
Wiping out value of a variable from physical memory in PHP

The general question is: Is it possible to remove the value of a String variable from physical memory after that variable has been unset in PHP?

The problem arose from certain requirements of security standards (there should be no way to dump data from memory to disk while processing certain vital data). According to the "Is memory encrypted?" topic, there is no good way to encrypt data in-memory.

So, when unsetting a String variable in PHP you cannot say for sure that the data in memory was overwritten. The same goes for setting a new value to the variable.

Thus I'm interested in whether it is possible to wipe out a variable's value from memory without changing the core code of the unset method.

WASD42 asked Oct 23 '22 02:10


1 Answer

First of all, I'm not sure that wiping out the string will meet the security requirement you described, as one could still theoretically dump memory before the string is wiped anyway. But that's impossible to meet anyway, as you can't process data without having it in memory.

Anyway, if you want to ensure the string is wiped, I think the only way to do so in PHP is to loop through the string and modify each character: remember, the contents of memory do not go away until overwritten, even if you have no references to the variable and PHP GC has run.

I believe this will work:

// Overwrite every byte of $str with 'x' before the variable is released
for ($i = 0, $n = strlen($str); $i < $n; $i++) {
    $str[$i] = 'x';
}
kitti answered Nov 15 '22 04:11
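The per-character overwrite from the answer only reaches the buffer that the variable owns alone, because PHP strings are copy-on-write. The sketch below is an added example, not code from the question or the answer: `wipe_string()` is a hypothetical helper name, the secrets are constructed sample values, and it uses `sodium_memzero()` from ext-sodium when that extension is loaded.

```php
<?php
// Added example. wipe_string() is a hypothetical helper, not a PHP built-in.

/**
 * Overwrite the bytes behind $secret, then set the variable to null.
 * The argument is taken by reference so the function works on the
 * caller's variable instead of a value passed in.
 */
function wipe_string(&$secret): void
{
    if (!is_string($secret)) {
        return;
    }
    if (function_exists('sodium_memzero')) {
        // ext-sodium: zeroes the buffer only when no other variable
        // shares it, then sets $secret to null.
        sodium_memzero($secret);
        return;
    }
    // Fallback: the per-character overwrite from the answer.
    for ($i = 0, $n = strlen($secret); $i < $n; $i++) {
        $secret[$i] = "\0";
    }
    $secret = null;
}

// Case 1: sole owner. The value is built at run time (constructed sample),
// so it is not a literal compiled into the script.
$token = bin2hex(random_bytes(8));
wipe_string($token);          // bytes are overwritten in place
var_dump($token);             // NULL

// Case 2: a second variable shares the buffer (copy-on-write).
$password = bin2hex(random_bytes(8));
$copy = $password;            // no bytes copied yet, one shared buffer
wipe_string($password);       // the shared buffer is NOT overwritten
var_dump($password);          // NULL
var_dump(strlen($copy));      // int(16): the original bytes are still there

// Every holder of the secret has to be wiped for the buffer to be cleared.
wipe_string($copy);
```

Copies made implicitly, for example by passing the secret by value, storing it in an array, or concatenating it into another string, need the same treatment, and string literals in the script source cannot be wiped this way at all.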