Is there a way to reliably delete / erase a variable (i.e. Key / Password) in JavaScript?

Crypto libraries for JavaScript exist today, such as sjcl, and hence a situation may arise where a password / key / secret / sensitive data is stored somewhere in a variable in JavaScript.

I don't want to risk sensitive data being leaked / exposed, and so I would really like to know if there is a way to reliably erase a variable in JavaScript so that the memory used by the JavaScript engine doesn't have any remaining information about its data. I, for example, would not want to rely on some GC to destroy data lazily, etc.

An answer may include example code that kills / wipes the variable, and also explain when it is sure that the data has been deleted (and whether there are differences between JavaScript implementations, such as browsers / Node.js).

Otherwise, if the task is not possible, I would appreciate an explanation as to why this is so, and would also accept this as an answer.

The goal is not to protect the user of the web page from accessing the script variable (this is not possible, I guess). The goal is to ensure that the JavaScript engine's memory does not store shadow / cached copies of data when needed. I want the data to be deleted so that no one (the attacker) can get the secret data by looking at the memory associated with the JavaScript variables.

+1




1 answer


JavaScript is garbage collected. In addition, there is no built-in deterministic resource management mechanism. You can create one, but the resource must be external.

Even if you create such a mechanism (for example, with an external C++ module in Node), engines do not give you reliable guarantees about when their copy of the memory will be flushed. You will have to manually assign the same variable parts of the resource data and replace them with garbage yourself. It probably works, but there is still no guarantee at the engine level.

It's just not a problem. JavaScript implementations are built as well as they are now. No SecureString. Nonetheless - smart people are working on ECMAScript (JS standard) variants that give you much stronger guarantees. This is a good first step towards solving the problem (but so far there is no such guarantee).



I don't even want to get started with browsers, where browser extensions can easily get better interceptors than you and write over Function.prototype.call and connect to every function call. JavaScript has some pretty powerful AOP capabilities, this, for instance.

One possible solution would be to run the entire program in a virtual machine that uses encrypted RAM, but I am against dragging and dropping my own cryptographic code. Generally, an attacker should not have access to your software's RAM in the first place; if they do, they can install a browser extension :)

+1
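
The following is an added example, not part of the answer above. It sketches the "replace them with garbage yourself" approach for a secret held in a Uint8Array, under the answer's own caveat that the engine gives no guarantee about copies it made itself. The helper names wipe, withSecret and demo are hypothetical, and the key bytes are constructed sample data.

```javascript
// Added example: best-effort wiping of a secret kept in a typed array.
// wipe(), withSecret() and demo() are hypothetical names, not a library API.

// Overwrite the buffer in place. Only this buffer is cleared: copies made
// earlier by your code, a library or the engine are not affected.
function wipe(bytes) {
  bytes.fill(0);
}

// Run fn(secret), then wipe the buffer on return, on throw or on rejection.
function withSecret(secret, fn) {
  if (!(secret instanceof Uint8Array)) {
    // Strings are immutable, so they can never be overwritten in place.
    throw new TypeError('secret must be a Uint8Array, not a string');
  }
  let result;
  try {
    result = fn(secret);
  } catch (err) {
    wipe(secret);
    throw err;
  }
  if (result && typeof result.then === 'function') {
    // Async use: wipe after the promise settles, not when fn returns.
    return Promise.resolve(result).finally(() => wipe(secret));
  }
  wipe(secret);
  return result;
}

// Shows which aliases of the secret a wipe reaches and which it misses.
function demo() {
  const key = Uint8Array.from([0x13, 0x37, 0xc0, 0xde]); // constructed sample key
  const view = key.subarray(0, 2); // shares memory with key
  let copy;
  const sum = withSecret(key, (k) => {
    copy = k.slice(); // independent copy: withSecret cannot reach it
    return k.reduce((a, b) => a + b, 0);
  });
  return {
    sum,
    keyWiped: key.every((b) => b === 0),
    viewWiped: view.every((b) => b === 0),
    copyStillHoldsSecret: copy.some((b) => b !== 0),
  };
}
```

The copy made with slice() survives the wipe, which is the same problem the answer describes at the engine level: only memory you still hold a reference to can be overwritten.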

