How to Secure Memory?

Sometime you might want to protect your data in memory - the greatest example is when dealing with anything related to passwords. It is simply not smart to keep that data around in a plain-text.

In .NET there are multiple methods you can use for this purpose, starting with SecureString, ProtectedMemory, and my favorite ProtectedData.

Each of these has its advantages and disadvantages and definitely each can find its place in a security toolbox. However, I prefer ProtectedData because it doesn’t require any Win32 API magic to read (as SecureString), nor it has any limitations on block length (as ProtectedMemory). As long as you are ok dealing with byte arrays, you can use it almost as a transparent storage.

Most of the times I end up having something like this (the most basic form):

private static RandomNumberGenerator Rnd = RandomNumberGenerator.Create();
private byte[] RawDataEntropy = new byte[16];
private byte[] RawData = null;

internal byte[] Data {
    get {
        if (this.RawData == null) { return new byte[0]; } //return empty array if no value has been set so far
        return ProtectedData.Unprotect(this.RawData,
                                       this.RawDataEntropy,
                                       DataProtectionScope.CurrentUser);
    }
    set {
        Rnd.GetBytes(this.RawDataEntropy); //new entropy every save
        this.RawData = ProtectedData.Protect(value,
                                             this.RawDataEntropy,
                                             DataProtectionScope.CurrentUser);
    }
}

On each write we let Windows encrypt the data using a random entropy (in addition to its standard encryption) while on every read we simply decrypt the data and return a copy of it. Care should be taken to delete copies lying around, i.e. when you set the property and encrypt data, you should delete the original. Best practice for delete is to use Array.Clear, e.g.:

Array.Clear(value, 0, value.Length);

I will leave it for reader’s exercise why that might be preferred to a simpler value = null.

PS: Note that, as soon as you convert bytes to a string (e.g. to show it to the user), you have signed capitulation as now you have an unencrypted copy of the protected data in memory. Yes, sometime you need to do it, but keep it brief.

Bimil and Summae

Illustration

After using it myself for last five years, I finally decided to give my password manager a version 1.00 designator.

It is a simple password manager using Password Safe database format. Unlike Password Safe, it allows for storage of credit cards and two-factor authentication keys. Give it a try and see whether you like it.

Other application that got slight version bump is Summae. It now supports per user context menu settings. On other hand, you cannot install it on Windows Vista and below. If you are using Windows 7 you are good. If not, upgrade. :)

Going Big With FAT32

Illustration

FAT32 is an aging file system with many faults. However, it does have one great advantage. It has been with us long enough that every OS supports it. Whether it is smallest IOT device or big mainframe (anybody uses those?), it will just simply work.

Because of that ubiquity I always keep one FAT32 formatted drive with me. It used to be 8 GB, then 4 GB, and now whooping 128 GB. And it is those 128 GB that posed a curious problem - Windows will allow you to format FAT32 only on disks 32 GB and less.

Mind you, that restriction doesn’t come from FAT32 design itself. If you use whooping 512 KB sectors and maximum count of 4,177,918 clusters, you can reach 2 TB. But, in order to keep backward compatibility with its NT-inherited 16-bit setup, Windows XP decided to drop sector size to 32 KB and inexplicably to limit total partition size to 32 GB (my guess is to promote NTFS). Mind you, it will read even bigger FAT32 volumes if they are already formatted. However, as soon as you try to reformat it first time, it will refuse to do so.

Solution is simple. Either go to ancient Windows 98 that actually supported FAT32 up to 127 GB (ok, that is a bit unrealistic), use pretty much any Linux distribution, or get a Windows application that will do formatting for you.

My go-to application is FAT32 Format. It is simple, free, works on any Windows version you throw at it, doesn’t require installation, and it has acceptable UI. For something one might need just once in a while, a perfect choice.

Not All EOLs Are Created Equal

As I was playing with the Wordpress shortcode methods, I came upon an interesting problem.

I wanted to change text in the particular line of the shortcode content and thus standard PHP explode and implode methods seemed like a best bet:

add_shortcode('something', 'something_callback');

function snippet_pre_shortcode_callback($atts, $content = null) {
    $lines = **explode('\n', $content)**;
    $lines[1] = "My line 2";
    return **implode('\n', $lines)**;
}

Nice and simple solution that didn’t work. The big content string I was sure had some lines, wouldn’t split. It took me a while to notice the error - single quote in PHP does not specify character but string with a minimal escaping. Most of the time they behave same as the double quotes which actually allow for much richer escaping.

Most annoying was that I knew this “feature” from before. However, too much work in the proper programming languages kinda made me overlook this trivial error multiple times while debugging. After taking a “frustration break” and coming back after 5 minutes, mistake was obvious.

The easy solution would be to swap one quotes for another. However, in this case a bit nicer solution exists - use the damn PHP_EOL constant:

function snippet_pre_shortcode_callback($atts, $content = null) {
    $lines = **explode(^^PHP_EOL^^, $content)**;
    $lines[1] = "My line 2";
    return **implode(^^PHP_EOL^^, $lines)**;
}

PHP, who wouldn’t love you… :/

Update All the Same

Illustration

Some might have noticed that pretty much all my current programs got an update. More observant among you might have noticed that update bears the same major and minor version. For example, QText was bumped from 4.10 to 4.10. Why is that?

Reason lies in the need to resign my executables as my current certificate expires on March 1st and after that date you wouldn’t get nice install prompt but ugly red one. Programs would work all the same but, based on what happened two years ago, I would be swamped with e-mails. To avoid any misunderstanding, I simply recompiled application with the new certificate. All functionality remains unchanged, it is just certificate that is new.

Developers among you might ask why I am not timestamping my signature so they are still valid after certificate expires. I am doing that but devil is in the details.

My previous certificate (bought from StartSSL), had lifetime signing “feature” (WTD_LIFETIME_SIGNING_FLAG). Somewhat unexpectedly this means not that your signature is valid forever, but that it expires together with certificates, regardless of timestamping. Go figure…

In any case, SSLStart gave me non-“lifetime” certificate this year so timestamping should work in the future beyond their expiry. If not, I will repeat this post in two years. :)