How To Ensure Uploaded File Contents Cannot Be Recovered After Use?

I would like to make the contents of a file uploaded to a web server unrecoverable after it has been used. My concerns are:

  1. When the file is uploaded, is it stored in a temporary directory (e.g. Windows Temp directory) and how do I clear all traces from there?

  2. Can the contents of the file be written to virtual memory and how do I ensure it is not or remove the contents once written?

  3. If I encrypt the file, would I still have to worry about the contents being saved to the Temp directory, virtual memory or elsewhere before the file was encrypted?

  4. Can I perform a secure delete in all the locations of concern (temp, virtual memory, any others) and how do I do this?

  5. Are there any concerns I have missed or an alternate way to achieve the stated goal?

N.B. This is an ASP.NET web application.

Edit: Thanks djeeg for pointing out a link on how to relocate the temp upload directory to something more controllable.

Any feedback on the other points?

Laz asked Jan 18 '11 06:01



1 Answer

Disk security

You can let a wipe utility do the job for you.

If you are running ASP.NET on Mono/Linux, you can use the wipe command via the Process class (ensure that the wipe package is installed).

If you run Windows, the approach is the same. Use a wipe.exe utility that performs hard cleanup when you need to safely dispose of the file.

I found this website that distributes a free wipe.exe, which is not included in the Windows standard installation (too bad).

The second way is to implement the Gutmann algorithm, but I think it's cheaper to use someone else's code.

Bear in mind that wipe is very I/O intensive; don't wait for it to complete or you may slow down your application dramatically. Also, on highly loaded websites you might experience a significant slowdown.

Memory security

The SecureString class helps you leave no trace of a string in memory. But when you work with files you actually work with streams. I'm not sure whether worrying about the contents of volatile memory is warranted (even if you handle Wikileaks documents).

You must first perform a threat analysis telling you what the major threats to memory are. Here are some questions:

  1. Can someone access the server with an Administrator/root account with the ability to perform a memory dump? (Regular users can't read your memory and .NET prevents buffer overrun because of pointers being unused)
  2. Can someone physically access the server? Don't you trust your hosting provider enough? Do you run a virtual server instead?

If the answer is not yes, you shouldn't worry about memory security.

Swap space security

Even if you run on Windows, let me call the paging file, or virtual memory file, or whatever, "swap". You might think about disabling it (be sure you have plenty of RAM) or, else, you might think about encrypting it (but you get a performance drop).

But again, in order for somebody to scan your swap file at runtime, he must be root, or have physical access to the shut-down server.

If data is too sensitive, I would go for disabling swap.

[Add] I'm sure that you already use SSL to upload the file, just in case you forgot some principles...

usr-local-ΕΨΗΕΛΩΝ answered Nov 15 '22 08:11
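The following is an added example, not code from the question or the answer, showing how the three pieces of advice above (overwrite before delete, delegate to wipe via Process without blocking the request, keep the data in memory and clear it) look in C# for an ASP.NET handler that has already saved the upload to a path it controls. The class and method names (`UploadDisposal`, `OverwriteAndDelete`, `WipeAsync`, `UseInMemory`) are my own; the `-f -s` wipe flags are an assumption to check against the installed version's man page. Whether the framework has already buffered the request body to disk before your code runs is a separate matter, governed by the temp directory setting the question's edit refers to.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Threading.Tasks;

// Added example (not from the question or answer). Assumes the upload has been
// saved to a path the application controls, e.g. via HttpPostedFile.SaveAs.
public static class UploadDisposal
{
    // Overwrite the file's bytes in place, then delete it. This is the
    // "implement it yourself" route the answer mentions, using a few random
    // passes rather than the full Gutmann sequence.
    // Caveat: on SSDs (wear levelling), journaling or copy-on-write file systems
    // the blocks you overwrite may not be the physical blocks that held the data,
    // so in-place overwriting is only a best effort there.
    public static void OverwriteAndDelete(string path, int passes = 3)
    {
        var info = new FileInfo(path);
        if (!info.Exists) return;

        long length = info.Length;
        byte[] buffer = new byte[64 * 1024];

        using (var rng = RandomNumberGenerator.Create())
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Write, FileShare.None))
        {
            for (int pass = 0; pass < passes; pass++)
            {
                fs.Position = 0;
                long remaining = length;
                while (remaining > 0)
                {
                    rng.GetBytes(buffer);
                    int chunk = (int)Math.Min(buffer.Length, remaining);
                    fs.Write(buffer, 0, chunk);
                    remaining -= chunk;
                }
                fs.Flush(true); // flushToDisk: push this pass through the OS cache
            }
        }

        // Truncate before deleting so the directory entry no longer records the old length.
        using (new FileStream(path, FileMode.Truncate)) { }
        File.Delete(path);
    }

    // On Mono/Linux, hand the job to the wipe(1) utility via Process, as the
    // answer suggests. Runs on a background task so the request thread does not
    // wait on the I/O-heavy wipe. Assumes the "wipe" package is installed and on
    // PATH; the -f (force) and -s (silent) flags are an assumption to verify.
    public static Task<int> WipeAsync(string path)
    {
        return Task.Run(() =>
        {
            var psi = new ProcessStartInfo("wipe", "-f -s \"" + path + "\"")
            {
                UseShellExecute = false,
                RedirectStandardError = true,
                CreateNoWindow = true
            };
            using (var proc = Process.Start(psi))
            {
                string err = proc.StandardError.ReadToEnd();
                proc.WaitForExit();
                if (proc.ExitCode != 0)
                    Trace.TraceWarning("wipe failed for {0}: {1}", path, err);
                return proc.ExitCode;
            }
        });
    }

    // Use the upload without writing it to disk yourself (question points 2 and 3):
    // read the stream into a pinned managed buffer, run the work, then zero it.
    // Pinning stops the GC from leaving stale copies behind when it compacts the
    // heap; it does not stop the OS paging the buffer out, which is what the
    // swap section of the answer is about. Assumes a length-aware stream such as
    // HttpPostedFile.InputStream.
    public static T UseInMemory<T>(Stream upload, Func<byte[], T> work)
    {
        byte[] data = new byte[upload.Length];
        GCHandle pin = GCHandle.Alloc(data, GCHandleType.Pinned);
        try
        {
            int read = 0;
            while (read < data.Length)
            {
                int n = upload.Read(data, read, data.Length - read);
                if (n == 0) break;
                read += n;
            }
            return work(data);
        }
        finally
        {
            Array.Clear(data, 0, data.Length); // zero before the buffer is released
            pin.Free();
        }
    }
}
```

Typical use in a handler: `UploadDisposal.UseInMemory(file.InputStream, bytes => Encrypt(bytes))` when the content can stay in RAM; otherwise `file.SaveAs(path)`, process, then `OverwriteAndDelete(path)` on Windows or `WipeAsync(path)` on Mono/Linux. Both disposal routes leave the encrypted output, if any, untouched, so write that to its final location before disposing of the plaintext.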