Abstract
JavaScript does not provide web applications the ability to overwrite or clear variables of primitive types, such as strings, when they are no longer required. Applications instead need to rely on the garbage collector to eventually clear sensitive data from memory. When accessing input fields natively provided by the browser via JavaScript, their values are accessed through primitive type variables and thus affected by this limitation.
In this paper, we analyze how the popular browsers Chrome, Chromium, Firefox, Opera, and Edge handle input values in memory. We find that sensitive values almost always remain in memory several minutes longer than necessary.
We propose the JavaScript library SecPassInput that simulates a non-native input for passwords. The library does not rely on variables of a primitive type, thereby giving web applications the ability to clear and overwrite values in memory. We evaluate the security benefits of SecPassInput by measuring how long values remain in memory after they are no longer needed, finding that the on-screen keyboard of SecPassInput guarantees immediate removal from memory after triggering SecPassInput's clear operation.
© 2024 IFIP International Federation for Information Processing
Cite this paper
Wichmann, P., See, A., Federrath, H. (2024). SecPassInput: Towards Secure Memory and Password Handling in Web Applications. In: Meyer, N., Grocholewska-Czuryło, A. (eds) ICT Systems Security and Privacy Protection. SEC 2023. IFIP Advances in Information and Communication Technology, vol 679. Springer, Cham. https://doi.org/10.1007/978-3-031-56326-3_17
DOI: https://doi.org/10.1007/978-3-031-56326-3_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56325-6
Online ISBN: 978-3-031-56326-3