吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 4674|回复: 0
收起左侧

[分享] Who knows of the .Net Secure Strings?

[复制链接]
Hmily 发表于 2010-11-21 01:33
IDA,">Who knows of the .Net Secure Strings?

[Warning this is not new stuff - but shouldn't be overlooked if you need to secure sensitive data in your application]

Isn’t “Secure String” an oxymoron for .Net? So if we are thinking about securing some sensitive data in say C or C++
its relatively simple load it into a char array memory and encrypt it, wiping the memory out after the information has been loaded.

Now try that with .Net! From the Microsoft site:

    “A String is called immutable because its value cannot be modified once it has been created.“

So how can you destroy one? Set it to empty? Well simply put you can’t :-) . Once your string is not longer referenced,
or worse yet your object containing the string its time for the Garbage Collector to come and do its work. The problem
is if your object has been around long enough to get into Generation 1 or 2 then it is going to take a bit longer.

Hmmm so in translation if you keep a password, Credit Card, encryption key or some other sensitive text in memory as
a string you cant destroy it (think memset for us oldies!). Only the GC can free the memory for you, and you are
dependent on HOW it frees that memory. I personally don’t know for a fact if it memsets it to blank, or just dereferences
the pointer. However I would be willing to bet it is the option that requires the least amount of work and that doesn’t
bode well for controlling the exposure of our sensitive data.

Plainly that proverbially sucks!

URL

Who knows of the .NET Secure Strings.rar

81.4 KB, 下载次数: 0, 下载积分: 吾爱币 -1 CB

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-15 07:11

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表