|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
System.String vs SecureStringI have three questions for my thesis (diploma) presentation: 1. Why is there no effective way to clear out a System.String object from the memory? Why can't a System.String object be programmatically scheduled for garbage collection? 2. When I convert a SecureString to a System.String object with Marshal.SecureStringToBSTR and zero-out the pointer with Marshal.ZeroFreeBSTR, how secure is the converted System.String object? Can this converted System.String object also not be deleted from memory from the GC? 3. How can an attacker read the managed memory (heap)? Which tool can be used for this attack? Where can I find more detailed (technical) informations? Thanks, andersch Scan the blog of Shawn Fa (http://blogs.msdn.com/shawnfa/rss.xml).
He has some entries on these matters. -- Show quoteHide quotergds. /Claus Konrad "andersch" wrote: > Hi > > I have three questions for my thesis (diploma) presentation: > > 1. Why is there no effective way to clear out a System.String object from > the memory? Why can't a System.String object be programmatically scheduled > for garbage collection? > > 2. When I convert a SecureString to a System.String object with > Marshal.SecureStringToBSTR and zero-out the pointer with > Marshal.ZeroFreeBSTR, how secure is the converted System.String object? Can > this converted System.String object also not be deleted from memory from the > GC? > > 3. How can an attacker read the managed memory (heap)? Which tool can be > used for this attack? > > > Where can I find more detailed (technical) informations? > > Thanks, > andersch Hi
Thanks for your input, but I can't find an answer to my questions. :-( Show quoteHide quote "Claus Konrad" wrote: > Scan the blog of Shawn Fa (http://blogs.msdn.com/shawnfa/rss.xml). > He has some entries on these matters. > -- > rgds. > /Claus Konrad > > > "andersch" wrote: > > > Hi > > > > I have three questions for my thesis (diploma) presentation: > > > > 1. Why is there no effective way to clear out a System.String object from > > the memory? Why can't a System.String object be programmatically scheduled > > for garbage collection? > > > > 2. When I convert a SecureString to a System.String object with > > Marshal.SecureStringToBSTR and zero-out the pointer with > > Marshal.ZeroFreeBSTR, how secure is the converted System.String object? Can > > this converted System.String object also not be deleted from memory from the > > GC? > > > > 3. How can an attacker read the managed memory (heap)? Which tool can be > > used for this attack? > > > > > > Where can I find more detailed (technical) informations? > > > > Thanks, > > andersch hi,
1. strings are immutable. everytime you touch a string, a new copy gets created - that scatters copies of the string around in memory. Even if the GC "collects" - that does not guarantee the memory is zeroed out - just that the memory is marked as free. 2. thats a plain string - no protection at all. 3. a normal debugger will do. SecureString only makes sense if there are APIs that use it. ATM there are two classes in 2.0 that make use of it, Process.Start and X509Certificate2 - i want to see a SqlConnection class and similar supporting SecureString. HTH --- Dominick Baier, DevelopMentor http://www.leastprivilege.com Show quoteHide quote > Hi > > I have three questions for my thesis (diploma) presentation: > > 1. Why is there no effective way to clear out a System.String object > from the memory? Why can't a System.String object be programmatically > scheduled for garbage collection? > > 2. When I convert a SecureString to a System.String object with > Marshal.SecureStringToBSTR and zero-out the pointer with > Marshal.ZeroFreeBSTR, how secure is the converted System.String > object? Can this converted System.String object also not be deleted > from memory from the GC? > > 3. How can an attacker read the managed memory (heap)? Which tool can > be used for this attack? > > Where can I find more detailed (technical) informations? > > Thanks, > andersch Secure string seems to be a big waste of time. It can be seen with just a
little more effor then a normal string. So I currently don't get it. http://acorns.com.au/cs/blogs/parallelthinking/archive/2006/10/26/Hawkeye_See_SecureString.aspx -- Show quoteHide quoteWilliam Stacey [C# MVP] "andersch" <andersch@newsgroups.nospam> wrote in message news:BB23069D-DC48-4370-895A-2B9EE50121AD@microsoft.com... | Hi | | I have three questions for my thesis (diploma) presentation: | | 1. Why is there no effective way to clear out a System.String object from | the memory? Why can't a System.String object be programmatically scheduled | for garbage collection? | | 2. When I convert a SecureString to a System.String object with | Marshal.SecureStringToBSTR and zero-out the pointer with | Marshal.ZeroFreeBSTR, how secure is the converted System.String object? Can | this converted System.String object also not be deleted from memory from the | GC? | | 3. How can an attacker read the managed memory (heap)? Which tool can be | used for this attack? | | | Where can I find more detailed (technical) informations? | | Thanks, | andersch William,
I guess that this Hawkeye tool is able to decrypt the contents of the SecureString because it's running under the same process context (like a debugger). This allows Hawkeye to call CryptUnprotectMemory for the contents of the SecureString to retrieve its value. If it were running under a different process context, this call would fail. Typically, a program doesn't have the permission to attach itself to another process like that, so the scenario you're describing is actually a very particular case that shouldn't occur in production environments. I don't see it as a counterargument for the existence of the SecureString class. Regards, Pieter Philippaerts Show quoteHide quote "William Stacey [C# MVP]" <william.sta***@gmail.com> wrote > Secure string seems to be a big waste of time. It can be seen with just a > little more effor then a normal string. So I currently don't get it. > http://acorns.com.au/cs/blogs/parallelthinking/archive/2006/10/26/Hawkeye_See_SecureString.aspx > > -- > William Stacey [C# MVP] Hi,
you are right - but it also show that SecureString is not a panacea to all "keeping secrets needs" - as soon someone runs in the same logon session or can attach a debugger - you are hosed anyway.. The main purpose of secure string is to minimize clear text exposure of secrets in memory and to make it hard (to impossible) to recover them from crashdumps/page files. If the above attacks are part of your threat model - SecureString is valuable. --- Dominick Baier, DevelopMentor http://www.leastprivilege.com Show quoteHide quote > William, > I guess that this Hawkeye tool is able to decrypt the contents of the > SecureString because it's running under the same process context (like > a > debugger). This allows Hawkeye to call CryptUnprotectMemory for the > contents > of the SecureString to retrieve its value. If it were running under a > different process context, this call would fail. > Typically, a program doesn't have the permission to attach itself to > another > process like that, so the scenario you're describing is actually a > very > particular case that shouldn't occur in production environments. I > don't see > it as a counterargument for the existence of the SecureString class. > Regards, > Pieter Philippaerts > "William Stacey [C# MVP]" <william.sta***@gmail.com> wrote > >> Secure string seems to be a big waste of time. It can be seen with >> just a little more effor then a normal string. So I currently don't >> get it. >> http://acorns.com.au/cs/blogs/parallelthinking/archive/2006/10/26/Haw >> keye_See_SecureString.aspx >> >> -- William Stacey [C# MVP] >> As Dominick is saying, the SecureString is the answer to some of the
questions regarding security. However not to all of them. Now, considering there are two main usage scenarios: 1. web-apps: why would you use SecureStrings at all? You consider your environment safe by default, so SS don't give you any extra security. 2. smart clients: any SS can be reversed. A very big difference between Hawkeye and a debugger is that in order to use a debugger you need debug privileges, which a normal user does not have. Hawkeye can run and give you the SS when run in the context of a simple user (not even power user). I would still use SS. As it was specified on a blog, a hacker needs to have good understanding of your application in order to be able to find the string inside your application. The whole point of this tool was to make people more aware of security and the ways it can be bypassed. I dont' consider it a "hackers' tool" but more a "developers' best tool". Corneliu. Show quoteHide quote "Dominick Baier" wrote: > Hi, > > you are right - but it also show that SecureString is not a panacea to all > "keeping secrets needs" - as soon someone runs in the same logon session > or can attach a debugger - you are hosed anyway.. > > The main purpose of secure string is to minimize clear text exposure of secrets > in memory and to make it hard (to impossible) to recover them from crashdumps/page > files. > > If the above attacks are part of your threat model - SecureString is valuable. > > --- > Dominick Baier, DevelopMentor > http://www.leastprivilege.com > > > William, > > I guess that this Hawkeye tool is able to decrypt the contents of the > > SecureString because it's running under the same process context (like > > a > > debugger). This allows Hawkeye to call CryptUnprotectMemory for the > > contents > > of the SecureString to retrieve its value. If it were running under a > > different process context, this call would fail. > > Typically, a program doesn't have the permission to attach itself to > > another > > process like that, so the scenario you're describing is actually a > > very > > particular case that shouldn't occur in production environments. I > > don't see > > it as a counterargument for the existence of the SecureString class. > > Regards, > > Pieter Philippaerts > > "William Stacey [C# MVP]" <william.sta***@gmail.com> wrote > > > >> Secure string seems to be a big waste of time. It can be seen with > >> just a little more effor then a normal string. So I currently don't > >> get it. > >> http://acorns.com.au/cs/blogs/parallelthinking/archive/2006/10/26/Haw > >> keye_See_SecureString.aspx > >> > >> -- William Stacey [C# MVP] > >> > > >  
Other interesting topics
Security problems in .Net web application
X.509 Certificate store - getting - creating certs SecurityException thrown when serializing custom exception class Question on the use of CryptoStream WinForm user authentication COM+ Security error Credentials Double Hop encryption prob How do I determine if a windows identity is authenticated to the network domain Move.file |
|||||||||||||||||||||||
