Sunday, October 2, 2011

Getting started with WinDBG

During the career of every developer there comes a time when he must learn something he is not yet familiar with. Today the time came to use WinDBG. The basic configuration was shown on the page, so there is no real need to copy it. Additionally, you can download the sosex library (and of course copy it to the WinDBG directory) from here.

To check your configuration you can do the following. I found the idea on mgrzeg, but it was so interesting that I had to check it myself. Let me make you familiar with it. The problem covered by mgrzeg concerned the security of strings stored in memory. As is known, when you implement, for example, a form where an end user enters their credentials, you will probably store the credentials as an instance of the String class (or, if some operations are needed, the StringBuilder class). Are you sure it is safe?

Here is the source code (a copy from the mgrzeg page) which gives you the answer.


We have three functions here. Fun1 creates a string and then appends the numbers from 0 to 4 to it. String objects are immutable, so characters cannot be appended to an existing String; each append produces a new string, and the result of the operation is a set of different strings in memory. The method called Fun2 uses the StringBuilder class. It is a somewhat better solution than String, but from a security point of view it has the same issue. Fun3 uses SecureString. It is a really good solution (the best of those presented here). Why? Compile the code and open the executable file in WinDBG.
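A program matching the three functions described above, as an added example: it is not the listing from the mgrzeg page, and the marker strings and the exact loop bodies are assumptions made for illustration.

```csharp
// Added example, constructed to match the description in the text.
using System;
using System.Security;
using System.Text;

class Program
{
    // Each += allocates a new immutable String; every intermediate
    // copy stays on the managed heap until the GC collects it.
    static void Fun1()
    {
        string s = "StringSecret";                    // constructed marker value
        for (int i = 0; i < 5; i++)
            s += i;
    }

    // StringBuilder mutates a single buffer, but that buffer is still
    // plaintext UTF-16 on the managed heap.
    static void Fun2()
    {
        var sb = new StringBuilder("BuilderSecret");  // constructed marker value
        for (int i = 0; i < 5; i++)
            sb.Append(i);
    }

    // SecureString (.NET Framework on Windows) keeps its content encrypted
    // in unmanaged memory. Characters are appended one by one: a string
    // literal here would itself end up on the heap as a String.
    static void Fun3()
    {
        using (var ss = new SecureString())
        {
            ss.AppendChar('p');
            ss.AppendChar('w');
            ss.AppendChar('d');
            for (int i = 0; i < 5; i++)
                ss.AppendChar((char)('0' + i));
            ss.MakeReadOnly();

            Console.WriteLine("What do we have in memory?");
            Console.ReadKey();                        // break into the debugger here
        }
    }

    static void Main()
    {
        Fun1();
        Fun2();
        Fun3();
    }
}
```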


Then let the program run to the ReadKey call: press F5 and, after you get the message "What do we have in memory?", press CTRL-C.


Now load the necessary libraries and try to find the strings from the functions Fun1, Fun2 and Fun3.


As you can see, although these are local variables inside Fun1 and Fun2, when we are in Fun3 they are still available (in other words, not yet processed by the GC), so an attacker with some knowledge can access them. What about the variable from the Fun3 method? It is unavailable :)
