6

I am writing a .NET (C#) Windows application to store user passwords in it, like KeePass, LastPass, RoboForm etc.

To process the user data I have to keep it in memory; this data also contains the user's passwords.

Now my questions are:

  1. Can someone read the memory data using some tool or memory dump?
  2. If yes, then how? Can someone share such a tool? I tried with CurrProcess, HeapViewer, Process Explorer and ProcessView but can't find any private data in the memory dump.
  3. Do I need to learn something else to ensure the protection of in-memory passwords?

Thanks

Mubashar

5 Answers

9

You are correct in your concerns: strings in memory are not safe.

You're probably looking for the SecureString class.

Kobi
8

If you're concerned about someone snooping the RAM for passwords, then you have more significant issues. If a malicious user has access to the RAM, then it is trivial to drop a keylogger onto the machine, or to bypass where the keys are used in software, or to intercept the keys once they are decrypted, etc.

The general rule is: if someone has access to the machine, then it's game over, security-wise.

PaulG
  • 2
    -1 First, this does not answer the OP's question in any way, and your scenario is only one possibility. There can still be a bug in the application which allows an attacker to read (random) memory. SecureString is perfectly valid for such a case, as you can release it as soon as you don't need the object. With strings you can't. Other cases may be sensitive information like credit card info when your webpage or application crashes and a memory dump is created (i.e. the OS crashes and you submit the dump for the developer to track it down). With strings, you have now also sent very sensitive information away. – Tseng May 19 '14 at 13:50
  • 1
    @Tseng. The questioner asked how he can protect a password from someone using tools that directly access memory. My answer (which I stand behind) says if an attacker can access memory, then there is nothing you can do. SecureString may help in some rare cases, but it absolutely does not solve the issue. In your scenario the memory dump could be taken when sensitive information is in plain text. – PaulG May 21 '14 at 10:48
  • "1. Can someone read the Memory Data using some tool or **memory dump**?" explicitly includes memory dumps, which can also happen when your OS crashes and the dump is submitted. – Tseng May 21 '14 at 19:59
  • Although you have a point, valid scenarios exist where this can be a concern. Freezing memory can make it possible to recover data from it after a power-down (after which you can restart with your own kernel). – Martijn Otto Dec 01 '15 at 08:27
4

Yes, there exist tools that capture all physical memory (and pagefile) for further investigation. They are called "forensic" and you can find some by adding this keyword to your searches. If you want to capture memory in your code (i.e. write such program yourself), this is possible using our RawDisk product.

As for protecting your passwords, Kobi mentioned the SecureString class, which is supposed to securely store strings in memory. While this class is not 100% protection (the password is decrypted anyway when you use it), it makes password capture much less likely.

Eugene Mayevski 'Callback
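Added example, not code from any answer in this thread: it ties Kobi's SecureString suggestion to Eugene's caveat that the password is decrypted whenever it is used. It reads a master password into a SecureString without ever creating a managed string, derives a key from it with PBKDF2 over a briefly decrypted copy, and wipes both the unmanaged and the managed plaintext buffers afterwards. The class and method names are my own; the APIs are the standard .NET BCL ones.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
static class SecurePasswordDemo
{
    // Read keystrokes straight into the SecureString so no managed System.String
    // copy of the whole password is ever created (a String can never be wiped).
    static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (k.Key == ConsoleKey.Backspace && secure.Length > 0)
                secure.RemoveAt(secure.Length - 1);
            else if (!char.IsControl(k.KeyChar))
                secure.AppendChar(k.KeyChar);
        }
        secure.MakeReadOnly();
        return secure;
    }
    // PBKDF2 over the password. Plaintext exists only inside this method (unmanaged buffer
    // and 'utf16'), both wiped in 'finally'; the GC may still leave a stale copy of 'utf16'.
    static byte[] DeriveKey(SecureString secure, byte[] salt, int iterations)
    {
        IntPtr ptr = IntPtr.Zero;
        byte[] utf16 = new byte[secure.Length * 2];
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            Marshal.Copy(ptr, utf16, 0, utf16.Length);
            using (var kdf = new Rfc2898DeriveBytes(utf16, salt, iterations))
                return kdf.GetBytes(32);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
            Array.Clear(utf16, 0, utf16.Length);
        }
    }
    static void Main()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Console.Write("Master password: ");
        using (SecureString pwd = ReadPassword())
            Console.WriteLine("\nDerived " + DeriveKey(pwd, salt, 100000).Length + "-byte key.");
    }
}
```

The window in which the plaintext is readable from a memory dump is the body of DeriveKey; a managed array can be relocated by the garbage collector before Array.Clear runs, which is the residual risk Eugene's answer points at.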
1

I'd suggest exploring the source code of KeePass (version 2.xx). It is written in .NET, and it deals with the same issues you're concerned about.

darioo
1

My experience is limited in security, but I hope that this will be helpful:

  1. Yes, it's possible.
  2. You can use WinDbg + SOS to get almost anything you want from an object's internal representation.
  3. There is a special class called SecureString in the BCL that should fit your needs.
VoteCoffee
Andrey Taptunov