How to hide or remove sensitive data from getting exposed in memory dump?

On the Windows platform, Python application data is exposed in a memory dump. The memory dump was taken using the Process Hacker tool.

def f1(self):
    # some code
    # The secret is bound to a plain str object; its bytes stay in the heap
    # until the interpreter happens to reuse that allocation.
    id = "<sensitive_string_data>"
    return

In the above example, the value of id, i.e. <sensitive_string_data>, is exposed in the memory dump.

Is there any way to mark such variables as sensitive after the use and hide or remove it from memory dump?

I tried 3 options, but none worked:

  1. by deleting the variable after its use
  2. by pointing the variable to None
  3. by deleting the variable and performing gc.collect()

Python strings are immutable at the Python level: the underlying memory is only modified incidentally by the implementation, as an “as-if” optimization.

If you need this level of control over memory, you will need to use some kind of mutable buffer type, ensure that the buffer is never reallocated (which would cause the implementation to move the data and leave the original underlying allocation alone), and presumably implement your own interface on top of that to interpret the data. bytearray is the most obvious choice for this. Then you would need to arrange a way to make sure the buffer is consistently zeroed out before being garbage-collected.

Of course, if your program is still using the “string” at the time that the memory dump is created, there is nothing that could be done about it in Python, or any other programming language. It is the same as how DRM can never be fool-proof. If you have access to the data, you have access to the data.

1 Like
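As an added illustration of the approach this answer describes (this is example code written for this page, not code from the thread or from the Python project), the class below keeps a secret in a fixed-size bytearray that is pinned so it can never be resized, fills it with readinto() so no intermediate bytes or str object is ever created, compares it in constant time, and zeroes it in place when the with-block ends. The class and method names (SecretBuffer, read_from, leaky_copy, demo) are this example's own; leaky_copy exists only to show why a bytes() or str() copy defeats the whole scheme.

```python
"""Added example: a wipeable secret buffer on top of a preallocated bytearray.

Not code from the thread. It follows the approach the answer describes:
allocate a fixed-size mutable buffer once, never let it be resized (so the
implementation never moves the bytes and leaves a stale copy behind), keep all
access at the bytes level (no str is ever built), and zero it out before it is
released. The class name and method names are this example's own.
"""
import ctypes
import hmac
import io


class SecretBuffer:
    def __init__(self, size: int):
        self._buf = bytearray(size)
        # An exported memoryview pins the bytearray: any attempt to resize it
        # now raises BufferError instead of silently reallocating and moving it.
        self._view = memoryview(self._buf)
        self._len = 0

    def address(self) -> int:
        """Address of the backing storage; stays constant for the object's life."""
        return ctypes.addressof(ctypes.c_char.from_buffer(self._buf))

    def read_from(self, stream) -> int:
        """Fill the buffer straight from a binary stream via readinto(), so no
        intermediate immutable bytes object is ever created."""
        n = stream.readinto(self._view)
        self._len = n or 0
        return self._len

    def compare(self, expected: bytes) -> bool:
        """Constant-time comparison without copying the secret into a new object."""
        return hmac.compare_digest(self._view[:self._len], expected)

    def leaky_copy(self) -> bytes:
        """Deliberately shows the pitfall: bytes()/str() copies are immutable and
        outlive wipe(), which is why the secret must never leave the buffer."""
        return bytes(self._view[:self._len])

    def wipe(self) -> None:
        """Overwrite every byte with zero. Same-length slice assignment does not
        resize, so the memory is zeroed in place."""
        self._view[:] = b"\x00" * len(self._view)
        self._len = 0

    def is_wiped(self) -> bool:
        return not any(self._view)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.wipe()
        return False

    def __del__(self):
        try:
            self.wipe()
        except Exception:
            pass


def demo(sample: bytes) -> dict:
    """Run the buffer through its life cycle on a constructed sample and return
    what each step observed, so the behaviour can be checked."""
    sb = SecretBuffer(64)
    n = sb.read_from(io.BytesIO(sample))   # stand-in for a socket/file readinto()
    addr_before = sb.address()
    leaked = sb.leaky_copy()
    matched = sb.compare(sample)
    try:
        sb._buf.extend(b"x")               # must fail: resizing would move the data
        resize_blocked = False
    except BufferError:
        resize_blocked = True
    sb.wipe()
    return {
        "read": n,
        "matched_before_wipe": matched,
        "matched_after_wipe": sb.compare(sample),
        "address_stable": sb.address() == addr_before,
        "resize_blocked": resize_blocked,
        "wiped": sb.is_wiped(),
        "copy_survives_wipe": leaked == sample,
    }


if __name__ == "__main__":
    # Constructed sample input; a real program would readinto() from a socket or file.
    for key, value in demo(b"correct horse battery staple").items():
        print(f"{key}: {value}")
```

The last entry of demo() is the point the answer makes: once the secret has been turned into a bytes or str object anywhere, that copy is immutable and cannot be zeroed, so the buffer only helps if every consumer works on the bytearray (or a memoryview of it) directly.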

It is worse than you know, as the sensitive data may get written to the Windows swap file as well.

There are APIs to allocate memory that is never written to swap/page files. But these are only usable at the C level. It is also a skilled job not to leak the sensitive data outside of the special memory.

You might be able to write a C extension to do this so long as the sensitive data is never given to python, as it will then be leaked.

2 Likes
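The OS calls this answer alludes to can be reached without writing a compiled extension. As an added example (not code from the thread), the snippet below uses ctypes to call VirtualLock/VirtualUnlock on Windows and mlock/munlock on POSIX so that a bytearray's pages are kept out of the swap or page file while it is locked, and zeroes the buffer before unlocking so the plaintext never becomes pageable. The function names (lock_pages, wipe_and_unlock, last_os_error) are this example's own. Locking is best-effort: the OS may refuse (RLIMIT_MEMLOCK on Linux, missing privilege), so the result must be checked. The answer's caveat still applies in full: the secret must be read into the locked buffer at the bytes level and never converted to a str, or the copy lives in ordinary, pageable memory.

```python
"""Added example: best-effort page locking of a secret bytearray via ctypes.

Not code from the thread. It reaches the OS calls the answer refers to
(VirtualLock on Windows, mlock on POSIX) through ctypes rather than a
compiled extension. Function names are this example's own.
"""
import ctypes
import os
import sys


def _address(buf: bytearray) -> int:
    # from_buffer() wraps the bytearray's own memory; nothing is copied.
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))


def _os_lock_funcs():
    """Return (lock, unlock) callables for this platform; each returns True on success."""
    if sys.platform == "win32":
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        for fn in (k32.VirtualLock, k32.VirtualUnlock):
            fn.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
            fn.restype = ctypes.c_int          # BOOL: non-zero on success
        return (lambda a, n: bool(k32.VirtualLock(a, n)),
                lambda a, n: bool(k32.VirtualUnlock(a, n)))
    libc = ctypes.CDLL(None, use_errno=True)   # symbols of the running process (libc)
    for fn in (libc.mlock, libc.munlock):
        fn.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
        fn.restype = ctypes.c_int              # 0 on success, -1 with errno set
    return (lambda a, n: libc.mlock(a, n) == 0,
            lambda a, n: libc.munlock(a, n) == 0)


def lock_pages(buf: bytearray) -> bool:
    """Pin buf's pages in RAM. Returns False (no exception) when the OS refuses,
    e.g. RLIMIT_MEMLOCK exceeded or insufficient privilege."""
    if not buf:
        return False
    lock, _ = _os_lock_funcs()
    return lock(_address(buf), len(buf))


def wipe_and_unlock(buf: bytearray) -> bool:
    """Zero the buffer *before* releasing the lock, so plaintext never becomes
    pageable. Same-length slice assignment zeroes in place without reallocating."""
    if not buf:
        return False
    buf[:] = b"\x00" * len(buf)
    _, unlock = _os_lock_funcs()
    return unlock(_address(buf), len(buf))


def last_os_error() -> str:
    """Human-readable reason for the most recent OS-call failure (for logging)."""
    if sys.platform == "win32":
        return ctypes.FormatError(ctypes.get_last_error())
    return os.strerror(ctypes.get_errno())


if __name__ == "__main__":
    secret = bytearray(4096)          # allocate empty, then fill via readinto() in real use
    if lock_pages(secret):
        print("pages locked; fill the buffer with readinto(), never from a str")
    else:
        print("lock refused:", last_os_error())
    print("unlocked after wipe:", wipe_and_unlock(secret))
```

Allocate and lock the buffer while it is still empty, then fill it with readinto() from the file or socket that supplies the secret; that ordering means the plaintext is never in memory that could be paged out.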