Jump to content

How does PHP store data in RAM..? Variables, output, passwords etc..?


Go to solution Solved by kicken,

Recommended Posts

I have a question about PHP, and how it stores data in RAM..

 

As we know, programs on a computer are run in RAM, and so, when I have a PHP script, and I am writing a string to a variable.... or when I am using file_get_contents to read data from a file into PHP... it's going to load it into RAM.....

 

You see.... what I am really asking is a security question....

 

On Linux, you can run the following command, to get the 1st approx. 1MB of RAM extracted into a file...

 

dd if=/dev/mem | hexdump -C > OUTPUTFILEHERE.txt

And so... if I were to run this command, I would get 1MB of data from the RAM, and I'm thinking... this could contain sensitive data from a PHP script, aka passwords....

 

Like... if I have the following PHP code....

 

<?php

$password = "my_password_here";

?>

.... then.... "my_password_here" might be stored in RAM, and thus, a hacker could extract the password out of RAM, and use it to compromise my security...?

 

And so.....I have 2 quetions....

 

(1) how does PHP store variables in RAM?

(2) if PHP does store it openly, what is the best way of wiping it...? Would over-writing the password variable with some junk.. manage to erase it from RAM..? Or... would I have to use some kind of PHP "flush" command...?

 

Thank you for reading :)

Uhm, if they can run that command they could just vi file.php and read it a lot easier.

 

Yeah, but see... I don't have the actual password stored INSIDE the PHP file.. I was just showing you an example, for the sake of this forum..... The actual script randomly-generates a password... .and then stores it...

 

So... back to my actual question, please..... Does anyone have an answer to my original question?

 

Thanks

An attacker could attempt a buffer overflow to retrieve sensitive data, while this is rare with an interpreted language such as PHP, it is possible. You can look at the PHP change log for bug fixes related to buffer overflow.

 

As to the password example:

The only version of a password that should be stored in RAM while PHP is using it should be a salted hash version of the password to be compared with the salted hash password stored in the database.

 

Basically my point with that is, you don't need to worry about it.

Edited by AyKay47

An attacker could attempt a buffer overflow to retrieve sensitive data, while this is rare with an interpreted language such as PHP, it is possible. You can look at the PHP change log for bug fixes related to buffer overflow.

 

As to the password example:

The only version of a password that should be stored in RAM while PHP is using it should be a salted hash version of the password to be compared with the salted hash password stored in the database.

 

Basically my point with that is, you don't need to worry about it.

 

No.... there is no point in using a hashed, salted version, because the password itself has to be, in its original form, generated and stored by PHP... and it is not actually stored in a file, but within the PHP script itself....

 

OK... The PHP script I have is like this...

 

<?php

$password = CODE HERE TO RANDOMLY GENERATE LETTERS AND NUMBERS ETC

write password to USB device.... then immediately unmount USB device

while (1 == 1) {

wait for USB sticks to be plugged in, encrypt files using the password generated by PHP

}

?>

And so.... the password never has to leave the PHP script.... it's never stored in any persistent file on the server... it's only on the USB stick, which is disconnected from the server, and used to generate encrypted files offline.... and then.... as I say... the only other place it's stored is within the PHP script on the server.

 

Like... you mention "database" in your post, but notice, I never said that I had a database, did I..? There is no database involved.... The password is only stored within the PHP file....

 

OK... this is an encryption program I am writing...

 

So again... I just want to know..... how do PHP scripts look when they are in RAM etc.. like, I just want to know what it looks like, OK..? I appreciate everyone trying to tell me other things, but I just want the ORIGINAL question answered...

 

Thanks

Edited by KingNeil

It looks like a bunch of 1's and 0's allocated to a certain memory address in the stack. there is your answer.

 

Since you are rude and clearly do not understand basic concepts like memory addressing.

Edited by AyKay47

If an attacker can access the values in RAM, you're already compromised.  As Jessica has stated, them dumping out your RAM is the least of your worries. They have access to your machine and file system.  But to answer your question, I'm almost certain your code is not stored in RAM as cleartext.  It's all hexadecimal.  Before it gets converted into hexadecimal, i'm not sure, probably C, assembly, then machine code.  I'm just guessing though, google How does the PHP interpreter work for better information.

If an attacker can access the values in RAM, you're already compromised.  As Jessica has stated, them dumping out your RAM is the least of your worries. They have access to your machine and file system.  But to answer your question, I'm almost certain your code is not stored in RAM as cleartext.  It's all hexadecimal.  Before it gets converted into hexadecimal, i'm not sure, probably C, assembly, then machine code.  I'm just guessing though, google How does the PHP interpreter work for better information.

 

Well... I know what data in RAM looks like, in general... For example, if I open a text file using gedit on Ubuntu, I can run the hexdump command, and I get something like this

 

OK... here is the command I use to dump RAM...

 

sudo dd if=/dev/mem | hexdump -C > output.txt

And here is a sample of the output...

 

00057f40  00 00 00 00 b6 00 00 00  68 00 74 00 74 00 70 00  |........h.t.t.p.|

00057f50  3a 00 2f 00 2f 00 66 00  6f 00 72 00 75 00 6d 00  |:././.f.o.r.u.m.|

00057f60  73 00 2e 00 70 00 68 00  70 00 66 00 72 00 65 00  |s...p.h.p.f.r.e.|

00057f70  61 00 6b 00 73 00 2e 00  63 00 6f 00 6d 00 2f 00  |a.k.s...c.o.m./.|

00057f80  69 00 6e 00 64 00 65 00  78 00 2e 00 70 00 68 00  |i.n.d.e.x...p.h.|

00057f90  70 00 3f 00 61 00 70 00  70 00 3d 00 66 00 6f 00  |p.?.a.p.p.=.f.o.|

00057fa0  72 00 75 00 6d 00 73 00  26 00 6d 00 6f 00 64 00  |r.u.m.s.&.m.o.d.|

00057fb0  75 00 6c 00 65 00 3d 00  70 00 6f 00 73 00 74 00  |u.l.e.=.p.o.s.t.|

00057fc0  26 00 73 00 65 00 63 00  74 00 69 00 6f 00 6e 00  |&.s.e.c.t.i.o.n.|

00057fd0  3d 00 70 00 6f 00 73 00  74 00 26 00 64 00 6f 00  |=.p.o.s.t.&.d.o.|

00057fe0  3d 00 6e 00 65 00 77 00  5f 00 70 00 6f 00 73 00  |=.n.e.w._.p.o.s.|

00057ff0  74 00 26 00 66 00 3d 00  31 00 33 00 00 00 00 00  |t.&.f.=.1.3.....|

 

So... interestingly enough, Firefox seems to have stored some info, from this very thread that I am posting in right now.... So actually, no, Jessica, it does not look like 1s and 0s.... the Hexdump command actually gives you the real data from RAM....

 

And so... I really just want to know if PHP would store things, like, the password, in a readable format, in the same way that the URL PHPFreaks is readable in the dump I posted above...

 

Thanks

Edited by KingNeil

If an attacker can access the values in RAM, you're already compromised.  As Jessica has stated, them dumping out your RAM is the least of your worries. They have access to your machine and file system.  But to answer your question, I'm almost certain your code is not stored in RAM as cleartext.  It's all hexadecimal.  Before it gets converted into hexadecimal, i'm not sure, probably C, assembly, then machine code.  I'm just guessing though, google How does the PHP interpreter work for better information.

 

No, the data itself is stored base 2, the address itself is hexadecimal.

So actually, no, Jessica, it does not look like 1s and 0s....

I never said it did. You're being rather rude and demanding. You can't even read the replies?

 

However - you want to know what the command you run would show you with your own code - JUST DO IT FFS.

I never said it did. You're being rather rude and demanding. You can't even read the replies?

 

However - you want to know what the command you run would show you with your own code - JUST DO IT FFS.

 

Yeah... but the problem is.. Linux only allows you to extract 1MB at a time of RAM... I should have mentioned that... Like... for security reasons, the Linux kernel is compiled these days to only allow you to extract 1MB at a time with this command..

 

So, see.... I don't know where PHP is going to store its file... Like.... It may store it mid-way somewhere in the RAM, and thus, my command wouldn't show the info.... Do you see what I'm saying.? Sorry if I'm coming across as rude.... I love it that everyone is helping me for free... I'm not trying to be rude at all...

 

OK... here is the information on the hexdump command, regarding the 1MB thing...

 

http://www.rootninja.com/using-dd-to-search-for-strings-in-memory-or-devices/

 

if your kernel was compiled with STRICT_DEVMEM=y (see e.g. /boot/config-KERNELVERSION) then only the first 1MB is read from /dev/mem . This isn’t so much a kernel version issue, as a result of how your own machine’s kernel was compiled; most distro kernels will have this restriction in place for good reason.

 

You can download and insmod the forensic kernel module fmem to work around this; at your own risk! rmmod it as soon as possible afterwards. The fmem module provides a /dev/fmem device without any security restrictions.

Edited by KingNeil

There are other methods in which you can dump your RAM to disk, quite easily too. Even if /dev/mem only shows 1 MB.

Also, PHP is not responsible for where stuff gets saved in the RAM, that's the OS' job. A job which it does at random, to prevent attackers from targeting specific applications with the aforementioned buffer attacks.

 

However, dumping /dev/mem requires root permissions, at which point the whole security issue becomes moot. Root trumps all. Period. Which is what people have tried to tell you.

This is like trying to figure out how to lock the window in your attic, in a three story house, when you've just had a hurricane blow out all of the windows and doors in the rest of your house.

Edited by Christian F.

Personally, I agree with Jessica, if someone can access your RAM then this discussion is pointless. That person could implement a type of man in the middle attack to get the password before it is even stored in memory. If someone has access to query the memory on the machine, then they could just as easily modify the PHP files to display/store the password where they can get at it. But, you already stated the PW is stored in a file, so it would be a heck of a lot easier for that malicious user to get the PW there rather than interrogating the memory space.

 

But, for the sake of argument, take a look at this post: http://stackoverflow.com/questions/7244395/how-to-overwrite-php-memory-for-security-reason

Edited by Psycho

There are other methods in which you can dump your RAM to disk, quite easily too. Even if /dev/mem only shows 1 MB.

Also, PHP is not responsible for where stuff gets saved in the RAM, that's the OS' job. A job which it does at random, to prevent attackers from targeting specific applications with the aforementioned buffer attacks.

 

However, dumping /dev/mem requires root permissions, at which point the whole security issue becomes moot. Root trumps all. Period. Which is what people have tried to tell you.

This is like trying to figure out how to lock the window in your attic, in a three story house, when you've just had a hurricane blow out all of the windows and doors in the rest of your house.

 

First of all, you say other methods can be used other than /dev/mem... but then you didn't mention them...

 

Also.... of course I understand everyone's point about root access making the security moot... but you see.... I have my reasons for this.... OK.... you see... what if, I had a system, whch doesn't store any data at all..? OK... My system boots from a Ubuntu live disc, which is stored on a CD-R, so the OS can't even be overwritten, because, the next time it boots, it's booting from the very same CD-R, which can't be overwitten, because it's not CD-RW.

 

And then... as I've mentioned in this thread.. I use this randomly-generated password, in order to encrypt files, downloaded over the Internet, via the Tor anonymity browser.... and then... the PHP file writes the file to disk, using OpenSSL to encrypt it first.... and so... there are never any clear text files ever stored on the system...

 

Do you see what I am saying..? Like.. it wouldn't matter if someone had root access, because there isn't any data on the system in the first place...? The worst thing they could do is... deliberately shut down the computer, just to mess with me, for fun/annoyance.. Like... little pranks etc, but then, I could even write the OS so it doesn't allow shutdowns without me physically taking out the power cord on my machine...

 

Like... as I've noted in this thread, I am working on my own security software..... And so, I always make the assumption, like Wikileaks founder Julian Assange said, that if your computer is even connected to the Internet at all, then a good hacker could get into your system.... And thus, I always assume that my internet-computers ARE hacked.... And thus, I figured, just assume that it's hacked, but so long as everything on there is encrypted, then it's irrelevant, because AES-256 is the strongest encryption that we know of (unless the NSA can secretly crack it with quantum computers lol)... and thus.... it's OK if it's all hacked, because you can just encrypt everything on it, meaning, all that a hacker could ever retrieve is encrypted AES files...

 

And so.... this is why my original question was about getting the contents of RAM.. because, if you ever studied the documentation for TrueCrypt, it says, the only weakness is, the decryption key is stored in RAM... and thus, I was wondering what PHP does in RAM, in order to figure out if a hacker could retrieve the password for RAM.....

 

OK... I didn't want to have to type out all the specifics of what I was doing, but now I have... and of course, I'm now open to critique about why my software isn't going to work... So yeah :)

 

OK.. so.. according to this thread, they are saying... just overwrite the variables, and then, they are gone with RAM... or.. go even further, and max out the PHP memory limit, of, say, 8MB by defaut on an Apache installation... like, write 8MB of junk data, and then it fills up the whole file, and thus, it's all purged from memory....

 

I guess that's a decent idea, and I thought about doing that... but then, it's like... it would take quite a while to generate 8MB worth of data, which might slow things down..., but yeah... I had thought of this solutiton... of padding out the file with junk data, and then it's all purged from RAM... I guess I'll just end up doing that, to be extra safe....

 

However, reading the Stack Overflow thread, someone said PHP strings are immutable, which, according to Wikipedia, means, it can't be changed after being written, so, it's never going to be purged from memory..? I'm not sure if that's true... Can anyone confirm or deny..?

 

It is almost like trying to fight back against people, by waiving your arms around in a pitch black room though... I mean... It would be really awesome if I could get a full RAM dump greater than 1MB, so I could see exactly what the PHP file looks like, but then again, it might be scrambled, so I wouldn't even be able to find it in the first place... so yeah... I guess I'll just have to fill the file with junk data and cross fingers, hope for the best lol... I mean... I'm trying to write a secure piece of software here, so I'd ideally like to be scientific and actually be able to see it in RAM... but lol.... I dunno.... Christian F said there were other methods, to get more than 1MB of RAM... so Christan, please let me know how.... although, remember, I said I'm booting this from a live disc, so, if it requires re-booting, it's useless, because RAM is wiped after a restart, obviously.

Edited by KingNeil

 

If you can't be bothered to do a little of your own research (ie, google it at least before demanding Christian answer you), what makes you think you're qualified to write "security software"?

 

This thread is getting a bit bitter now... lol... I dunno... You look quite pretty from your profile pic, Jessica... why so hostile..? lol...

 

Anyway... I get the basic idea here... The StackOverflow thread is full of people who are basically not sure... If you read the StackOverflow thread.. it's like... MAYBE this will overwrite the RAM, maybe this will overwrite the variable.... so... see.... Jessica... the only reason I asked... is not because I can't be "bothered" to research it... it's because the people in the thread itself are unsure themselves... Like, this is quite a niche area.... and so, no one seems to really know....

 

So yeah.. lol.. It's going to take a bit more research, and because I have no access to the full RAM, and I can't figure out the other methods that Christian said (hence, I have actually searched it, but I couldn't find the answer)

 

So... anyway, this is basically a minor point... Hopefully someone pops into this thread and answers it... but if not, then I can put this aspect of my software aside while I work on other parts.... In case you're interested, it's going to be software that does encrypted emails, phone calls, text messages, web browsing URLs, and website logins... PHP is only one of the languages used... but yeah...

 

So, nice talking to you all, and sorry if I offended anyone... lol :)

Edited by KingNeil

If you searched for it, you did a really poor job if you weren't able to find anything. Considering how easy it is.

 

When it comes to how PHP handles it memory, it sounds like you need to study garbage collectors in general, and how PHP implements it in particular. Not to mention how operating systems allocate, and de-allocate, memory. You also got to learn C, so that you can hack at the PHP code, seeing as you can't change the behaviour of PHP with PHP code: You'll need to edit the source code for that.

All in all, you have lots (not just a bit) to learn about security with regards to memory management, before you can go about mucking about with it. If you don't have 100% control over what you do, you are liable to actually add security flaws rather than fixing any (perceived) flaws.

 

Also, encrypting your disk doesn't do squat against someone who breaks into your computer. What disk encryption is good for, is in case people run off with your disk (or computer) and try to gain access to it from another system (or after the computer has been shut down).

If the disk is mounted on the system, and someone gains access to said system, they also (naturally enough) gain full access to the disk as well. Especially if they have root.

Edited by Christian F.

Well, Christian, you didn't link to how to dump RAM, just search engine searches for how to do it, which I obviously already searched for. Plus, I'm not encrypting the whole disk, but rather, files on it.. Plus, the files themselves aren't even stored on the disk, but an external USB, as I said.... but hey, don't bother reading what I actually typed.. just link me to a Google search.. lol...

 

Anyway, unless someone has the solution, then there's no point adding any more to this thread... I'll leave the thread here... lol

Jeez... Talk about being ungrateful. I'm not here to do the research for you, I gave you a starting point the rest is up to you. I even verified that the results contained the knowledge you asked for, all of this for free, to be kind.

What do I get back for it? "It's not good enough, do it for me" basically.

 

If you want me to do it for you, then I can. I, like Jessica, only charge about $100 per hour for jobs like this.

Jeez... Talk about being ungrateful. I'm not here to do the research for you, I gave you a starting point the rest is up to you. I even verified that the results contained the knowledge you asked for, all of this for free, to be kind.

What do I get back for it? "It's not good enough, do it for me" basically.

 

If you want me to do it for you, then I can. I, like Jessica, only charge about $100 per hour for jobs like this.

 

Only $100? Pff I charge $350. :P

(1) how does PHP store variables in RAM?

If the value exists in a variable, it will be available in "clear text" in memory.

(2) if PHP does store it openly, what is the best way of wiping it...?

You'll need to use that part of memory again. How you do that is far beyond the realm of a PHP support forum.

Would over-writing the password variable with some junk.. manage to erase it from RAM..? Or... would I have to use some kind of PHP "flush" command...?

Overwriting the variable, over even unset()-ing it, will not help. I don't know what you mean by "some kind of PHP "flush" command".

 

Summary

 

Yes, the value is visible in plain text.

 

Personally, I wouldn't worry about it: if an attacker can run something to read your PHP script's memory, they've already got privileged access to the machine.

  • Solution

PHP does not provide the necessary tools to ensure you remove data from RAM. The only way to ensure a piece of data is removed is to re-write that memory location with a new value. With PHP re-writing a variable would most likely just allocate a new memory slot while leaving the old one intact (just unreferenced).

 

For that level of control you need to use different language. C or C++ for example would let you re-write the memory where a value is stored. An alternative would be to develop an extension to PHP that offers a secure-erase function. There might be one that I don't know about, you could try doing some research.

Thank you to salathe and kicken....

 

You have both answered my question precisely....

 

The point is... PHP isn't going to purge it, and I'd need a different programming language.. OK.... Fine

 

What if I used the Ubuntu program, SDMEM (otherwise known as SMEM), which wipes the RAM, using multiple wipes..?

 

But yeah, this is starting to go beyond the scope of a PHP forum, so thank you very much.... I will consider this thread solved. Thanks.

Edited by KingNeil
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.