Protecting data using ProtectedMemory

Posted by dariosantarelli on November 8, 2007

If you are looking for a smart way to encrypt/decrypt sensitive data in memory in order to make them unreadable even in malicious memory dumps, maybe you need to use the ProtectedMemory class (namespace System.Security.Cryptography). This class is a managed wrapper included in the DPAPI (Data Protection API) and it works in the same way as ProtectedData (a similar class indeed used to persist encrypted strings in file/database): it exposes two static methods, Protect and Unprotect,  which allow you to encrypt/decrypt strings in memory. The only requirement you have to consider in order to avoid a CryptographicException  is about using 16-bytes blocks for computing encrypted/decrypted data. For example, the following code shows how to protect/unprotect a sensitive string in memory during a process execution:

using System.Security.Cryptography;

string OriginalString = “xxxxxxxxxxxxxxxx”;
Console.WriteLine(“Before Protect: “ + OriginalString);
byte[] OriginalBytes = Encoding.UTF8.GetBytes(OriginalString);
ProtectedMemory.Protect(OriginalBytes, MemoryProtectionScope.CrossProcess);
UTF8Encoding enc = new UTF8Encoding();           
Console.WriteLine(“After Protect: “ + enc.GetString(OriginalBytes));
ProtectedMemory.Unprotect(OriginalBytes, MemoryProtectionScope.CrossProcess);
OriginalString = Encoding.UTF8.GetString(OriginalBytes);
Console.WriteLine(“After Unprotect: “ + OriginalString);

Here the output:
Before Protect: xxxxxxxxxxxxxxxx
After Protect: 7j??‼8y_??PQ<?¶-
After Unprotect: xxxxxxxxxxxxxxxx

Some further considerations:

  • The Protect()/Unprotect() method works directly on the original data, not on a copy. So, we don’t need to explicitly destroy our sensitive strings after the use.
  • Many people use SecureString, a more intuitive class using ProtectedMemory to automatically encrypt strings. A SecureString can be modified till the MakeReadOnly() method call and can be programmatically disposed. Finally, its MemoryProtectionScope is SameProcess: a SecureString can’t be used in CrossProcess and SameLogon scenarios, in which there’re multiple applications running in different processes (CrossProcess) and allowing data encryption/decryption to the same Windows user (in particular cases, consider the impersonation technique).
  • I’ve noticed some strange behaviours by randomly analyzing the memory dump file after invoking the Protect() method on a string: sometimes the text I’d like to protect appears as clear text…mmmm…. Does Windows operate a swap on file system before data encryption? If this is a possibility, are my efforts unuseful?

One Response to “Protecting data using ProtectedMemory”

  1. The Q said


    I would like to point out that using ProtectedMemory to protect sensitive data can give you a false sense of hope. Although it does, as you correctly mention, encrypt the data, which would secure it against raw memory dumpts, it does not protect the memory very well. You can use the debugging API from another process to attach to the process and simply call Unprotect on the protected memory and then read it in clear text, even when the scope is SameProcess.

    I wrote a blog post to evaluate ProtectedMemory, where I in less than five minutes managed to retrieve the clear text data from another process using the protection scope SameProcess.

    You can read the article at http://www.hexadecimal.se/2009/02/14/NotSoProtectedMemory.aspx


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: