I would like to make the contents of a file uploaded to a web server unrecoverable after it has been used. My concerns are:
When the file is uploaded, is it stored in a temporary directory (e.g. Windows Temp directory) and how do I clear all traces from there?
Can the contents of the file be written to virtual memory and how do I ensure it is not or remove the contents once written?
If I encrypt the file, would I still have to worry about the contents being saved to the Temp directory, virtual memory or elsewhere before the file was encrypted?
Can I perform a secure delete in all the locations of concern (temp, virtual memory, any others), and how do I do this?
Are there any concerns I have missed or an alternate way to achieve the stated goal?
N.B. This is an ASP.NET web application.
Edit: Thanks to djeeg for pointing out a link on how to relocate the temp upload directory to something more controllable.
Any feedback on the other points?
To make sure that a single file can't be recovered, you can use a “file-shredding” application such as Eraser to delete it. When a file is shredded or erased, not only is it deleted, but its data is overwritten entirely, preventing other people from recovering it.
Click Delete in the File Explorer Ribbon at the top of the window, or click the arrow underneath the Delete option and select Permanently delete. Clicking Delete sends the file to the Recycle Bin, while selecting the Permanently delete option deletes the file for good.
Right-click on the Recycle Bin and choose "Properties". Select the drive for which you want to delete the data permanently. Check the option "Don't move files to the Recycle Bin. Remove files immediately when deleted." Then, click "Apply" and "OK" to save the settings.
You can let a wipe utility do the job for you.
If you are running ASP.NET on Mono/Linux, you can use the wipe command via the Process class (ensure that the wipe package is installed).
If you run Windows, the approach is the same. Use a wipe.exe utility that performs a hard cleanup when you need to safely dispose of the file.
I found this website that distributes a free wipe.exe, which is not included in the standard Windows installation (too bad).
The second way is to implement the Gutmann algorithm, but I think it's cheaper to use someone else's code.
Bear in mind that wipe is very I/O intensive; don't wait for it to complete or you may slow down your application dramatically. Also, on highly loaded websites you might experience a significant slowdown.
The SecureString class helps you leave no trace of a string in memory. But when you work with files you actually work with streams. I'm not sure whether it is worth worrying about the contents of volatile memory (even if you handle Wikileaks documents).
You must first perform a threat analysis telling you what the major threats to memory are. Here are some questions:
If the answer is not yes, you shouldn't worry about memory security.
Even if you run on Windows, let me call the paging file, virtual memory file, or whatever it is named, "swap". You might think about disabling it (be sure you have plenty of RAM) or else you might think about encrypting it (but you get a performance drop).
But again, in order for somebody to scan your swap file at runtime, he must be root, or have physical access to the shut-down server.
If data is too sensitive, I would go for disabling swap.
[Add] I'm sure that you already use SSL to upload the file, just in case you forgot some principles...
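As an added illustration of the approach in this answer (this is example code, not the answer's own, and not the code of any wipe utility), the class below does the in-process equivalent of "someone else's wipe code" and also shows how to hand the file to an external wipe command via Process without blocking the request thread. It assumes .NET Framework 4 or later (or Mono) for FileStream.Flush(true), and it assumes a wipe executable is on PATH under the name you pass in; the argument syntax of that executable is not assumed here, you must supply it. The rename-then-delete step and the 64 KB buffer size are design choices, not requirements from the page.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;

// Added example: overwrite an uploaded file in place before deleting it,
// or start an external wipe utility on it asynchronously.
public static class FileWiper
{
    // Overwrite every byte of the file with random data `passes` times,
    // forcing each pass to the disk before starting the next one, then
    // rename to a random name and delete so the original filename is gone
    // from the directory entry as well.
    public static void OverwriteAndDelete(string path, int passes = 3)
    {
        var info = new FileInfo(path);
        if (!info.Exists) return;

        long length = info.Length;
        var buffer = new byte[64 * 1024];

        using (var rng = RandomNumberGenerator.Create())
        {
            // FileOptions.WriteThrough asks the OS to bypass its write cache;
            // FileMode.Open keeps the existing length so we overwrite, not truncate.
            using (var fs = new FileStream(path, FileMode.Open, FileAccess.Write,
                                           FileShare.None, buffer.Length,
                                           FileOptions.WriteThrough))
            {
                for (int pass = 0; pass < passes; pass++)
                {
                    fs.Position = 0;
                    long remaining = length;
                    while (remaining > 0)
                    {
                        int chunk = (int)Math.Min(buffer.Length, remaining);
                        rng.GetBytes(buffer);
                        fs.Write(buffer, 0, chunk);
                        remaining -= chunk;
                    }
                    fs.Flush(true); // flushToDisk: push this pass through to the device
                }
            }
        }

        string dir = Path.GetDirectoryName(path) ?? ".";
        string scratch = Path.Combine(dir, Path.GetRandomFileName());
        File.Move(path, scratch);
        File.Delete(scratch);
    }

    // Start an external wipe utility (e.g. "wipe" on Linux, "wipe.exe" on
    // Windows; both assumed to be on PATH) and return immediately, so the
    // I/O-heavy work does not hold up the web request. `argumentsFormat`
    // is the utility's own syntax with {0} where the quoted path goes,
    // because the flags differ between utilities.
    public static Process StartExternalWipe(string wipeExecutable,
                                            string argumentsFormat,
                                            string path)
    {
        var psi = new ProcessStartInfo
        {
            FileName = wipeExecutable,
            Arguments = string.Format(argumentsFormat, "\"" + path + "\""),
            UseShellExecute = false,
            CreateNoWindow = true,
        };
        // The caller may attach an Exited handler or simply let it run.
        return Process.Start(psi);
    }
}
```

Two caveats a practitioner would want stated: overwriting in place only reaches the blocks currently mapped to the file on a classic filesystem; it does not reach journal copies, copy-on-write snapshots, Volume Shadow Copies, SSD wear-levelled blocks, the slack space past the file's last byte, or the request buffer and paging file the question asks about, so it complements rather than replaces relocating the upload temp directory and deciding what to do with swap. And because StartExternalWipe returns before the wipe finishes, the file still exists for a while after the request completes; do not report success to the user until the process has exited.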