This blog has been moved to Redwerb.com.

Friday, November 17, 2006

Securing Text Data

Perhaps it's just me, but trying to figure out how to secure text data is confusing. Based on all of the articles available, if you are creating an application that uses passwords or other sensitive information, you should use a SecureString, that much is clear. However, a SecureString isn't very useful since it is encrypted (you can't compare a SecureString against a database value, pass it to your credit card processing, etc).


After many hours of research, I was able to find a single example of how to secure text in an MSDN article (of course, it's only mentioned in passing). How to encrypt and decrypt a file by using Visual Basic .NET or Visual Basic 2005 contains a reference to the ZeroMemory API that allows you to clear a string from memory and GCHandle to make sure you don't end up with a bunch of copies of the string.


The following code will create a string, pin it in memory using GCHandle (to make sure it doesn't get moved or have multiple copies made), then destroy the contents of the string so that it can't be held in memory.


    Sub Main()
Dim str As String = "HI"
Dim gh As GCHandle = GCHandle.Alloc(str)
Console.WriteLine(str)
ZeroMemory(str, str.Length * 2)
gh.Free()
Console.WriteLine(str)
End Sub

Private Declare Sub ZeroMemory Lib "kernel32.dll" _
Alias "RtlZeroMemory" _
(ByVal Destination As String, _
ByVal Length As Integer)



The idea behind this is to leave the text in memory for a very short period of time to make it very difficult for a hacker to get. The sensitive text can be stored in a SecureString until you are ready to use it.


Before I found the ZeroMemory solution, I had written another one that I'm going to post here just because it seems interesting. Basically, I use reflection to call a method on System.String that is intended to be used by StringBuilder that will replace a char without making a copy of the string (typically Strings are immutable, any changes to it result in a copy of the string).



    Public Shared Sub DestroyString(ByVal str As String)
Dim mi As MethodInfo
mi = GetType(String).GetMethod( _
"ReplaceCharInPlace", _
BindingFlags.NonPublic _
Or BindingFlags.Instance)

For i As Integer = 0 To str.Length - 1
Dim ch As Char = str(i)
Dim args() As Object
args = New Object() {ch, ChrW(0), i, 1, 0}
mi.Invoke(str, args)
Next
End Sub

I am currently working on another article for Code Project on securing text data, complete with a PasswordBox WinForm control, SecurePassword class, and more. Once it is available, I will post a link to it here.

Saturday, November 11, 2006

Event-Based Asynchronous WebRequest

I've created my first Code Project article! I was looking for a place to upload some code so I could share it from my blog, but the only place that I could find was Code Project, of course that meant that I had to write an article too.

If you are interested in reading about using the WebRequest/WebResponse classes (including processing of the response stream) or implementing the Event-Based Asynchronous Pattern (the pattern used by the BackgroundWorker component), you can read my article at Event-Based Asynchronous WebRequest.

The article includes a project that contains a BackgroundWebRequest component that can be used to perform asynchronous web requests from a WinForm application.

Friday, November 10, 2006

The Holy Grail of .Net Threading

The Epiphany

I was working on a project that needed to be able to process a WebRequest/WebResponse from a thread within a WinForm application. I tried several approaches, including using a BackgroundWorker, however, what I really wanted to do was create my own component similar to the BackgroundWorker, but specifically for WebRequests. Unfortunately, I didn't know how they did it.

As I was driving home from work I had an epiphany. The obvious solution would be to use Reflector for .NET to figure out how Microsoft did it.

Meeting Up With Sir Galahad

I opened the class up in Reflector and used the File Disassembler (an add-in to Reflector) to output it as a VB class. I waded through the code trying to understand what it did when I found the first hint as to the location of the Holy Grail, the AsyncOperation class.

This class looked important in the threading for BackgroundWorker, so I looked up the documentation for it. In the first sentence of the remarks, it contained a link to the Holy Grail.

The Holy Grail of .Net Threading

The Event-based Asynchronous Pattern is a design pattern that is useful for creating a class that can run operations on a separate thread, but will raise events on the main thread (very useful for threading in WinForms).

MSDN has a series of articles that clearly describe this pattern and how to implement it. The Asynchronous Programming Design Patterns node in the MSDN documentation discusses several different asynchronous patterns that you can use.

Wednesday, November 08, 2006

ClickOnce Deployment Rocks!

Just recently I configured an internal tool I'm working on to use ClickOnce deployment. It is the first time I've used it and I have to say that it certainly lives up to it's name.

At least for a small, simple application like the one I've been working on, all you have to do is open up the project properties and push the "Publish Now" button under the Publish tab (VB.Net anyway).

It automatically generates a webpage that other people can use to install the application and, if the application is updated, it will automatically reinstall the next time the user opens it.

For the app I was working on, the most difficult thing to figure out was how to include some assemblies I was referencing from the GAC. To do this, open the project properties, go to the Publish tab, open Application Files, and change the Publish Status to Include. When somebody installs the application, the assemblies are automatically copied locally (they are not installed to the GAC).

If you are interested in where the files are installed on the users machine, it appears they are placed in C:\Documents and Settings\<user>\Local Settings\Apps\2.0\. The application will be in a directory with a randomly generated name.

Monday, November 06, 2006

Book Review - Engineering Your Start-up

Book: Engineering Your Start-Up: A Guide for the High-Tech Entrepreneur

Author: James A. Swanson, Michael L. Baird

Rating: Recommended

Review: This book is focused on financing a high-tech startup. Although I recommend the self-funded approach, it's important to know the ins and outs of financing so that when you want to grow your self-funded company, you haven't made any major mistakes that will make that more difficult than it already is.

This book is a bit dry and technically challenging (at least for non-finance people). However, the authors do a decent job of defining the jargon used in the industry.

A few of the gold nuggets in the book...

  • Ch 6, Startup Financing Terminology and Stages - This includes some of the most basic terminology that a entrepreneur should know to keep from looking too foolish :).
  • Ch 8, Evaluate Markets and Target Customers - Reinforces the arguments for a small (but potentially profitable), niche market and discusses ways to analyze the market to make sure that you can succeed (at least increase your chances).
  • Ch 20, The Legal Form of Your Startup - Definitions for all of the basic types of organizations (Class C, Class S, Partnerships, etc).
  • Ch 21, Making the Startup Decision - Things you need to consider when starting a business, especially while still working for another company.