堆栈内存溢出
  简体   繁体   English

.NET中的数据保护

[英]Data Protection in .Net

 原文  2018-08-31 02:14:22       c#/ .net/ memory-management/ garbage-collection

问题描述

I am getting this question from our clients where they are saying if we do Copy-Paste or store data in a variable, then there are chances where data can be hacked where a hacker can get the data from RAM and use it before GC disposes of it. 我从客户那里得到这个问题,他们说如果我们进行复制粘贴或将数据存储在变量中,那么就有可能黑客攻击数据,黑客可以从RAM中获取数据并在GC处理之前使用它。它。

We generally don't dispose string objects where it gets stored in heap memory and will be collected by GC when it flushes the memory. 我们通常不会在存储在堆内存中的地方放置字符串对象,而是在刷新内存时由GC收集它们。

This is what I get about GC 这就是我对GC的了解

The memory that is used by allocated objects on the managed heap surpasses an acceptable threshold. 托管堆上分配的对象使用的内存超过了可接受的阈值。 This threshold is continuously adjusted as the process runs. 随着过程的运行,此阈值会不断调整。 The GC.Collect method is called. 调用GC.Collect方法。 In almost all cases, you do not have to call this method, because the garbage collector runs continuously 在几乎所有情况下,您不必调用此方法,因为垃圾收集器会连续运行

Is it possible where any hacker can get into RAM and read the data from it before GC flushes it? 在GC刷新之前,任何黑客都可能进入RAM并从中读取数据吗? If yes, then how can we overcome it. 如果是,那么我们如何克服它。

2 个解决方案

解决方案1
 1  2018-08-31 03:15:34

If the hacker can read memory in your process, the unpredictable lifetime of objects due to GC are the least of your problems. 如果黑客可以在您的进程中读取内存,则GC导致的对象不可预测的寿命是您最少的问题。 Any language is vulnerable to this kind of issue as computers effectively manipulate all data in memory (whether it's in a GC-able heap or elsewhere - C and assembly language need to store the data in memory too). 由于计算机可以有效地处理内存中的所有数据(无论是在可支持GC的堆中还是其他位置,C和汇编语言也需要将数据存储在内存中),因此任何语言都容易受到此类问题的影响。

Technologies exist (like Intel SGX ) that try to overcome this issue, but it too has exploits. 存在尝试克服此问题的技术(例如Intel SGX ),但它也有一些利用。 Fundamentally, no software only solution can stop bad folks once they can read your memory. 从根本上说,没有软件解决方案可以阻止坏人一旦读取您的内存。

解决方案2
 1  2018-08-31 03:37:54

I agree with the comments regarding the futility of trying to safeguard data in memory if an attacker already has the ability to read process memory entirely. 我同意这样的观点,即如果攻击者已经能够完全读取进程内存,则尝试保护内存中的数据是徒劳的。

That said many attackers will be attacking via exploits that allow imperfect access to subsections of system memory, meaning use of SecureString is still of practical utility. 那就是说,许多攻击者将通过允许不完全访问系统内存子区域的漏洞进行攻击,这意味着使用SecureString仍然具有实用性。

I recommend reading this thread for a discussion of the applications and limitations: When would I need a SecureString in .NET? 我建议阅读此线程以讨论应用程序和限制: 什么时候在.NET中需要SecureString?

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 .NET 核心数据保护——用在什么地方? - .NET Core data protection - where is it used? 具有多个 web 应用程序的 .NET6 中的数据保护 - Data Protection in .NET6 with multiple web applications net core 2.2,跨应用程序共享数据保护令牌 - net core 2.2, share data protection tokens across applications 更改 ASP.NET 中的证书指纹 Core Data Protection API - Changing the Certificate Thumbprint in ASP.NET Core Data Protection API 是否可以禁用 ASP.NET Core 中的数据保护加密? - Is it possible to disable the data protection encryption in ASP.NET Core? 群集环境中的ASP.Net核心数据保护API - ASP.Net Core Data Protection API in a Clustered Environment ASP.NET Core OpenIdConnectServer数据保护密钥位置 - ASP.NET Core OpenIdConnectServer data protection keys location ASP.NET 数据保护 - 从 MachineKey 迁移 - ASP.NET Data Protection - Migrating From MachineKey 将 asp.net MachineKey 迁移到 asp.net 核心数据保护 - Migrating asp.net MachineKey to asp.net Core Data Protection 多平台数据保护 - Multi platform data protection
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM