Zeroization of sensitive data in byte stream

jafontjafont Member Juan Angel Font BanegasOrganization: University of Castilla la ManchaProject: Practices for subject in Master in Computer Science

Hi,

I am using ICE for C++, and I have a question about the following issue:

According to secure coding standards, the memory buffers where sensitive data is allocated (e.g. user passwords) has to be zeroized (cleared) as soon as the data is not needed.

Sensitive data can be received as an input parameter to an operation, or can be returned as an output parameter.
Zeroization of input parameters is easy because the server can zeroize the data after the processing. Zeroization of output parameters is a little more complex, because they are last used by the code generated by slice2cpp. What I have done is to return sensitive data wrapped in an object of a class whose destructor zeroizes the data.

However, my concern is about the stream of bytes used internally by ICE. As far as I know, the input byte stream is decoding to create the input parameters of operations. Similarly, output parameters are encoded in a byte stream before sending it to the client. Therefore, such byte stream may contain sensitive information. My question is:

How can I zeroize those byte streams?

Kind regards,
Juan

Tagged:

Best Answers

  • joegeorgejoegeorge Jupiter, FloridaJoe GeorgeOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    edited June 2016 Accepted Answer

    Hi Juan,

    Unfortunately we do not offer API access to these streams or a way zero them. We will look into adding this in a future release.

    That being said you should be able to use the ["cpp:array"] metadata directive to obtain direct access to your client and server the input streams (this will not work on output streams). See our documentation on the array mapping for sequence parameters for C++.

    You would use a sequence of bytes to store your sensitive data:

    // Slice
    void foo(["cpp:array"] Ice::ByteSeq sensitiveData)
    

    Your foo method on the proxy would have the signature:

    void write(const std::pair<const Ice::Byte*, const Ice::Byte*>& contents);
    

    Similarly the server will have:

    virtual void foo(const ::std::pair<const ::Ice::Byte*, const ::Ice::Byte*>& contents,
                     const ::Ice::Current& = ::Ice::Current()) = 0;
    

    The pointers in contents point directly into Ice's input stream (start and one element past the end). In your implementation you will need to copy the data from contents, then you should be able to perform a const_cast on the start pointer and manually zero the stream.

    Again, this will only work on input (receiving) streams.

    Cheers,
    Joe

  • jafontjafont Juan Angel Font BanegasOrganization: University of Castilla la ManchaProject: Practices for subject in Master in Computer Science
    Accepted Answer

    Thank you, Joe.

    Just another question:

    If a declare an output parameter with ["cpp::array"], will the client be able to zero that output parameter when received from the server?

    Regards,
    Juan

Answers

  • joegeorgejoegeorge Jupiter, FloridaAdministrators, ZeroC Staff Joe GeorgeOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    edited June 2016 Accepted Answer

    Hi Juan,

    Unfortunately we do not offer API access to these streams or a way zero them. We will look into adding this in a future release.

    That being said you should be able to use the ["cpp:array"] metadata directive to obtain direct access to your client and server the input streams (this will not work on output streams). See our documentation on the array mapping for sequence parameters for C++.

    You would use a sequence of bytes to store your sensitive data:

    // Slice
    void foo(["cpp:array"] Ice::ByteSeq sensitiveData)
    

    Your foo method on the proxy would have the signature:

    void write(const std::pair<const Ice::Byte*, const Ice::Byte*>& contents);
    

    Similarly the server will have:

    virtual void foo(const ::std::pair<const ::Ice::Byte*, const ::Ice::Byte*>& contents,
                     const ::Ice::Current& = ::Ice::Current()) = 0;
    

    The pointers in contents point directly into Ice's input stream (start and one element past the end). In your implementation you will need to copy the data from contents, then you should be able to perform a const_cast on the start pointer and manually zero the stream.

    Again, this will only work on input (receiving) streams.

    Cheers,
    Joe

  • jafontjafont Member Juan Angel Font BanegasOrganization: University of Castilla la ManchaProject: Practices for subject in Master in Computer Science
    Accepted Answer

    Thank you, Joe.

    Just another question:

    If a declare an output parameter with ["cpp::array"], will the client be able to zero that output parameter when received from the server?

    Regards,
    Juan

Sign In or Register to comment.