
Accessing the CLR's interned string list

Tags: string, .net, clr

I just answered a question where I said that, while string interning is good, it can be a security problem since a string's value can be easily accessed later on.

And while I'm quite sure this is true :-) I am not sure how easy it really is. I tried googling the topic but I got no relevant results (the Google-fu is weak in this one), so now I'm trying you folks on SO.

Do you know of any "easy" way to access the list of interned strings in an app domain? Must I use memory dumps and that stuff, or is there a method like AppDomain.GetInternedStringsList()?

And related to that: how easy is it really to get any useful data from interned strings? Is it really a security hole to store sensitive data in strings?

Rune Grimstad asked Dec 23 '08 13:12


4 Answers

It's not particularly easy - but it's doable.

Basically, if you've got anything which can take a memory dump, you could find bits of memory which look like they're string objects. (In particular, they'll all have the same "pointer to type information" at the start, so if you've got a sample string, you're away.)

By the way, this has little to do with interned strings. It's not like all strings are interned - only string constants, and strings which the user explicitly interns.

Jon Skeet answered Nov 14 '22 21:11


Is it really a security hole to store sensitive data in strings?

Yes, definitely yes!

Sensitive security data should be stored using the SecureString class.

Edit:

Because even interned strings are stored in the managed heap, using a tool to dump the heap will reveal all strings in the application.

Pop Catalin answered Nov 14 '22 22:11


In a sensible application passwords are stored in character arrays so that they can be overwritten when they are not needed anymore.

Bombe answered Nov 14 '22 21:11
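
An added example, not part of any answer above: it checks Jon Skeet's point that only literals and explicitly interned strings are in the intern pool, and shows the character-array handling Bombe describes, with the buffer pinned so it can be overwritten in place. `SecretBufferDemo`, `ReadSecretInto` and `UseSecret` are hypothetical names, and the secret is a constructed sample.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

static class SecretBufferDemo
{
    // Hypothetical input routine: fills the buffer with constructed sample
    // characters. Real code reads key by key, never going through a string.
    static void ReadSecretInto(char[] buffer)
    {
        for (int i = 0; i < buffer.Length; i++) buffer[i] = (char)('a' + i % 26);
    }

    // Hypothetical consumer of the secret; stands in for a login or KDF call.
    static int UseSecret(char[] secret) => secret.Length;

    static bool IsWiped(char[] buffer) => Array.TrueForAll(buffer, c => c == '\0');

    static void Main()
    {
        // A literal is in the intern pool; a string built at run time is not,
        // unless code calls string.Intern on it. Both still live on the heap.
        string built = new StringBuilder("pw-").Append(Environment.TickCount).ToString();
        Console.WriteLine("literal interned: " + (string.IsInterned("pw-literal") != null));
        Console.WriteLine("built interned:   " + (string.IsInterned(built) != null));

        // Allocate and pin before filling, so a compacting GC cannot relocate
        // the array and leave an unwiped copy of the secret behind.
        char[] password = new char[12];
        GCHandle pin = GCHandle.Alloc(password, GCHandleType.Pinned);
        try
        {
            ReadSecretInto(password);
            Console.WriteLine("secret length: " + UseSecret(password));
        }
        finally
        {
            // A string is immutable and stays readable until the GC reclaims
            // and reuses its memory; a char[] can be overwritten right away.
            Array.Clear(password, 0, password.Length);
            pin.Free();
        }
        Console.WriteLine("wiped: " + IsWiped(password));
    }
}
```

Wiping shortens the time the secret is readable in a heap dump; it does not help if the value was also copied into a string anywhere along the way.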


Not impossible to do... although not necessarily through managed code. Anything that has access to a process dump (WinDbg / SOS / etc) will have no difficulty looking for strings.

Marc Gravell answered Nov 14 '22 22:11