Geek Answers Handbook

Memory Heap Security: Garbage Collection

I recently reviewed a security code for my company and used a tool called Fortify360. He will identify many problems with the code and describe the problems. The interesting problem that he raised about the fact that I did not find any other information is this:

"Sensitive data (such as passwords) stored in memory can be skipped if it is stored in a managed String. String objects are not pinned, so the garbage collector can optionally move these objects and leave several copies in memory. These objects are not encrypted. by default, so anyone who can read the process’s memory will be able to see the contents, and if the process’s memory is dumped to disk, the unencrypted contents of the string will be written to swap Finally, since String objects are immutable, deleting Nia line of memory can be performed only CLR garbage collector. The garbage collector is not required to run if no CLR is low in memory, so there is no guarantee for when garbage collection occurs. In the case of application memory dump application crashes can detect sensitive data. "

I understand all this to make sense, and in my research the problem is pretty standard.

Question: How can I solve the problem? Suppose that the class or classes in question cannot inherit from iDisposable (a very large application, and the class is required after the specified line). Is there an alternative way to manually manage memory to get rid of a specific line without calling the garbage collector, GC.Collect () ??

Appreciate the help in advance.

Alex

+7
garbage-collection security c # clr
source share
2 answers

If you want to avoid this, you need System.SecureString , which is IDisposable , to store sensitive data, holding it only for the minimum necessary time.

Paradoxically, the MSDN code example does not make the Dispose instance explicitly or using encapsulation.

+8
source share

Honestly, solving this “problem” will be more problems than it costs.

Saving user passwords in strings cannot be prevented by using technologies such as ASP.NET, unless you intend to encrypt strings on the client side before sending them, because ASP.NET will store them as strings in form collections, etc.

And if you went along the JS encryption route, note that any potential attacker will also be able to decrypt the strings that he recovered from your application.

However, if someone breaks into a web server, there is a chance that he could compromise the entire database. And this is much worse than collecting multiple passwords from a heap of a web server ...

Now, if this is not an ASP.NET application, and you have full control over how passwords are processed in code, you can take a look at SecureString . But you can still find that the minimal benefits outweigh the increased code complexity. It really depends on how bad the password leak will be, and how vulnerable your computers are to compromise in the first place. If you are not worried that any remote attacker will be able to debug your processes and receive snapshots of memory, this is really not a problem.

In short: if an attacker has the ability to extract these lines from a memory or swap , he also has the right to do things that are much worse .

+6
source share

More articles:


All Articles