Tracking confidential data in memory from my WPF application and C# libraries

I am trying to go through a couple of my C# libraries and a WPF application that uses them, and replace the text string passwords with SecureString. I need to convert SecureString back to a regular string in some places in order to interact with other libraries / web services that I have no control over, but I want to minimize the amount I make. I am also trying to follow this article on how to do this correctly. Is there an easy way to keep track of which lines end in memory from my code? I would like to know how many points of weakness, so to speak, are in my code regarding confidential data stored in text form in memory.

+3
1 answer

One thing you can verify is if your plaintext password is supported by the library by adding a weak link to it and seeing how long it takes to leave. You can check if it helps to collect a certain amount of garbage from time to time. But avoid doing forced GC in production code, especially on servers.

But this is only half the problem: it mostly depends on what other libraries do with your string. If they insert a password in some other line and store it with a link, it will be insecure in memory if you do not control it.

+2
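The check the answer describes, sketched with .NET's WeakReference (the answer's "weak link"). This is an added example, not code from the question or the answer; LeakyLogin and CleanLogin are hypothetical stand-ins for a third-party library call, and the password is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;

static class PlaintextLifetimeProbe
{
    // Hypothetical stand-ins for third-party code: one keeps the string, one does not.
    static readonly List<string> RetainedByLibrary = new List<string>();
    static void LeakyLogin(string password) => RetainedByLibrary.Add(password);
    static void CleanLogin(string password) { _ = password.Length; }

    // Unwrap the SecureString, hand the plaintext to the library, and return only a
    // weak reference. NoInlining keeps the strong local out of the caller's frame.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static WeakReference Track(SecureString secret, Action<string> libraryCall)
    {
        IntPtr bstr = Marshal.SecureStringToBSTR(secret);
        try
        {
            string plaintext = Marshal.PtrToStringBSTR(bstr); // new heap string, not interned
            libraryCall(plaintext);
            return new WeakReference(plaintext);
        }
        finally { Marshal.ZeroFreeBSTR(bstr); } // wipe the unmanaged copy
    }

    static bool StillReachable(WeakReference probe)
    {
        // Forced collection belongs in this diagnostic only, never in production code.
        GC.Collect();
        GC.WaitForPendingFinalizers();
        GC.Collect();
        return probe.IsAlive;
    }

    static void Main()
    {
        using (var secret = new SecureString())
        {
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            Console.WriteLine("LeakyLogin retains plaintext: " + StillReachable(Track(secret, LeakyLogin)));
            Console.WriteLine("CleanLogin retains plaintext: " + StillReachable(Track(secret, CleanLogin)));
        }
    }
}
```

Run it in a Release build, since Debug builds can extend the lifetime of locals and skew the result. A dead weak reference only shows that no managed reference to that exact string object remains: the characters stay in memory until the heap space is reused, and a copy the library made into another string is not detected by this probe.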

Source: https://habr.com/ru/post/1783500/

