
Re: Credentials held unencrypted in memory during runtime

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Tue, 12 Apr 2011 16:53:51 +0200

On Tue, Apr 12, 2011 at 15:25, Feldhacker, Chris
<Feldhacker.Chris_at_principal.com> wrote:
> CERT provides secure coding best practices:
> https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637
> Chapter 8 covers "Memory Management", with the following relevant topics:
> MEM03-CPP. Clear sensitive information stored in returned reusable resources
> MEM06-CPP. Ensure that sensitive data is not written out to disk
> Complete with good/bad coding examples.

And now for your homework: read them! Then try to understand what's
written there.

> Rationalizing why something is/is not a security issue by scenario examples or logic of "it would just be easier for an attacker to do X" misses the point and does not foster secure software.  Lots of really smart people have chewed on these problems for years and secure coding best practices have been established as a result.
> If TortoiseSVN doesn't want to follow secure coding best practices so be it, but trying to justify these decisions by arguing it's not a security issue runs counter to CERT and many other industry recognized security experts.
> Is the argument that secure coding best practices are wrong?
> Why not be safe rather than sorry?

Did I say that using best practices is wrong? Did I say that with even
one word or even hint at that?

I said that this is not a security issue. And I stand by that.

Ok, back to your links. By now you should have read what you wanted me
to read and hopefully you understand what's written there.

MEM06-CPP. Ensure that sensitive data is not written out to disk
preventing dumping sensitive info in a core dump: they do this by
disabling the core dump completely. If the info you want to protect
isn't the recipe for coke and worth billions, do NOT do this because
core dumps serve a purpose and should not be disabled.
Disabling paging requires an elevated process, which TSVN is not.

MEM03-CPP. Clear sensitive information stored in returned reusable resources
sure, clearing the info *after you don't need it anymore* is good. But
clearing it while you still need it? And that's what this actually is:
TSVN stores that info as a per-process (i.e., short lived, not written
to disk) auth cache.

> (BTW, "pervasive memory scraping" is the term being used these days -- apparently the SANS Institute identified this as the top threat for this year.  A good Google search will turn up lots of references, and one counter-measure in a defense-in-depth strategy is to ensure in-memory sensitive data is handled appropriately...)

Ok. Now go and please read at least *some* of those papers.


  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net
Received on 2011-04-12 16:54:18 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
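As an added example (not TortoiseSVN's code and not the sample from the CERT page), here is the MEM03-CPP point from the thread in C: a per-process credential cache entry that lives only in memory and is wiped with a zeroing routine the compiler cannot drop once the credentials are released. The type and function names (`cred_entry`, `secure_memzero`, `cred_store`, `cred_release`, `cred_is_cleared`) are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not TortoiseSVN code: a per-process auth cache entry
 * (never written to disk) that is cleared when no longer needed. */

#define CRED_MAX 128

typedef struct {
    char username[CRED_MAX];
    char password[CRED_MAX];
    int  in_use;
} cred_entry;

/* Zero a buffer in a way dead-store elimination cannot remove: writing
 * through a volatile-qualified pointer forces every store to happen even
 * when the buffer is never read again (a plain memset() on a dead local
 * may be optimized away). */
static void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Keep credentials for the lifetime of the process. Returns 0 on success,
 * -1 if either string would not fit (no truncation, no overflow). */
int cred_store(cred_entry *e, const char *user, const char *pass)
{
    if (strlen(user) >= CRED_MAX || strlen(pass) >= CRED_MAX) {
        return -1;
    }
    strcpy(e->username, user);
    strcpy(e->password, pass);
    e->in_use = 1;
    return 0;
}

/* Release: clear the sensitive content now that it is no longer needed. */
void cred_release(cred_entry *e)
{
    secure_memzero(e->password, sizeof e->password);
    secure_memzero(e->username, sizeof e->username);
    e->in_use = 0;
}

/* Check whether every byte of the entry is zero. Returns 1 if cleared. */
int cred_is_cleared(const cred_entry *e)
{
    const unsigned char *p = (const unsigned char *)e;
    for (size_t i = 0; i < sizeof *e; i++) {
        if (p[i] != 0) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    cred_entry e = {0};
    /* Constructed sample credentials. */
    if (cred_store(&e, "alice", "constructed-password") != 0) {
        return 1;
    }
    printf("cached: in_use=%d cleared=%d\n", e.in_use, cred_is_cleared(&e));
    cred_release(&e);
    printf("released: in_use=%d cleared=%d\n", e.in_use, cred_is_cleared(&e));
    return 0;
}
```

The volatile store loop is the portable fallback; on Windows `SecureZeroMemory` and, where available, `explicit_bzero` or `memset_s` serve the same purpose. Note that this only addresses the "after you don't need it anymore" half of the rule: while the cache entry is in use the plaintext necessarily stays in the process's memory, which is the distinction the reply above draws.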