Are .NET Caches Secure from Memory Dumps etc?

WebDev01 wrote:

I'm curious to know if sensitive data I store in, for example, the HttpApplicationState, is safe from being obtained by non-authorised users? If it is not safe, how does one go about accessing the information? Mini-dump to examine stacks and heaps etc?

Basically I use the registry to store encryption keys which I then AES key wrap with a KEK (Key Encryption Key). This is quite an expensive operation so I get my .NET application to grab all the keys, unwrap them and store them in clear text in the HttpApplicationState. This got me worrying about how secure they were in memory, having gone to so much trouble to secure them in the registry then storing them in cleartext in memory potentially exposed???

Any comments much appreciated.

"Dominick Baier [DevelopMentor]" wrote:

Hello WebDev01,

They are stored in memory, and potentially swapped to disk.

If someone can attach a debugger to the worker process he can grab them from memory...

and there is nothing you can do about it.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

WebDev01 wrote:

Thanks for your reply. The app resides on a locked down and hardened OS so I will try to further reduce the risk of a debugger being installed somehow ... I've decided to store the variables not in clear text but encoded (a little XOR here and there etc) to at least make it difficult to ascertain the type of data being stored ... a little obfuscation ... someone would have to reverse engineer the assemblies and work out how it works ... (assuming they get that far) I'll try my best to reduce the risk.
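A stronger option than XOR obfuscation for the situation in this thread is the .NET Framework's DPAPI-backed ProtectedMemory class (System.Security.dll, Windows only): the unwrapped keys stay encrypted in the worker process and are decrypted only for the duration of one crypto operation. The following is an added example, not code from the thread; the InMemoryKey class, its Use method and EncryptCbc are hypothetical names chosen for this illustration.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper (added example, not from the thread): keeps an unwrapped AES key DPAPI-encrypted
// in the worker process and hands out the plaintext only inside one callback. Windows/.NET Framework only.
public sealed class InMemoryKey
{
    private readonly byte[] _protectedKey; // ciphertext: this is what you park in HttpApplicationState
    private readonly int _keyLength;       // real key length; buffer is padded to a 16-byte multiple

    public InMemoryKey(byte[] unwrappedKey)
    {
        _keyLength = unwrappedKey.Length;
        int padded = (_keyLength + 15) / 16 * 16; // ProtectedMemory requires a multiple of 16 bytes
        _protectedKey = new byte[padded];
        Buffer.BlockCopy(unwrappedKey, 0, _protectedKey, 0, _keyLength);
        // Encrypts in place with a key the OS holds for this process (CryptProtectMemory underneath).
        ProtectedMemory.Protect(_protectedKey, MemoryProtectionScope.SameProcess);
        Array.Clear(unwrappedKey, 0, unwrappedKey.Length); // caller's plaintext copy is no longer needed
    }

    // Runs 'use' with the clear key, then zeroes every plaintext copy this method made. While 'use'
    // executes the key IS readable by anyone who can attach to the process, and Array.Clear cannot
    // reach stale copies a compacting GC may have left behind: this narrows the window, not closes it.
    public T Use<T>(Func<byte[], T> use)
    {
        byte[] scratch = (byte[])_protectedKey.Clone();
        byte[] key = new byte[_keyLength];
        try
        {
            ProtectedMemory.Unprotect(scratch, MemoryProtectionScope.SameProcess);
            Buffer.BlockCopy(scratch, 0, key, 0, _keyLength);
            return use(key);
        }
        finally
        {
            Array.Clear(scratch, 0, scratch.Length);
            Array.Clear(key, 0, key.Length);
        }
    }

    // Example use: one CBC encryption with the key never left in the clear in application state.
    public static byte[] EncryptCbc(InMemoryKey appKey, byte[] iv, byte[] plaintext)
    {
        return appKey.Use(key =>
        {
            using (RijndaelManaged aes = new RijndaelManaged())
            using (ICryptoTransform enc = aes.CreateEncryptor(key, iv))
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        });
    }
}
```

Unprotect only works inside the same process, so the cache has to be rebuilt from the registry after a worker process recycle. A local administrator who can attach a debugger or read the pagefile can still recover the key during the Use window, which is exactly the limit Dominick describes.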