c# - Memory Heap Security: String garbage collection -

-

i have been doing security code review company , using tool called fortify360. identify many issues code , describe problems. interesting issue has raised have not found other info on following:

"sensitive data (such passwords) stored in memory can leaked if stored in managed string object. string objects not pinned, garbage collector can relocate these objects @ , leave several copies in memory. these objects not encrypted default, can read process' memory able see contents. furthermore, if process' memory gets swapped out disk, unencrypted contents of string written swap file. lastly, since string objects immutable, removing value of string memory can done clr garbage collector. garbage collector not required run unless clr low on memory, there no guarantee when garbage collection take place. in event of application crash, memory dump of application might reveal sensitive data."

all of understand make sense , in research of issue pretty standard.

the question is: how solve issue? suppose class or classes in question cannot inherit idisposable(very large app, , class needed long after string in question). there alternate way of manual memory management dispose of specific string without calling garbage collector, gc.collect()??

appreciate in advance.

alex

if want avoid need use system.securestring, idisposable, hold sensitive data, holding onto minimum possible time required.

it's kind of ironic msdn sample code not dispose instance, either explicitly or using encapsulation.


Comments

Post a Comment

Popular posts from this blog

android - Spacing between the stars of a rating bar? -

-
ho can set spacing beween stars? thats ratingbar: ratingbar = (ratingbar) inflater.inflate(r.layout.ratingbar, null); ratingbar.setlayoutparams(new layoutparams(layoutparams.wrap_content, layoutparams.wrap_content)); the layout: <?xml version="1.0" encoding="utf-8"?> <ratingbar xmlns:android="http://schemas.android.com/apk/res/android" style="@style/mystyle" android:layout_alignparentright="true" android:layout_height="19dp" android:layout_width="wrap_content" android:numstars="5"> </ratingbar> the style: <style name="mystyle" parent="@android:style/widget.ratingbar"> <item name="android:progressdrawable">@drawable/android_r2_ratingstar_yellow</item> <item name="android:indeterminatedrawable">@drawable/android_r2_ratingstar_grey</item> </style> thanks, cheers you have
Read more

html - Instapaper-like algorithm -

-
does of algorithm extracts contents webpage? instapaper ? there 2 steps instapaper does: find main content block on page (excluding headers, footers, menus etc) from content block extract , format text to find content block (typically html block element, div containing key page text content) instapaper uses algorithm 1 used readability . can @ source of readability.js see what's going on, @ core tries find area on page highest text/link ratio, although has other simple scoring metrics (e.g. off top of head, things ratio of text commas, para elements etc) go heuristics. once have identified root node element, relevant content, you'll need format it, if want can pull node element containing text out of source document , insert yours, in reality you'll want remove existing styles , apply own, standard , feel. if want output nice text-only can use jericho's renderer . update1 : should mention else instapaper - follow 'pagination' links (
Read more

c# - How to execute a particular part of code asynchronously in a class -

-
i creating speech recognition engine that's going respond user commands.i have created button enable , disable speech recognition per user convenience.i have used dispose() of speech engine disable speech recoginition.here code private void button1_click(object sender, routedeventargs e) { engineon = !engineon; if (engineon) { speechengine = speech.createspeechengine(); //speech class creates , returns new speech engine. speechengine.audiolevelupdated += new eventhandler<audiolevelupdatedeventargs>(speechengine_audiolevelupdated); // use system's default microphone speechengine.setinputtodefaultaudiodevice(); speechengine.loadgrammar(new dictationgrammar()); // start listening speechengine.recognizeasync(recognizemode.multiple); } else { speechclass.myengine.dispose(); } } but disposal of speech obj
Read more