function allowing to
> cleanup its internals if required.

I can _not_ recommend this approach. The string may get copied 
internally in many places. Bindings may be evaluated as JavaScript, 
necessitating a JavaScript string representation. The visual 
representation of the string may be generated at some point, passing the 
string through layers of rendering code. The string has to be assembled 
from input somehow, potentially by re-allocating and expanding a buffer 
as you type. The old buffer will not be erased, and the input events may 
be allocated and deleted on the heap, without erasing them before 
deletion. You can _not_ be sure that the string is completely erased 
from memory after theses steps.

And obviously const_cast'ing and nullifying a string is not thread safe. 
If you are running a threaded render loop, for example, you may just 
have created a race condition.


More information about the Interest mailing list