The Danger Of Storing Data In Clear Text In Main Memory

The storage of clear text data in main memory is a cybersecurity concern. A malware application in the user’s device can read its contents and exploit the data. A serious concern is regarding passwords and other sensitive data that a user has temporarily stored in memory, that is not in an encrypted format.

There is no one easy fix to this problem, but there are ways to address this concern. Developers can follow strict guidelines for data encryption, but once it is decrypted and loaded into main memory it is in clear text. A type of malware program or spyware may be able to read its contents.

The application developer must make sure that the data is cleared from memory once the app is closed or when the user has already viewed the information. Otherwise it will be accessible even to other applications which can read the data much like how the clipboard is viewed.

Background

The Random Access Memory (RAM), physical memory or main memory of a device is where data is temporarily stored for processing. It is placed there for faster access to data that is being displayed for output, or for operations with input. The security risk is that the data is in unencrypted clear text. Other than user privilege and file permissions, the operating system does not have a security layer for securing main memory at all times.

The actual contents of main memory can be dumped to a file and saved. This is what malicious apps can do in order to obtain private data. These are called memory dump files, and they can dump the entire content of the main memory to be analyzed by another application. A brief introduction to computer organization can help to better understand this.

Computer Architecture

The CPU in the device provides privilege levels. The operating system’s kernel runs at the highest privilege level akin to the root user. Applications run at lower privilege levels. They are processes which are allocated a segment in main memory. The kernel can prevent each process from reading or writing to each other’s memory space. Applications are allocated RAM by pages (4 or 8 kilobytes) from the kernel. When a process tries to access a page belonging to another process, it is blocked by the kernel and this leads to a GPF (General Protection Fault).

Main Memory

When data is written into main memory, it can be accessed by a process that is allowed by the kernel. In most operating systems, this is through privileged execution. As long as the account that is logged into the computer is an admin or has admin rights (privileges), the application can access the page in memory and read and/or write data. Legitimate applications work fine using this setup. However, viruses and malware can also run under the user’s account. If the systems admin removed admin rights from the user account, the malicious application won’t be able to write to memory. They may still be able to read the data though, and this has been a drawback in thwarting all attempts at securing contents in memory.

Exploits

There are tools that can dump the contents of main memory to a file. In computer forensics, it is used mainly to get data like passwords, in order to access user accounts like login, e-mail and other types of data that is used to authenticate or verify a user. Identity applications that store personally identifiable information in memory can be vulnerable to malicious applications that exploit this security issue.

There are tools like mimikatz that exploit this particular flaw. While mimikatz was meant for ethical hacking, there are more nefarious tools that are used for hacking that target users using social engineering methods like phishing, e-mail links and even apps available for download. The most vulnerable to these attacks are mobile users who install them on their smartphones. Once a user has a malware installed, it can do plenty of harm to the user privacy and security.

RAM scraping is one of the more common exploits that malicious applications use. The malware will attempt to read all the pages in memory to gather interesting data. Since most of the data is in clear text and not encrypted, it can be easily read. Even if the data is encrypted, when a user process decrypts that data, it will be written back to main memory in its clear form. That gives an opportunity for malware to read the contents of that data.

Memory-resident malware are one of the most serious and persistent threats. There are a type of malicious software that writes itself directly onto a computer’s system memory. That means that even after rebooting the device, the malware remains in the system. It can load itself as a process in memory via registry entries, WMI triggered events and background intelligent transfer service (BITS) tasks.

Mitigation

There is no 100% solution available to prevent access to clear text in memory. It would require a new hardware architecture, but for most devices there is no totally secure way to prevent data from being read. While the operating system kernel is supposed to protect data in memory, if the process is privileged it can read/write to memory. Malware and spyware take advantage of privileged access to exploit this security issue, and there is no fool proof defense against it unless there is a modification in system architecture.

Perhaps the best mitigation measure is beyond the app. It should really be the responsibility of the user to have an antivirus program or computer security application installed to prevent, detect and block malware and other spyware applications.

From an application development perspective, here are recommendations:

  • Have developers clear the memory location of sensitive data to prevent persistent attacks to main memory.
  • While the data is loaded into the device’s main memory to display to a screen, there is still a window of time for a malicious process to access the memory location. Developers can make sure that the memory location cannot be accessed by other applications. If another process attempts to read or write to the memory location, the app can warn the user and shut the application to prevent the malware from accessing any information.
  • Use a trusted execution function, but this requires hardware that supports it. This allows developers to write sensitive data to a protected portion of memory that no other process can read or write to. This is a more advanced technique, but is highly secure.
  • Encrypt data always when necessary. Encrypted data in memory, even when it is read, will require decryption. Most malware cannot do it on the fly, so that makes it more difficult to get the data.

Encryption

Data encryption is the best way of protecting data in memory. With the use of a key encryption technique, malware or other persistent software threats residing in a user’s computer will not be able to directly read the data. For example if you have the following password:

l3tsEncryptN0w

It will appear as is in clear text in its memory storage location. If a malware app is able to snoop this memory address and read its contents, it exposes the user to further threats.

When encryption is applied (RSA 1024), the password will appear as:

Sd2ajziW+3tq3Q2JcND2oDBN9MfBKitKwz6PGAwZK1YwIxXoT14BWr+e3vGfeNHUO4AidwrmAsr8lrw958LXkmnupHvZbyPssLDILjNL6d2sx4ovbJ/squvqWnDCMcWKuBifVzLDsGkpY7qyiiyrC1OFqMKtmPBY2xjKxV8YaLo=

This makes it less likely that the data will get compromised and at the same time provides a layer of security to protect private data.

Conclusion

It is not the application developers actual responsibility to protect data in main memory. That is the operating system’s job. It still remains a problem for both operating system and device vendors because of the existing architecture. There is no other security layer other than what the device is built upon. In that case, users will need to protect their devices using computer security products, which application developers are not responsible for. The best method is to adopt the best practices used in developing applications on various devices. The application should be developed to prevent ways malware can access data. The more ways there are to mitigate the problem, the better security provided to users.

Further References:

CWE-316: Cleartext Storage of Sensitive Information in Memory
https://cwe.mitre.org/data/definitions/316.html

CWE-922: Insecure Storage of Sensitive Information
https://cwe.mitre.org/data/definitions/922.html

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vincent Tabora

Vincent Tabora

Editor HD-PRO, DevOps Trusterras (Cybersecurity, Blockchain, Software Development, Engineering, Photography, Technology)