As the brush with 2-tier apps continues, the usual recommendations to manage the memory from leakage is to overwrite it quickly once its use is over. Although, it does not prevents the leakage completely, it reduces the attack surface by a considerable extent. Fortunately, for .Net application there's a method called SecureString. This class allows you to keep string data encrypted in memory. But a few things to keep in mind. Liked the below points from a discussion from stackoverflow post:
Do you know how many times I've seen such scenarios(answer is: many!):
1.A password appears in a log file accidentally.
2.A password is being shown at somewhere - once a GUI did show a command line of application that was being run, and the command line consisted of password.
3.Using memory profiler to profile software with your colleague. Colleague sees your password in memory. Sounds unreal? Not at all.
4.Some tools such as RedGate software that could capture the "value" of local variables in case of exceptions, amazingly useful. Though, I can imagine that it will log "string passwords" accidentally.
5.A crash dump that includes string password.
Do you know how to avoid all these problems? SecureString. It generally makes sure you don't make silly mistakes as such. How does it avoid it? By making sure that password is encrypted in unmanaged memory and the real value can be only accessed when you are 90% sure what you're doing.
In the sense, SecureString works pretty easily:
1) Everything is encrypted
2) User calls AppendChar
3) Decrypt everything in UNMANAGED MEMORY and add the character
4) Encrypt everything again in UNMANAGED MEMORY.
What if user has access to your computer? Would a virus be able to get access to all the SecureStrings? Yes. All you need to do is hook yourself into RtlEncryptMemory when the memory is being decrypted, you will get the location of the unencrypted memory address, and read it out. Voila! In fact, you could make a virus that will constantly scan for usage of SecureString and log all the activities with it. I am not saying it will be easy task, but it can be done. As you can see, the "powerfulness" of SecureString is completely gone once there's a user/virus in your system.
Do you know how many times I've seen such scenarios(answer is: many!):
1.A password appears in a log file accidentally.
2.A password is being shown at somewhere - once a GUI did show a command line of application that was being run, and the command line consisted of password.
3.Using memory profiler to profile software with your colleague. Colleague sees your password in memory. Sounds unreal? Not at all.
4.Some tools such as RedGate software that could capture the "value" of local variables in case of exceptions, amazingly useful. Though, I can imagine that it will log "string passwords" accidentally.
5.A crash dump that includes string password.
Do you know how to avoid all these problems? SecureString. It generally makes sure you don't make silly mistakes as such. How does it avoid it? By making sure that password is encrypted in unmanaged memory and the real value can be only accessed when you are 90% sure what you're doing.
In the sense, SecureString works pretty easily:
1) Everything is encrypted
2) User calls AppendChar
3) Decrypt everything in UNMANAGED MEMORY and add the character
4) Encrypt everything again in UNMANAGED MEMORY.
What if user has access to your computer? Would a virus be able to get access to all the SecureStrings? Yes. All you need to do is hook yourself into RtlEncryptMemory when the memory is being decrypted, you will get the location of the unencrypted memory address, and read it out. Voila! In fact, you could make a virus that will constantly scan for usage of SecureString and log all the activities with it. I am not saying it will be easy task, but it can be done. As you can see, the "powerfulness" of SecureString is completely gone once there's a user/virus in your system.
Comments