I've been trying to go through a couple of my C# libraries and a WPF application that uses them and replace plain-text, string passwords with SecureString. I do have to convert a SecureString back to a regular string in some places to interact with other libraries/web services over which I have no control, but I want to minimize the amount that I do that. I'm also trying to follow this article about how to do it correctly. Is there an easy way to monitor what strings end up floating around in memory from my code? I'd like to know how many points of weakness, so to speak, there are in my code with respect to sensitive data being in plain-text in memory.
One thing you can check is if your plaintext password is kept alive by the library, by adding a weak reference to it, and see how long it takes to go away. You can check if it helps to do some amount of forced garbage collect from time to time. But avoid doing forced GC in production code, especially on servers.
But that's only half the problem: it depends mostly on what the other libraries do with your string. If they embed the password in some other string, and keep it referenced, it will be unsecured in memory without you having control over it.
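The weak-reference check described in the answer, as an added example that is not from the question or the answer. It assumes a hypothetical `ThirdPartyLogin` method standing in for a library that requires a plain `string`; the `libraryKeepsIt` flag simulates whether that library retains the password, which is the part you cannot control.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringCheck
{
    // Hypothetical stand-in for a third-party API that needs System.String.
    static string retained;
    static void ThirdPartyLogin(string password, bool libraryKeepsIt)
    {
        if (libraryKeepsIt) retained = password;   // simulates the library holding a reference
    }

    // Separate method so no local on the caller's frame keeps the plaintext alive.
    static WeakReference UseOnce(SecureString secure, bool libraryKeepsIt)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            string plain = Marshal.PtrToStringUni(ptr);   // managed copy: this is the weak point
            ThirdPartyLogin(plain, libraryKeepsIt);
            return new WeakReference(plain);              // track it without keeping it alive
        }
        finally
        {
            if (ptr != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(ptr);  // zero and free the unmanaged copy
        }
    }

    // Returns true if the managed plaintext string was reclaimed after use.
    static bool PlaintextWasCollected(SecureString secure, bool libraryKeepsIt)
    {
        WeakReference weak = UseOnce(secure, libraryKeepsIt);
        GC.Collect();                    // forced GC is for this diagnostic only, not production
        GC.WaitForPendingFinalizers();
        GC.Collect();
        return !weak.IsAlive;
    }

    static void Main()
    {
        using (var secure = new SecureString())
        {
            foreach (char c in "hunter2") secure.AppendChar(c);   // constructed sample password
            secure.MakeReadOnly();
            Console.WriteLine("well-behaved library, collected: " + PlaintextWasCollected(secure, false));
            Console.WriteLine("retaining library, collected:    " + PlaintextWasCollected(secure, true));
        }
    }
}
```

Even when the weak reference reports the string as collected, its bytes stay in the freed heap memory until something overwrites them, and a compacting GC may have copied them beforehand, so this tells you about reachability, not about residue in a memory dump.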