Home > Others

. NET in-memory sensitive data protection scheme

Source: Internet
Author: User
Tags hash
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Concretely speaking,. NET metadata mechanism design, not only facilitates the realization of powerful features such as reflection, but also brings great hidden danger to code security and the security of program running. To date, no comparison of effective metadata visibility control methods has been found. Of course, this is not covered in this article. I'd rather be in this article on the target. NET's memory allocation mechanism discusses a more specific issue: how to protect sensitive data stored in memory?

Security issues caused by the hosting mechanism of string

A string is an object type that is used in code in a very high frequency. To improve the processing speed of strings and conserve memory space, Microsoft has designed a residency mechanism for the. NET string class. The approximate logical model is that most of the string is stored in a similar hash table, and the string is the key of the hash table, and the value for that key corresponds to a string's memory address. A string that has the same content is actually just the same string on the memory heap. It is said to be most, but not all, because a part of the dynamically created (concat) string is not entered into such a virtual hash table. The end of this article is attached to the string class source code, interested students can study.

This brings up the main problem that you cannot accurately control or predict the life cycle of a particular string. A sensitive data, such as a password, that is presented as a string is likely to persist in memory, but you predict that it will be garbage collected when it goes beyond the scope of a particular function. This allows the sensitive data to be saved to the local file pagefile when an operating system page change occurs, which is often possible. SYS, or when the operating system sleeps, sensitive data enters the Hiberfil.sys. A possible sensitive data disclosure process is:

Using the SecureString class

Now that string is unreliable, can we have any easy way to protect my sensitive data in particular? Luckily,. NET, starting with version 2.0, provides us with a set of solutions based on DPAPI-SecureString.

The SecureString class has the following attributes:

The content in the SecureString is after the encryption, not the plain text;

Using the encryption scheme of Windows DPAPI;

SecureString can only be used on NT based platforms

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
how to mask sensitive data in java data uri scheme discretionary data encoding scheme net err unknown url scheme padding scheme in rsa case sensitive in php php cache data in memory

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More