DOI: 10.1145/3360664.3360681

A Secure String Class Compliant with PCI DSS

Published: 14 November 2019
Abstract

Computer programs often work with a variety of sensitive data, and the String class is widely used in object-oriented programming languages for this purpose. However, saving sensitive data to a String object is not safe: it is not encrypted and may remain in working memory even after it is no longer needed. Due to the non-deterministic behaviour of the mechanism responsible for removing unused items from memory, we cannot say with certainty when a String holding sensitive data will actually be removed. If an attacker obtains part of, or even the entire, memory image, they can easily read this sensitive data. This paper discusses the options in object-oriented languages that give programmers a way of storing data in memory in encrypted form. We present pseudocode for a secure String class that complies with the data retention and cryptography requirements of the PCI DSS standard.
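The approach the abstract describes, illustrated in C++ as an added example that is not the paper's pseudocode or any of the cited implementations: a hypothetical SecureString that keeps its bytes XOR-masked with a per-instance random key, exposes the plaintext only through a callback over a scratch buffer that is wiped immediately afterwards, and wipes itself on destruction or on an explicit clear(). It assumes the masking key may live in the same process, which is a simplification; a real design would protect the key separately.

```cpp
#include <cstddef>
#include <cstring>
#include <random>
#include <string>
#include <vector>
// Overwrite through a volatile pointer so the compiler cannot elide the wipe.
static void secure_wipe(void* p, std::size_t n) {
    volatile unsigned char* v = static_cast<volatile unsigned char*>(p);
    while (n--) *v++ = 0;
}
// Hypothetical SecureString: bytes are stored XOR-masked with a per-instance
// random key, plaintext exists only in a scratch buffer wiped right after use,
// and the object wipes itself on destruction (simplified: the key is in-process).
class SecureString {
public:
    explicit SecureString(const std::string& plain)
        : key_(plain.size()), data_(plain.size()) {
        std::random_device rd;                      // per-instance mask
        for (std::size_t i = 0; i < plain.size(); ++i) {
            key_[i]  = static_cast<unsigned char>(rd());
            data_[i] = static_cast<unsigned char>(plain[i]) ^ key_[i];
        }
    }
    ~SecureString() { clear(); }
    SecureString(const SecureString&) = delete;             // no silent copies
    SecureString& operator=(const SecureString&) = delete;
    std::size_t size() const { return data_.size(); }
    // Run fn over the unmasked bytes, then wipe the scratch buffer.
    template <class F> auto with_plaintext(F fn) const {
        std::vector<char> scratch(data_.size());
        for (std::size_t i = 0; i < data_.size(); ++i)
            scratch[i] = static_cast<char>(data_[i] ^ key_[i]);
        auto result = fn(scratch.data(), scratch.size());
        secure_wipe(scratch.data(), scratch.size());
        return result;
    }
    // Compare without ever handing the plaintext back as a std::string.
    bool equals(const std::string& c) const {
        return with_plaintext([&](const char* p, std::size_t n) {
            return n == c.size() && std::memcmp(p, c.data(), n) == 0;
        });
    }
    // Explicit release: wipe key and masked data, then drop the storage.
    void clear() {
        secure_wipe(key_.data(), key_.size());
        secure_wipe(data_.data(), data_.size());
        key_.clear(); data_.clear();
    }
private:
    std::vector<unsigned char> key_, data_;
};
```

The callback style forces every consumer to finish with the plaintext inside with_plaintext(), so no long-lived std::string copy of the secret is ever created.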



Published In

CECC 2019: Proceedings of the Third Central European Cybersecurity Conference
November 2019
134 pages
ISBN: 9781450372961
DOI: 10.1145/3360664

In-Cooperation

• University of Maribor

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. data protection in memory
2. secure String
3. sensitive data


Funding Sources

• Agentúra na Podporu Výskumu a Vývoja
• Faculty of Science, Pavol Jozef Safarik University

Conference

CECC 2019: Central European Cybersecurity Conference
November 14 - 15, 2019
Munich, Germany

Acceptance Rates

CECC 2019 Paper Acceptance Rate: 19 of 35 submissions, 54%
Overall Acceptance Rate: 38 of 65 submissions, 58%
