Aren't passwords written in inputbox vulnerable through a stack trace?

Question

I am not a guru of stack traces, at all. I don't even know how to get them. Anyway, I am wondering if entering a password in an inputbox is safe. Can't it be retrieved by getting a stack trace?

A password entered that way will be found in many places:

  • the Caption property of the TEdit
  • the result of the function that created the inputbox
  • possibly a variable that stores the result of the inputbox command
  • etc.

If the answer is "yes, it is a vulnerability", then my world collapses :p. What can be done to avoid this security hole?

NOTE: The InputBox is an example, but it can be with a "homebrewed" login prompt.
InputBox is a Delphi command, but I haven't tagged the question with the Delphi tag because I suppose that the question concerns any language.

Recommended answer

This is called the airtight hatchway problem, and stems (at least one of the sources) from a chapter in a book by Douglas Adams called The Hitchhiker's Guide to the Galaxy. In it, our two protagonists are being carried by a large guard and dumped into an airlock, pending being evacuated into space. At some point, one of our protagonists says that he had a solution, but "it rather involved being on the other side of the airtight hatchway."

Let me explain.

If you have a cracker that is able to execute code (or in other ways "be") on your own machine, you have already lost. There's a ton of things that the cracker can do at that point.

So your first line of defense should be to prevent bad guys from getting access to your machine; if you can handle that, security becomes much easier.

So no, this is not a vulnerability, it is the fundamental way your computer works.

In the simplest form, if someone is able to get hold of runtime live stack traces of your program in motion, it probably means they have hooked up something that looks like a debugger to your program and are able to "debug" your program as it runs. A breakpoint could easily grab data from memory, process it, and then resume the program without the user ever knowing anything has happened, but in practice there are far easier ways to get hold of such information, provided you can execute code on the system.

Now, having said that, in .NET and many other runtimes there is support for attempts to at least make it harder: instead of storing the whole string, they intercept the keystrokes into your input box one at a time and encode each one together with the rest of the password, so that the characters are not stored in plain text.

However, the code that handles this becomes very cumbersome to work with, simply because any attempt to get the whole password in clear text would make the whole exercise pointless, so unless you're able to pass such encoded passwords end-to-end around your system, this won't really help much.

In .NET, the class in question is System.SecureString.
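As an added example (not code from the answer above), here is what the keystroke-at-a-time approach the answer describes looks like with System.SecureString, together with the "end-to-end" caveat: the moment some API needs the clear text, it has to be decrypted, so the example decrypts into unmanaged memory for the shortest possible time and zeroes it afterwards. The `legacyApiAcceptingPlainString` delegate is a constructed stand-in for whatever consumer needs a plain `string`.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not part of the original answer: capture a password one
// keystroke at a time into a SecureString so that the whole password never
// sits in an ordinary managed string (which the GC may copy around and
// which is trivially readable from a memory dump or under a debugger).
static class SecurePrompt
{
    // Read a password from the console without echoing it. Each keystroke
    // goes straight into the SecureString; only the single current char is
    // ever in the clear, briefly, in a local variable.
    public static SecureString ReadPassword(string prompt)
    {
        Console.Write(prompt);
        var secure = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);
            if (key.Key == ConsoleKey.Enter)
                break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0)
                    secure.RemoveAt(secure.Length - 1);
                continue;
            }
            if (!char.IsControl(key.KeyChar))
                secure.AppendChar(key.KeyChar);
        }
        Console.WriteLine();
        secure.MakeReadOnly();   // any later AppendChar/RemoveAt throws
        return secure;
    }

    // The end-to-end caveat: as soon as a consumer needs the clear text, it
    // must be decrypted. Decrypt into unmanaged memory, use it, and zero it
    // immediately so the plaintext lifetime is as short as possible.
    // Calling ToString() or keeping the managed copy around would undo the
    // whole exercise, exactly as the answer says.
    public static bool UseClearText(SecureString secure,
                                    Func<string, bool> legacyApiAcceptingPlainString)
    {
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secure);
            // PtrToStringUni creates a managed copy: this is the unavoidable
            // weak point. Keep its scope to this one call.
            string clear = Marshal.PtrToStringUni(unmanaged);
            return legacyApiAcceptingPlainString(clear);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);  // zero, then free
        }
    }

    static void Main()
    {
        // SecureString is IDisposable; disposing zeroes its encrypted buffer.
        using (SecureString pw = ReadPassword("Password: "))
        {
            // Constructed stand-in for a legacy API that only takes a string:
            // here it just enforces a minimum length policy.
            bool ok = UseClearText(pw, clear => clear.Length >= 8);
            Console.WriteLine(ok ? "accepted" : "rejected");
        }
    }
}
```

The design choice worth noticing is that `UseClearText` is the only place where a plain `string` ever exists, and its scope is a single call; every other component would have to accept the `SecureString` itself for the protection to hold end-to-end. None of this does anything against code already running on the machine that reads the keystrokes before they reach `ReadKey`, which is the answer's next point.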

However, again, if the bad guy can execute code on your platform, what is there to stop him from intercepting the keystrokes and just combining them together to form your password?

Here are a couple of links with examples of similar questions:

You can tell I'm a fan of Raymond Chen.
