In my program, I have an encrypted database on the file system, protected with a password. It is decrypted in RAM, and the sensitive data gets spread out too much in RAM for mistakes to be easily auditable. (This rules out zeroing memory manually and using SecureString all over the place.)
So what I am thinking of doing is spawning a new process on a new Windows desktop, asking the user to enter his password there, then decrypting the database, doing my stuff, and closing the child process immediately.
This makes the whole thing very easy to audit. The sensitive data never leaves the child process, and the timespan during which sensitive data is in RAM is limited to a few milliseconds.
The question is: my solution works great only if Windows effectively zeroes the memory after the process is closed. Is that a safe thing to assume? (I know that the OS frees the memory, but freeing and zeroing are not the same thing.)
Do you see a better solution? (Easy to audit.)
You must decide what you are protecting and against whom.
First, swap. Your application's sensitive data can get into the swap file and be extracted from there later. So you must enable zeroing of the swap file on shutdown.
Second, who is attacking your application? I am pretty sure that when a ring-3 application allocates memory it is already zeroed out. However, if the attacker has Administrator access, he can:
- patch your application's binary file so that it dumps password/secret data to a file
- patch your loaded application in memory, then see above
- continuously watch your application's memory until it exposes sensitive data unencrypted
- get direct access to physical memory and look there for sensitive data
Please notice: some of those scenarios do not require administrative privileges; running under the same user as your app is enough!
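As an added illustration (not the asker's program and not code from the answer above), here is a small C helper that applies the two points the thread turns on: the asker's "freeing is not zeroing" and the answer's swap concern. It takes whole pages straight from the OS (VirtualAlloc on Windows, anonymous mmap elsewhere), which the kernel hands over zero-filled; pins them so they are not written to the page file (VirtualLock / mlock); and scrubs them through a store the compiler cannot optimise away before giving them back. Pages recycled inside the process's own heap are not zeroed by the allocator, which is why the buffer is scrubbed before release instead of relying on free(). The buffer size and the sample password are constructed for the demo; pinning may be refused (RLIMIT_MEMLOCK on Linux, working-set limits on Windows), so the helper records that in `locked` rather than aborting. All names are mine.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes mmap/mlock prototypes on glibc */
#endif
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Secret buffer: whole pages obtained directly from the OS, pinned in RAM,
 * scrubbed before release. (Added example; hypothetical names throughout.) */
typedef struct {
    unsigned char *data;
    size_t len;      /* bytes requested by the caller */
    size_t mapped;   /* bytes actually reserved, rounded up to whole pages */
    int locked;      /* 1 if pinning succeeded, 0 if the OS refused */
} secret_buf;

static size_t page_size(void) {
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    return (size_t)si.dwPageSize;
#else
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
#endif
}

/* memset through a volatile function pointer: the compiler cannot prove the
 * call is side-effect free, so a "dead" store just before free() survives. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) {
#ifdef _WIN32
    SecureZeroMemory(p, n);        /* Win32 primitive with the same guarantee */
#else
    memset_v(p, 0, n);
#endif
}

/* 1 if every byte in [p, p+n) is zero. */
int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Reserve whole pages from the OS (fresh pages arrive zero-filled on both
 * Windows and POSIX) and try to pin them so they never reach the page file. */
int secret_alloc(secret_buf *sb, size_t len) {
    size_t ps = page_size();
    sb->len = len;
    sb->mapped = (len + ps - 1) / ps * ps;
    sb->locked = 0;
#ifdef _WIN32
    sb->data = VirtualAlloc(NULL, sb->mapped, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (sb->data == NULL) return -1;
    sb->locked = VirtualLock(sb->data, sb->mapped) ? 1 : 0;
#else
    void *p = mmap(NULL, sb->mapped, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    sb->data = p;
    sb->locked = (mlock(p, sb->mapped) == 0) ? 1 : 0; /* RLIMIT_MEMLOCK may refuse */
#endif
    return 0;
}

/* Scrub, unpin, and return the pages. Freeing alone leaves the bytes in place
 * until the page is reused or the OS zeroes it for the next owner. */
void secret_free(secret_buf *sb) {
    if (sb->data == NULL) return;
    secure_zero(sb->data, sb->mapped);
#ifdef _WIN32
    if (sb->locked) VirtualUnlock(sb->data, sb->mapped);
    VirtualFree(sb->data, 0, MEM_RELEASE);
#else
    if (sb->locked) munlock(sb->data, sb->mapped);
    munmap(sb->data, sb->mapped);
#endif
    sb->data = NULL;
    sb->len = sb->mapped = 0;
    sb->locked = 0;
}

/* Demo: hold a password for the decrypt step, then release it.
 * Returns 1 if the pages arrived zeroed and the secret was held intact. */
int demo(void) {
    static const char pw[] = "correct horse battery staple"; /* constructed sample */
    secret_buf sb;
    if (secret_alloc(&sb, sizeof pw) != 0) return 0;
    int fresh = all_zero(sb.data, sb.mapped);
    memcpy(sb.data, pw, sizeof pw);
    /* ... decrypt the database with sb.data here ... */
    int intact = memcmp(sb.data, pw, sizeof pw) == 0;
    secret_free(&sb);
    return fresh && intact;
}

int main(void) { return demo() ? 0 : 1; }
```

The helper only narrows the window the thread is worried about; it does nothing against the attacker in the answer who already runs as your user or as Administrator and can read the pages while they are live. Check `locked` after allocation and treat 0 as a finding, since an unpinned secret page is exactly what ends up in the page file.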