



is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.






So, at what point does using a SecureString actually become practical? Is it ever worth the extra development time to completely eradicate the use of a System.String object? Is the whole point of SecureString to simply reduce the amount of time a System.String is on the heap (reducing its risk of moving to a physical swap file)? If an attacker already has the means for a heap inspection, then he most likely either (A) already has the means to read keystrokes, or (B) already physically has the machine... So would using a SecureString prevent him from getting to the data anyways? Is this just "security through obscurity"?




As others have mentioned and as you have noticed by yourself, this isn't enough by itself. You have to make sure that every step of the process (including retrieval of input, construction of the string, usage, deletion, transportation, etc) happens without defeating the purpose of using SecureString. This means that you must be careful to never create a GC-managed immutable string or any other buffer that will store the sensitive information (or you'll have to keep track of that as well). In practice, this isn't always easy to achieve, because lots of APIs only offer a way to work with string, not SecureString. And even if you do manage to everything right... SecureString protects against very specific kinds of attack (and for some of them, it's not even that reliable). For example, SecureString does allow you to shrink the time window in which an attacker can dump the memory of your process and successfully extract the sensitive information (again, as you correctly pointed out), but hoping that the window is too small for the attacker to take a snapshot of your memory isn't considered security at all.









WPF的PasswordBox控件在内部将密码保存为SecureString。 System.Diagnostics。ProcessInfo的Password属性是一个SecureString。 X509Certificate2的构造函数接受一个SecureString作为密码。





你可以一个字符一个字符地构建它(例如从控制台输入),或者从非托管API获取它 您可以通过将它传递给非托管API (SecureStringToBSTR)来使用它。



... 或者像你提到的BSTR,这似乎并不安全


然而,在. net框架中支持SecureString的api非常少,所以你说它现在的价值非常有限是对的。




接受SecureString的. net API的一个例子是X509Certificate类的构造函数。如果您使用ILSpy或类似工具进行深入研究,您将看到SecureString在内部转换为非托管缓冲区(Marshal.SecureStringToGlobalAllocUnicode),然后在使用(Marshal.ZeroFreeGlobalAllocUnicode)完成时将其归零。



重要的 我们不建议你使用SecureString类new 发展。有关更多信息,请参见不应该使用SecureString


不要在新代码中使用SecureString。当将代码移植到。net Core时, 假设数组的内容在内存中没有加密。 处理凭证的一般方法是避免使用它们 相反,依靠其他方法进行身份验证,如证书或 Windows身份验证。

以下文本是从HP Fortify静态代码分析器复制的

文摘: PassGenerator.cs中的PassString()方法以不安全的方式存储敏感数据(即以字符串形式存储),使得提取敏感数据成为可能 通过检查堆来获取数据。

Explanation: Sensitive data (such as passwords, social security numbers, credit card numbers etc.) stored in memory can be leaked if it is stored in a managed String object. String objects are not pinned, so the garbage collector can relocate these objects at will and leave several copies in memory. These objects are not encrypted by default, so anyone who can read the process' memory will be able to see the contents. Furthermore, if the process' memory gets swapped out to disk, the unencrypted contents of the string will be written to a swap file. Lastly, since String objects are immutable, removing the value of a String from memory can only be done by the CLR garbage collector. The garbage collector is not required to run unless the CLR is low on memory, so there is no guarantee as to when garbage collection will take place. In the event of an application crash, a memory dump of the application might reveal sensitive data.

建议: 将敏感数据存储在SecureString对象中,而不是存储在string等对象中。对象中存储其内容 在内存中始终保存加密格式。


As others have mentioned and as you have noticed by yourself, this isn't enough by itself. You have to make sure that every step of the process (including retrieval of input, construction of the string, usage, deletion, transportation, etc) happens without defeating the purpose of using SecureString. This means that you must be careful to never create a GC-managed immutable string or any other buffer that will store the sensitive information (or you'll have to keep track of that as well). In practice, this isn't always easy to achieve, because lots of APIs only offer a way to work with string, not SecureString. And even if you do manage to everything right... SecureString protects against very specific kinds of attack (and for some of them, it's not even that reliable). For example, SecureString does allow you to shrink the time window in which an attacker can dump the memory of your process and successfully extract the sensitive information (again, as you correctly pointed out), but hoping that the window is too small for the attacker to take a snapshot of your memory isn't considered security at all.
