Are there more secure alternatives to the .Net SQLConnection class?

views:

answers:

+6 Q:

Are there more secure alternatives to the .Net SQLConnection class?

Hi SO people, I'm very surprised this issue hasn't been discussed in-depth:

This article tells us how to use windbg to dump a running .Net process strings in memory.

I spent much time researching the SecureString class, which uses unmanaged pinned memory blocks, and keeps the data encrypted too. Great stuff.

The problem comes in when you use it's value, and assign it to the SQLConnection.ConnectionString property, which is of the System.String type. What does this mean? Well...

It's stored in plain text
Garbage Collection moves it around, leaving copies in memory
It can be read with windbg memory dumps

That totally negates the SecureString functionality!

On top of that, the SQLConnection class is non-inheritable, I can't even roll my own with a SecureString property instead; Yay for closed-source. Yay.

A new DAL layer is in progress, but for a new major version and for so many users it will be at least 2 years before every user is upgraded, others might stay on the old version indefinitely, for whatever reason.

Because of the frequency the connection is used, marshalling from a SecureString won't help, since the immutable old copies stick in memory until GC comes around. Integrated Windows security isn't an option, since some clients don't work on domains, and other roam and connect over the net.

How can I secure the connection string, in memory, so it can't be viewed with windbg?

+10 A:

If you control a machine to the extent that you can read another process's memory, you can also replace the reference to the SecureString class with a reference to string. You'll have access to any private keys that the other process can use.

There is no defense against a hacker that owns your process memory. :)

Andomar 2010-04-08 12:29:34

Fore sure, good point! What I am aiming for is reducing the surface area of attack. It's an interesting exercise in security at the least :)

Wez 2010-04-08 13:53:13

+4 A:

Not a real answer to the question but still:

Try to use windows authentication instead of sql authentication. Even if you manage to secure password in the program memory user can see it by using traffic sniffer.

Another advantage of windows authentication is that sql server does not need to store password hashes of users. With sql authentication determined hacker can bruteforce password from hash or substitute it with another one. Actually the password can be replaced very easily with use of some programs.

Giorgi 2010-04-08 12:39:25

I'd prefer this method too, however it's not an option for a third of the users, as they roam and connect remotely over the web sometimes.

Wez 2010-04-08 13:51:02

Please clarify: Are you saying your SQL Server instance is open to the world (public IP address and open port)? From your description it sounds like you have a desktop application running on the client computer, which is executing an SQL connection over the web, without VPN, to an open SQL Server. If that's the case you have a much bigger security concern then a complicated attempt to read the process memory on the client in the hopes of getting a password.

David 2010-04-08 14:07:43

Correct, albeit with a custom port, not the standard SQL port. Any specific concerns/links you're thinking of, regarding this risk? I'd love to approach management about this issue...

Wez 2010-04-08 14:45:24

+2 A:

Communication between a process and a Sql Server ideally happens on a backbone and if that is compromised then this is the least of your worries.

James Westgate 2010-04-08 12:49:12

The reason I focus on the client side, and not the transport, is last week we filed for copyright infringement, as a client decided to clone our system, we have screen shots, it's quite funny. This is what got me looking more in-depth into the security.

Wez 2010-04-08 13:57:06

+1 A:

Since it's a client-side desktop application, if you are wondering that your connection string credentials might be exposed to some hackers, this is a design flaw...

If you connect to your sql server with admin credentials, this is your problem. You should create a user with restrictions and use it in your app.

If you are affraid to expose your database, you could access a webservice from the app. This webservice would then access the database and return the results.

Frank 2010-04-08 13:59:44

The SQL credentials are limited, but because of the size of the system, as I said in the OP, the DAL service is for a major release. I'm looking for an alternative that would fit the current setup. Design flaw yes, definitely!

Wez 2010-04-08 14:48:37

So you can't add a user with limited credentials? Can you redirect your call to the database to an application/webservice located on your servers? Often when talking about a design flaw in security, the possible and _effective_ patch are **really** limited.

Frank 2010-04-08 14:51:44

Just pointing out, that 'hackers' mean client management and devs who try reverse engineer our system.

Wez 2010-04-08 14:52:37

I meant: we DO have users with limited credentials. We do NOT use the sa/admin account. You're right about the patch being limited, it's a tough one.

Wez 2010-04-08 14:55:16

ansaurus

tags:

views:

answers:

Are there more secure alternatives to the .Net SQLConnection class?

related questions