[tor-dev] Deployability of Python software.

Watson Ladd watsonbladd at gmail.com
Fri Mar 2 22:36:26 UTC 2012


On Fri, Mar 2, 2012 at 3:58 PM, Arturo Filastò <hellais at torproject.org> wrote:
> We were discussing last night with George about deployability of Python
> applications on multiple platforms.
[....]
> By talking to some of the core Python developers my understanding is that there is a way of
> securely storing keys in memory and wiping that memory region in Python. It involves using
> bytearray. When you override a cell in a byte array you are not simply dereferencing the pointer
> to the Python struct, you are actually overwriting that portion of memory.
> I think I might write a blog post about this and illustrate what other Python crypto software is
> using to solve this problem (PyCrypto etc.).

What's the threat model here? On a single-user machine access to
memory usually means game over anyway: you can be rooted and the keys
read out.  Or is this a matter of making 1 application that works for
all threat models so that we can discover and root out bugs faster?

Sincerely,
Watson Ladd


-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
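
The bytearray behaviour described in the quoted text, as an added example that is not part of this message or of any Tor code. It assumes CPython and uses ctypes only to look at the buffer's storage; the function names and the sample key are constructed for illustration.

```python
import ctypes

def buffer_address(buf: bytearray) -> int:
    """Address of the bytearray's underlying storage (CPython-specific)."""
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))

def peek(address: int, length: int) -> bytes:
    """Read raw bytes at an address we know belongs to a live bytearray."""
    return ctypes.string_at(address, length)

def wipe(buf: bytearray) -> None:
    """Overwrite every cell in place; the object keeps the same storage."""
    for i in range(len(buf)):
        buf[i] = 0

def demo():
    # Constructed sample key, not real key material.
    key = bytearray(b"constructed-demo-key-0123456789!")
    n = len(key)
    addr = buffer_address(key)

    # Converting to an immutable bytes object makes a second copy that
    # wiping the bytearray does not touch.
    immutable_copy = bytes(key)

    before = peek(addr, n)
    wipe(key)
    after = peek(addr, n)

    same_storage = buffer_address(key) == addr
    copy_survives = immutable_copy == before
    return before, after, same_storage, copy_survives

if __name__ == "__main__":
    before, after, same_storage, copy_survives = demo()
    print("storage before wipe:", before)
    print("storage after wipe: ", after)
    print("same storage reused:", same_storage)
    print("bytes copy still holds key:", copy_survives)
```

Wiping covers only the bytearray's own buffer: any bytes or str copy made from the key, including inside a library call, stays in memory until the allocator reuses it.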

