Does Bouncy Castle protect secrets from "leaking" in memory/pagefile, and other avenues of attack?


Based on this question, I'm concerned about the following issues when dealing with secrets in Bouncy Castle:

  • encryption (in case of memory dumps or page caching)
  • pinning in memory
  • ability to mark as read-only (to prevent any further modifications)
  • safe construction by NOT allowing a constant string to be passed in
  • optimizing compilers (see note in linked article re: ZeroMemory macro), but as it applies to .NET and a build from GIT

Question

  • Does Bouncy Castle use the required constructs in .NET to enable it to be built securely? (SecureString or equivalent direct operations)
  • Is the coverage of SecureString (or equivalent) persistent throughout where needed in the library?
  • Does Bouncy Castle have to be compiled in a certain way to prevent compiler optimizations from taking effect?

There is 1 answer

0
HenrikJohnson On

Not a definitive answer by any means, but I just want to point out that once an attacker has the ability to read the heap without restrictions, there really is nothing you can do programmatically to have complete security, assuming your application at some point needs to be able to access the secret data. All you can do is try your best to reduce the time span during which an attack is possible and do your best to avoid it being committed to any permanent media (for instance by pinning the memory) during this time.

SecureString does not help you with this in C#, since although it is stored encrypted in memory, the key to access it is also stored in memory, so as long as you have a full memory dump an attacker could still access it. Also, if at any point you need to put your data in a string in C#, you are also in trouble, since strings are immutable and can't be overwritten.

Addressing your specific question in regard to Bouncy Castle: just looking at its interface, it most likely assumes an attacker is not able to dump the memory of the machine running it, since you generally pass it an array of bytes in and out, and those would not be secure. But at least you are able to overwrite the contents of a byte array once you are done with it, to reduce the time period of clear text being available in memory, instead of just waiting for it to be overwritten by something else.
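
The answer's advice (pin the buffer, overwrite the byte array when done) as an added C# example, not part of the original answer and not Bouncy Castle code. `PinnedSecret.Use` is a hypothetical helper, and the HMAC call stands in for any API that takes the secret as a `byte[]`.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

static class PinnedSecret
{
    // Hypothetical helper: runs `use` with a pinned secret buffer and wipes it
    // afterwards, even if `use` throws. `fill` writes straight into the buffer.
    public static T Use<T>(int length, Action<byte[]> fill, Func<byte[], T> use)
    {
        byte[] secret = new byte[length];
        // Pin before the secret is written: a pinned array is not moved by GC
        // compaction, so no stale copy is left behind at an old heap address.
        GCHandle pin = GCHandle.Alloc(secret, GCHandleType.Pinned);
        try
        {
            fill(secret);
            return use(secret);
        }
        finally
        {
            // ZeroMemory is a clear that the compiler/JIT will not optimize away.
            CryptographicOperations.ZeroMemory(secret);
            pin.Free();
        }
    }
}

static class Program
{
    static void Main()
    {
        byte[] captured = null;                // kept only to show the wipe below
        byte[] message = { 0x01, 0x02, 0x03 }; // constructed sample input

        byte[] tag = PinnedSecret.Use(32,
            fill: buf => RandomNumberGenerator.Fill(buf), // constructed 32-byte key
            use: key =>
            {
                captured = key;
                // Stand-in for any API that accepts the secret as byte[].
                using var hmac = new HMACSHA256(key);
                return hmac.ComputeHash(message);
            });

        Console.WriteLine($"tag: {Convert.ToHexString(tag)}");
        Console.WriteLine($"key wiped: {Array.TrueForAll(captured, b => b == 0)}");
    }
}
```

Pinning here only stops the garbage collector from relocating the array; it does not lock the pages against being swapped out. Any copy of the key that the consuming API makes internally is outside the reach of this wipe.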