Secure memory
Last updated
Last updated
If an attacker can retrieve sensitive data, like keys, passwords, and plaintexts, they can effectively bypass the associated cryptography. Therefore, it is recommended to limit the exposure of and protect such sensitive data in memory, reducing the likelihood of it being accessible to attackers.
Here are several steps you should take as a developer:
Use byte or char arrays over strings. Strings are immutable, meaning they can't reliably be erased and copies may be made. is also .
Use or with pinned: true
for allocations. This prevents .NET copying the memory around, allowing proper erasure.
Use to wipe arrays in a way that won't be optimised away by the compiler. This should be done as soon as the array is no longer needed and when an exception occurs. For example, you can call this method in a statement.
Use to try and avoid data swapping to disk.
Use , which take care of the above plus limit access to the memory at an operating system level. This protects against buffer overflows/underflows and other processes accessing the data.
Use a library like (a Go library, but a C# equivalent is in the works) that whilst using guarded heap allocations. This does all of the above whilst protecting against things like and .
Support using hardware that stores secrets and performs cryptographic operations on your behalf, like .
Of these, bullets 1, 2, and 3 are most important.
If going the extra mile, bullet 5 should be used instead of bullets 2, 3, and 4.
Overwrites a byte array with zeros.
buffer
has a length of 0.
Overwrites a char array or string with zeros.
buffer
has a length of 0.
Locks a byte array to try and avoid the contents being swapped to disk.
buffer
has a length that's not a multiple of PageSize
.
Unable to lock memory.
Overwrites a locked byte array with zeros before unlocking the memory.
buffer
has a length that's not a multiple of PageSize
.
Unable to unlock memory.
Provides access to guarded heap allocations, which can be used instead of regular allocations for additional security. However, there is a performance penalty, and this functionality SHOULD NOT be used for large amounts of variables/data due to system limits.
Do NOT assign the AsSpan()
return value to a span variable. This is a good way to crash your application. Instead, call AsSpan()
every time you want to access the memory.
Similarly, do NOT access the memory after calling NoAccess()
or try to write to the memory after calling ReadOnly()
. This will immediately crash your application.
size
is less than 1 or greater than MaxSize
.
Unable to allocate memory.
Unable to make memory inaccessible.
Unable to make memory read-only.
Unable to make memory readable and writable.
The object has been disposed.
These are used for validation and/or save you defining your own constants.
Guarded heap allocations have the following memory layout, with a few caveats:
The stored size in the first guard page refers to the canary plus data size rounded up to a multiple of the page size.
The length of the stored size in the first guard page depends on the platform, as does the page size.
The canary plus data does not necessarily take up a whole page; there may be padding at the beginning (unused memory) and multiple pages (if the data is large enough).
The canary is initialized with random bytes, and data is initialized with 0xdb
bytes to help catch bugs due to uninitialized data.
If access protection is not supported on the platform, the last page contains a canary at the beginning, meaning there can be two canaries with the same value surrounding the data. In this scenario, access to guard pages is not restricted.
Guarded heap allocations are not as fast as ordinary allocations and use up a lot more memory. Additionally, there are system limits on how much memory can be locked by a process. Therefore, use them sparingly for small amounts of data and test your application thoroughly.
Memory locking is not guaranteed with guarded heap allocations. For example, it may fail or not be supported on the system, in which case the function continues with no error.
It is RECOMMENDED to use a separate guarded heap allocation for each secret. This is less error prone whilst offering greater protection and access control.
As well as taking these steps as a developer, you can recommend users of your application do the following:
Limit the number of installed/running applications on their machine.
Harden their machine against malware.
Encrypt their OS drive.
Disable hibernation.
Disable memory dumps.
Disable swap files/the swap partition.
buffer
MUST be for this method to work properly.
buffer
MUST be for this method to work properly.
Also, calling this function on a string may crash the .NET runtime in the future. However, it doesn't currently based on my testing.
buffer
MUST be for this method to work properly.
It is RECOMMENDED to use instead, which perform memory locking/unlocking for you.
buffer
MUST be for this method to work properly.
It is RECOMMENDED to use instead, which perform memory locking/unlocking for you.
Memory locking uses on Windows and with and MADV_DONTDUMP
on Unix.
Guarded heap allocations require 3 or 4 extra pages of memory over a typical allocation. Allocations are done with on Windows and with MAP_NOCORE
or on Unix. on Windows and on Unix are used for the memory access restrictions.
The protection on Unix is to on Windows.