Re: Destroy a string

Tech-Archive recommends: Fix windows errors by optimizing your registry

---

• From: "Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx>
• Date: Thu, 4 Jan 2007 01:43:31 +0100

---

"rossum" <rossum48@xxxxxxxxxxxx> wrote in message news:dhhop29evnktodbpniotoujsobi5ft7imh@xxxxxxxxxx

On Wed, 3 Jan 2007 16:13:58 -0600, "Ben Voigt" <rbv@xxxxxxxxxxxxx>
wrote:

"rossum" <rossum48@xxxxxxxxxxxx> wrote in message
news:c49op25un1a4lho1isikia8nvuueog06co@xxxxxxxxxx

On 3 Jan 2007 06:11:00 -0800, "Mark C" <MarkJohnCrosbie@xxxxxxxxx>
wrote:

I know a string is immutable, but is there any trick or any other way
to destroy a string

Thanks
www.quiznetonline.com

Not so much destroy the string as overwrite it:

/// <summary>
/// Overwrites a string in-situ. Useful for removing
/// evidence of keys, passwords etc.
/// </summary>
/// <param name="text">The string to overwrite.</param>
public static unsafe void OverwriteString(string text) {
const char overwriteChar = 'X';
fixed (char* cp = text) {
for (int i = 0; i < text.Length; ++i) {
cp[i] = overwriteChar;
} // end for
} // end fixed
} // end OverwriteString()

The string is still on the heap, but the sensitive information it
contained is no longer there.

The current location of the buffer is wiped, but if the string survived a
generation, the garbage collector has made copies :(

There may also be a copy on disk in swapspace, on automatic backups
and written on a post-it under the keyboard. It is not possible to be
completely secure, all that is possible is to make the attacker's job
more difficult.

rossum

That's why the SecureString was invented, it get's allocated in a non swappable fixed portion of the process heap, it's contents get's encrypted and it' doesn't need the GC to get wiped-out.

Willy.



.

---

• Follow-Ups:
  • Re: Destroy a string
    • From: rossum

• References:
  • Destroy a string
    • From: Mark C
  • Re: Destroy a string
    • From: rossum
  • Re: Destroy a string
    • From: Ben Voigt
  • Re: Destroy a string
    • From: rossum

• Prev by Date: Re: difference between private static and public static.
• Next by Date: retrieve list of databases from .net
• Previous by thread: Re: Destroy a string
• Next by thread: Re: Destroy a string
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Implementing strstr ... that string doesn't appear at all). ... const char* strstr(const char* haystack, const char* needle) ... (comp.programming) curses mouse cut/paste on solaris2.9, hangs on select(). Works fine on aix and linux ... The program works fine on solaris, if the user inputs the string from ... const char *defaultText = NULL; ... void tstWprintw; ... int main ... (comp.unix.solaris) Pinvoke reading files, returning char * values. ... const char* strInputFileName, ... back a string. ... public static extern bool GetXMLString(string inputFileName, ... StringBuilder output, ... (microsoft.public.dotnet.languages.csharp) Re: Whats wrong with the string? ... Then it is better to use "const char *" so that the ... >> putc() is a function to put a char on the serial console. ... the str could point beyond the end of your string. ... characters to characters. ... (comp.os.linux.embedded) copy constructors hurting performance ... I have a member function func(const String ¶m). ... String is passed as the param this is nice and efficient. ... I have a constructor which takes a const char* as an argument. ... performs a deep copy of the const char *buffer. ... (comp.lang.cpp)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > DotNet  > microsoft.public.dotnet.languages.csharp  > 2007-01