Home > Software engineering >  Use SecureString in Membership.ValidateUser(string userName, string password)
Use SecureString in Membership.ValidateUser(string userName, string password)

Time:10-10

I got Heap Inspection vulnerability issue in a security report when converting a SecureString password to string and then validate by the MembershipProvider function. I know that I should use char[] to handle password instead of string. But how can I pass char[] into the build-in function to avoid the issue?

public static string SecureStringToString(SecureString ss)
{
   return Marshal.PtrToStringUni(Marshal.SecureStringToGlobalAllocUnicode(ss)); //<---Heap Inspection issue
}
...

Membership.ValidateUser(UserName, SecureStringToString(pwd));

CodePudding user response:

Microsoft recommend that you don't use SecureString for any new development. See Remarks here:

https://learn.microsoft.com/en-us/dotnet/api/system.security.securestring?view=net-6.0

and linked GitHub advice here:

https://github.com/dotnet/platform-compat/blob/master/docs/DE0001.md

Don't use SecureString for new code. When porting code to .NET Core, consider that the contents of the array are not encrypted in memory.

To answer your actual question (examples in the link above). You are expected to build the secure string character by character as the credentials are entered. Passing a (complete) char array isn't much different from passing a string.

CodePudding user response:

But how can I pass [a SecureString] into the buil[t]-in function to avoid the issue?

You can't. Membership.ValidateUser does not have an overload accepting a SecureString. Why? We don't know. Maybe the ASP.NET Membership framework was not designed for high-security systems where hardening code against heap inspection is a business requirement.

Thus, you only have two options:

  1. Use a different (custom-built) user validation method or

  2. accept the fact that the password will linger around on the heap for some time.

  • Related