ABSTRACT
Computer programs often work with a variety of sensitive data, and the String class is widely used in object-oriented programming languages for this purpose. However, saving sensitive data to a String object is not safe: the data is not encrypted, and it may still be in operating memory even after it is no longer needed. Due to the non-deterministic behaviour of the mechanism responsible for removing unused items from memory, we cannot say with certainty when a String holding sensitive data will actually be removed. If an attacker obtains part of, or even the entire, memory image, they can easily read this sensitive data. This paper discusses the options in object-oriented languages that provide programmers with a way of storing data in memory in an encrypted form. We present pseudocode for a secure String class that is compliant with the Data retention and Cryptography requirements of the PCI DSS standard.
Index Terms
- A Secure String Class Compliant with PCI DSS