3

I'm currently looking into reliability features and exception handling of C# / .NET

These are especially the HandleProcessCorruptedStateExceptions attribute and CER s with PrepareConstrainedRegions.

Now I was reading the reference source code of the SecureString class, as this is a place where it is highly security critical to keep data encrypted even in exceptional situations, and found places similar like this:

[HandleProcessCorruptedStateExceptions]
//...

    RuntimeHelpers.PrepareConstrainedRegions();
    try
    {
        Unprotect();
        // ...
    }
    catch(Exception)
    {
        Protect();
        throw;
    }
    finally
    {
        Protect();
        // ...
    }

What is the reason for the catch block? Isn't the finally block sufficient to re-protect data?

Or could those corrupted state exceptions only affect catch and terminate the application afterwards?

ordag
  • 2,497
  • 5
  • 26
  • 35
  • Without the `finally` block, if no exception is thrown, `Protect()` is never called. (Unless it's called at the end of the `try` block but you omitted the line.) – millimoose Jan 23 '12 at 14:51
  • 3
    Right, but what about without the `catch`, which is the question. – George Duckett Jan 23 '12 at 14:53
  • In case of exception, I suppose `Protect` is actually called twice (catch and finally) - I wonder if that makes a difference somehow.. – Blorgbeard Jan 23 '12 at 20:05
  • @Blorgbeard Those multiple `Protect`s don't do something special. _(The second doesn't do anything because it knows it is already in a protected state)_ – ordag Jan 24 '12 at 10:25
  • this is the answer https://stackoverflow.com/a/62843347/1704458 – T.S. Jul 10 '20 at 22:57

2 Answers2

1

Code duplication in catch block is needed because of security breach in exception filtering feature (not provided by C#, but Visual Basic and others offer it). It allows malicious user to execute their code in your try-catch-finally block, after exception is caught and before finally block is executed.

Threat looks like this: Visual Basic user of your library causes exception after Unprotect() (even OutOfMemoryException by running out of memory), CLR finds no catch block, then CLR executes user's exception filter code, this code steals Unprotect()-ed data, and only then CLR executes Protect() in finally block.

So, put security cleanup code in both catch and finally blocks, usual cleanup stays in finally only.

anvish
  • 515
  • 7
  • 8
0

Finally blocks are almost always called, except in a few cases. See

Does the C# "finally" block ALWAYS execute? for more.

So yes, the protect is always called in the Finally.

Community
  • 1
  • 1
msarchet
  • 15,104
  • 2
  • 43
  • 66