Frank Drebin said:
Understood..
And if you did this:
pass = new String();
pass = "mypassword";
pass = " ";
Are you suggesting the same thing happens? In that in the above example,
there is the current version of "pass" and two old versions that are flagged
for gc? Since the memory is already allocated - why wouldn't it just change
the actual memory data??
The "pass" variable is just a reference.
The "new" operator in .NET returns a REFERENCE to the
newly-created object on the heap.
In C++, the example would be:
String* pass = new System::String("1");
pass = new System::String("2, mypassword");
pass = new System::String("3, ");
So you see, string 1 and 2 are still there, you just
got rid of your reference them.
[paraphrased, this isn't necessarily 100% accurate]
[yes, I know .NET doesn't do reference counting, but
this is just for illustration]
Behind the scenes, when the new operator is called,
it allocates the memory on the heap and creates
a new Reference object to store the pointer in.
It has some type of collection of Referers and it
gives you a Referers token.
So the "pass" value actually just contains a
referer token to the actual reference.
When the variable/token goes out of scope, or you
assign null to your variable/token, .NET will
remove your token.
This is handy because .NET can move the memory
around whenever it wants and updates the
actual pointer without affecting your code
in any way.
When there are no more referers, .NET flags
the pointer for garbage collection.
So you see, just because you no longer have
a pointer to Strings 1 and 2, it doesn't mean
no one has a pointer to it.
1, 2, and 3 all are unique objects in different
parts onthe heap and "pass" has a completely
different value in all 3 cases.
The memory of 1 and 2 is still allocated,
and even after it's garbage collected, it might
not actually get zeroed out or overwritten until
a little later.
Secondly, what is the ultimate form you need for the password and why not
get it coverted as soon as possible. For example, if the password is coming
from a textbox - sha1 hash the password into a string - then you don't have
to worry about it..
Unfortunately, this is a very complicated problem. TextBox
has a Text property of type String which has a copy of the
password.
When you get a ref of the string from which to generate
the hash, it's possible that another copy might get created.
You might end up with 1-3 copies of the string in memory
<snip>
-c
Chad Myers said:
Frank Drebin said:
What's the trouble with just overwriting it with a new value?
pass = new String();
That doesn't work. All you're doing is creating a new
String object and replacing the pointer. The old string
object is still in memory, flagged for garbage collection.
However, the garbage collector may not run for a couple
minutes and it's possible a cracker could scan and see
it before that happens.
Strings are immutable, period. There is no way to
replace the contents in a string once it is created.
The only option might be to use a value type which
keeps it on the stack only for the life of the method
in which its used. You might write your own basic
string class which works with char[] (which is also
a value type).
That way no heap memory is ever allocated and
therefore harder to track down. However, there is
always that few seconds when the password is
visible on the stack. Perhaps some clever (and ugly)
coding in the Value type for working with the
char[] would insert random characters at predefined
spaces to throw off a casual observer.
Since this is still the same variable, I don't think the app hangs
on
to old
values - since they are unretreivable at that point. Right? Are you
overthinking the problem? Or am I missing something?
The memory has not yet been overwritten. The heap memory is
still allocated and the CLR still has a reference to that
memory slot. The reference will be flagged for garbage
collection and collected/free'd at the next available
GC slot. However, it's not clear whether .NET will zero-out
the memory, or just leave it there to be overwritten
later. My guess is that it DOES NOT zero-out the memory.
Alternatively, you might use unsafe code in C# to get
a block of memory in which to store the password
while you work with (of course you have to use old-style
C string logic which is ugly) and then zero it out
yourself when you're done.
-c
Hi All!
I want to clear the string contents from sensitive information
such as passwords, and etc.
It's always a case that password will appear as string at some point
or another. And i feel uneasy leaving it hanging in memory indefinitely
(especially in case when string is Interned).
So at leats for the case when string is not interned i propose:
string pass = Console.ReadLine();
if (string.IsInterned(pass) == null)
{
unsafe
{
fixed(void* pv = pass)
{
char* pb = (char*)pv;
for(int i =0; i<pass.Length; ++i)
pb
= '0';
}
}
}
Console.WriteLine(pass);
Note: explicit RuntimeHelpers.OffsetToStringData is not needed.
What do you all think about this?
