内存堆安全性：字符串垃圾收集 [英] Memory Heap Security: String garbage collection

问题描述

我最近一直在为我的公司进行安全代码审查，并使用一个名为Fortify360的工具。它将识别代码中的许多问题并描述问题。一个有趣的问题，它提出我还没有发现任何其他信息如下：

$ b 存储在内存中的敏感数据（如密码）可以是如果它存储在一个托管的String对象中就会泄漏，String对象不是固定的，所以垃圾收集器可以随意重新定位这些对象，并在内存中留下多个副本，这些对象在默认情况下是不加密的，所以任何可以读取进程'内存将能够看到内容，而且，如果进程的内存被换出到磁盘，字符串的未加密内容将被写入交换文件。最后，因为String对象是不可变的，所以删除String的值内存只能由CLR垃圾回收器完成，除非CLR内存不足，否则垃圾回收器不需要运行，所以不能保证什么时候垃圾回收会发生。如果发生应用程序崩溃，应用程序的内存转储可能会显示敏感数据。

我所理解的所有这些都是非常有意义的，并且在我对这个问题的研究中非常标准。

问题是：我该如何解决问题？假设有问题的类不能继承iDisposable（非常大的应用程序，并且该类在需要的字符串之后很长）。是否有另一种手动内存管理的方式来处理特定的字符串而不调用垃圾回收器GC.Collect（）？

提前感谢帮助。 / p>

Alex

解决方案

如果您想避免这种情况，您需要使用 System.SecureString ，它是 IDisposable ，以保存敏感数据，只需要尽可能少的时间。

有趣的是，MSDN示例代码不是 Dispose 该实例，显式地或使用封装。

I have recently been doing a security code review for my company and using a tool called Fortify360. It will identify many issues with the code and describe the problems. An interesting issue it has raised that I have not found any other info on is the following:

"Sensitive data (such as passwords) stored in memory can be leaked if it is stored in a managed String object. String objects are not pinned, so the garbage collector can relocate these objects at will and leave several copies in memory. These objects are not encrypted by default, so anyone that can read the process' memory will be able to see the contents. Furthermore, if the process' memory gets swapped out to disk, the unencrypted contents of the string will be written to a swap file. Lastly, since String objects are immutable, removing the value of a String from memory can only be done by the CLR garbage collector. The garbage collector is not required to run unless the CLR is low on memory, so there is no guarantee as to when garbage collection will take place. In the event of an application crash, a memory dump of the application might reveal sensitive data."

All of this I understand to make good sense and in my research of the issue is pretty standard.

The question is: how do I solve the issue? Suppose the class or classes that are in question cannot inherit from iDisposable(very large app, and the class is needed long after the string in question). Is there an alternate way of manual memory management to dispose of a specific string without calling the garbage collector, GC.Collect()??

Appreciate the help in advance.

Alex

解决方案

If you want to avoid this you need to use System.SecureString, which is IDisposable, to hold sensitive data, holding onto this only for the minimum possible time required.

It's kind of ironic that the MSDN sample code does not Dispose the instance, either explicitly or with using encapsulation.

这篇关于内存堆安全性：字符串垃圾收集的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！