I would like to transfer user name and password information from one process to another process running on the same server in Windows. What is the best approach to achieve this transfer in a secure way? One simple approach is to copy the passwords to a file, have the other process read from the file, and then delete the file once it is read. Though this is simple, I am concerned whether it is secure, since it is still possible for someone to gain access to this file even though it lives only for a short period of time, and there is also the possibility of the file being left behind if the other process errors out or crashes. IPCs like sockets and named pipes seem to be overkill for this problem. I am more inclined towards using memory mapped files as explained in the link below, which talks about sharing memory across processes. Is this the right approach? Also, is it a good idea to fill the memory with dummy data prior to freeing/erasing, to prevent rogue processes from scavenging data from this memory location?

http://msdn.microsoft.com/en-us/library/aa366551(VS.85).aspx

+1  A: 

Use some IPC that (1) is not backed to disk, (2) supports ACLs.

This would seem to indicate named pipes.

Alternately DCOM and WCF both support content encryption.

Richard
It is really scary to know that just named pipes, WCF and DCOM are the only options for such a simple task. I am still siding with memory mapping. Any thoughts on that?
msvcyc
@msvcyc: Firstly, security is never simple; secondly, based on those criteria, that's what I see. There are other options (e.g. SSL) but that means implementing your own access control.
Richard
+3  A: 

RPC is your friend here (I wouldn't use named pipes to transfer secured data because they have some serious issues: they operate in a global namespace and thus are vulnerable to squatting attacks).

Since the data isn't being passed on the wire, encryption isn't as important as some are describing. Instead have one process implement an RPC server and have the other end bind to that server, issue the RPC call with the credentials and destroy the binding handle - that should tear down the intermediate data structures.

Don't forget to securely zero out the memory when you're done using it (otherwise it might get persisted to disk).

If you DO want to use encryption, use CryptProtectMemory which will encrypt the data in a fashion that can be used for IPC.

Larry Osterman
Absolutely. Don't use named pipes or a memory mapped file. With either of these technologies you are likely to introduce a more severe vulnerability than the one you are trying to mitigate.
Chris Clark
Query: How does RPC avoid the naming squatting issue?
Richard
If you bind to a static endpoint (ncalrpc:\\myapp) you have squatting issues, but if you bind to a dynamic endpoint you don't (you need to be a bit careful but it's possible).
Larry Osterman
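The accepted answer's closing advice (securely zero the memory when you're done, because an ordinary wipe can be optimised away and the secret may otherwise linger and get paged to disk) and the question's idea of overwriting the buffer before freeing it are the same technique. The following is an added example, not code from this thread: it shows, in portable C, a wipe that the compiler cannot elide, and a receiving-side routine that copies a credential into a working buffer, uses it, and wipes the buffer on every exit path. The names `secure_zero`, `is_all_zero` and `consume_credential` are this example's own; on Windows you would call `SecureZeroMemory` (an assumption about the deployment, not something the thread discusses), and the sample password is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for Windows' SecureZeroMemory. Writing through a volatile
 * pointer forces every store to be emitted even though the buffer is dead
 * afterwards; a plain memset() at the end of a function may be removed by the
 * optimiser as a "dead store", leaving the secret in memory. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of the buffer is zero, else 0. Used to verify a wipe. */
int is_all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= b[i];
    }
    return acc == 0;
}

/* Receiving side of the transfer. Copies the credential into a caller-supplied
 * working buffer, "uses" it, and wipes the whole working buffer before
 * returning, on both the success and the failure path. Returns 0 on success and
 * -1 if the credential does not fit (it is refused rather than truncated).
 * Note: zeroing only helps while the page is still in RAM; a buffer that has
 * already been paged out needs a non-pageable allocation (VirtualLock on
 * Windows) to avoid the on-disk copy the answer warns about. */
int consume_credential(const char *cred, size_t cred_len,
                       unsigned char *workbuf, size_t workbuf_len) {
    int rc = -1;
    if (cred_len <= workbuf_len) {
        memcpy(workbuf, cred, cred_len);
        /* Stand-in for the real use of the credential, e.g. passing it to a
         * logon API. Nothing is printed: the secret must not reach a log. */
        rc = 0;
    }
    /* Wipe every byte of the working buffer, not just the bytes we used. */
    secure_zero(workbuf, workbuf_len);
    return rc;
}

int main(void) {
    /* Constructed sample credential; the sending side owns this copy. */
    char password[] = "hunter2";
    unsigned char workbuf[64];

    int rc = consume_credential(password, strlen(password), workbuf, sizeof workbuf);
    printf("consume rc=%d, working buffer wiped=%d\n", rc, is_all_zero(workbuf, sizeof workbuf));

    /* The sending side wipes its own copy once the transfer is complete. */
    secure_zero(password, sizeof password);
    printf("source wiped=%d\n", is_all_zero(password, sizeof password));
    return 0;
}
```

The point of `is_all_zero` is only to make the wipe observable; in real code the check is unnecessary, but the discipline of wiping on every return path (including the error path where nothing was copied) is what stops a crash or early exit from leaving the credential behind, which is the same failure mode the question raised for the temporary-file approach.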