How to delete a C# variable value permanently from memory?

Question

I have created a variable in C#. Now I want to clear the variables value from the computer memory. Is there any way to do that?

Below is my current attempt at deleting the value of recordLine, but I can still read the value from memory with DumpIt even though I set the variable to null and call garbage collection.

private void Extract_SLST_VariableLine()
{
      StreamReader file = new StreamReader(FilePath + FileName);
      while (!file.EndOfStream)
      {

            string recordLine = null;
            if ((recordLine = file.ReadLine()).Trim() != string.Empty)
            {
                  console.writeline(recordLine);
            }
            recordLine=null;
            gc.collect();

      }
}

I don't know Garbage collector working or not but the values are retrievabale while using dumpit.exe — Akash Daniel, Jul 04 '19 at 11:23
Similar question for Java: https://security.stackexchange.com/questions/148282/passwords-in-memory-practical-ways-to-improve-security — Anders, Jul 04 '19 at 11:25
@ThoriumBR Rebooting only works if the page containing the data wasn't written to swap space, *or* it was and has subsequently been overwritten *and* the overwrite actually caused the data on the media to be overwritten (SSD wear levelling, I'm looking at you). — user, Jul 04 '19 at 13:31

score 4 · Answer 1 · edited Jun 16 '20 at 09:49

Just setting a string to null or calling the GC will not help here. It might delete the reference to the value, but not the value itself. After GC, it may be overwritten, but there is no guarantee that it will happend anytime soon.

What you need instead is something aking to a SecureString, that implements a Dispose method and some obfuscation. However, the security it provides is limited:

We don't recommend that you use the SecureString class for new development. For more information, see SecureString shouldn't be used on GitHub.

SecureString is a string type that provides a measure of security. It tries to avoid storing potentially sensitive strings in process memory as plain text. (For limitations, however, see the How secure is SecureString? section.)

The problem here is that if there is sufficently advanced malware with sufficiently high priviliges on your system, no secrets are safe no matter what fancy C# types you wrap them in. So I am not sure this is a problem with a solution.

If you do use a secure string, think about how you get the value into and out of it. If it passes through an ordinary string, you have gained absolutely nothing.

The class documentation you linked to includes a warning: "We don't recommend that you use the SecureString class for new development. For more information, see [SecureString shouldn't be used on GitHub](https://github.com/dotnet/platform-compat/blob/master/docs/DE0001.md)." — Philipp, Jul 04 '19 at 11:52
@Philipp Ah, thanks. Long time since I worked with C#, apparently technology evolves. See my edit. Thanks again. — Anders, Jul 04 '19 at 12:05

score -1 · Answer 2 · edited Sep 09 '19 at 05:50

-1

C# handles garbage collection automatically, you can call it explicitly with GC.Collect() however it is considered bad practice.

Below is a far more succinct and detailed explanation than I am equipped to give.

Alternatively why not just overwrite the variable with a dummy value? You could use null I guess but you would have to be careful of causing an exception and add in checks accordingly.

Then call GC.Collect() to clear the now unassigned data from memory. Whether that actually work or not I'm not sure.

EDIT: Based on comments below it does not.

See slightly ugly example...

var foo = 'sensitive';
// Your code
foo = null;
// call GC.Collect()

What's so wrong about using GC.Collect()?

GC.Collect() documentation

edited Sep 09 '19 at 05:50

Pang

185
6

answered Jul 04 '19 at 10:54

3therk1ll

149
1
1
11

I tried this but it is not working – Akash Daniel Jul 04 '19 at 10:55
I am using dumpit exe to get memory dump – Akash Daniel Jul 04 '19 at 11:00
it show all the values stored in my variable – Akash Daniel Jul 04 '19 at 11:01
@AkashDaniel Then please post your code, and show how you can read the value after it was supposedly deleted. – Jul 04 '19 at 11:18
1

Setting the variable to null does not overwrite the memory. My guess is that you can't do that with a string (not sure, though). Also, the GC might release the memory so it may be overwritten later, but it does not overwrite it immediately. – Anders Jul 04 '19 at 11:21
That's the idea. Overwrite and call garbage collection. I'll edit to make that more clear – 3therk1ll Jul 04 '19 at 11:23
1

@MechMK1 There is a exe called dumpit , it is used to collect memory dump and generate as txt format. when i search my variable value from it shows all – Akash Daniel Jul 04 '19 at 11:34
2

@RichC Setting to null does not overwrite. Calling GC makes no difference. – Anders Jul 04 '19 at 11:37
I think maybe you're best asking this in Stack Overflow – 3therk1ll Jul 04 '19 at 11:39
@Anders tq for ur support – Akash Daniel Jul 04 '19 at 11:50
@MechMK1 tq for ur support – Akash Daniel Jul 04 '19 at 11:51
1

@RichC tq for ur support – Akash Daniel Jul 04 '19 at 11:51
2

Overwriting doesn't work in C# (e.g. foo = "sensitive"; foo = "masking###"; ) because of the way C# strings are immutable. When you try to modify a string, a new string is allocated. To have some measure of control about where strings are allocated, the P/Invoke and pointers will need to be used, but there will still be holes in this approach. – Ants Jul 05 '19 at 15:02

score -1 · Answer 3 · answered Jul 11 '19 at 15:21

As the variables store the memory on the heap If we assign variable to null it will just change the pointer and access the null reference with out deleting the previous variable it applies to even reassigning the variable also. Using IDisposable interface in C# we can remove the variables details from the memory by calling the garbage collector manually.

The below code will call the Dispose function and collects the all variables from the class and remove.

Public class Process : IDisposable {

private void Extract_SLST_VariableLine()
{
    try
    {
        StreamReader file = new StreamReader(FilePath + FileName);
        while (!file.EndOfStream)
        {

            string recordLine = null;
            if ((recordLine = file.ReadLine()).Trim() != string.Empty)
            {
                console.writeline(recordLine);
            }
            recordLine=null;
        }
    }
    catch()
    {
    }
    finally
    {
        Dispose();
    }
}

}

 public void Dispose()
 {

        GC.Collect();
        GC.SuppressFinalize(this);
 }

For more reference you can find in the follwoing links.. https://docs.microsoft.com/en-us/dotnet/standard/garbage-collection/implementing-dispose

The GC collection doesn't _delete_ the value, it just tells the OS to reuse that area of memory. The value is still there in memory, your code just no longer has any direct handle to it. — Nic, Jul 11 '19 at 15:51
@NicHartley any other way to delete the values from memory permanently ? — anvesh, Jul 15 '19 at 18:00
@NicHartley I have a requirement where I get the credit card number with other details in a json from API call. so I have to store the details in variable. and then I have to read 7th digit of the card number. The top-voted answer doesn't suit to my requirement. Any other solution? — anvesh, Jul 15 '19 at 19:16

How to delete a C# variable value permanently from memory?

3 Answers3