This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 12%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Im downloading/reading data from my database with Curl and the following code:
c++
static size_t WriteCallback(void* contents, size_t size, size_t nmemb, void* userp)
{
((std::string*)userp)->append((char*)contents, size * nmemb);
return size * nmemb;
}
void Url(std::string& data, std::string url, std::string mode, std::string json)
{
CURLcode ret;
CURL* curl;
struct curl_slist* slist1;
curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);
if (!json.empty())
{
slist1 = NULL;
slist1 = curl_slist_append(slist1, "Content-Type: application/json");
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json.c_str());
//curl_easy_setopt(curl, CURLOPT_USERAGENT, "curl/7.38.0");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
}
curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, mode.c_str());
curl_easy_setopt(curl, CURLOPT_TCP_KEEPALIVE, 1L);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteCallback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &data);
ret = curl_easy_perform(curl);
curl_easy_cleanup(curl);
curl = NULL;
if (!json.empty())
{
curl_slist_free_all(slist1);
slist1 = NULL;
}
}
// ...
std::string data = "";
Url(data, "", "POST", "{\"key\": \"test\"}")
// ...
SecureZeroMemory(&data, sizeof(data));
When I go to the process which calls the code above and creates a dump file from it, I can find all the data from the Curl call inside of the dump file, is readable even the content of the key sent "test".
This is how it looks in the dump file:
Server: Cowboy
Connection: keep-alive
Vary: Origin
Content-Type: text/plain; charset=utf-8
Content-Length: 43
Date: Thu, 14 Oct 2021 16:14:45 GMT
Via: 1.1 vegur
< the data received >
< the API path > HTTP/1.1
Host: ....herokuapp.com
Accept: */*
Content-Type: application/json
Content-Length: 23
{"key":"test"}
I'm using Heroku and MongoDB, with Curl I'm connecting to the API path in Heroku like :
https://....herokuapp.com/api/...
In the dump file just after the path, there's an HTTP
https://i.imgur.com/UaPin1i.png
As per suggestion I also tried to call for SecureZeroMemory.
But all the info is still readable inside of the dump file, API paths, json keys, content send/received, server name, etc.
c++
static size_t WriteCallback(void* contents, size_t size, size_t nmemb, void* userp)
{
// userp is a pointer to a std::string
// -> cast to std::string* and store in variable for ease of use
std::string* str = reinterpret_cast<std::string*>(userp);
// size of current data
std::size_t bak_size = str->size();
char* bak = new char[bak_size]; // temporary buffer
str->copy(bak, str->size()); // copy current data into temporary buffer
// Zeroes current data
RtlSecureZeroMemory(const_cast<char*>(str->data()), str->size());
// Resize the string (userp), this causes reallocation
// -> the memory must be zeroed before because the old data may still be in memory
// after it is discarded for the string to allocate new blocks
str->resize(str->size() + (size * nmemb));
RtlCopyMemory(const_cast<char*>(str->data()), bak, bak_size); // Copy from temporary buffer into new address
RtlCopyMemory(const_cast<char*>(str->data()) + bak_size, contents, size * nmemb); // Append the new content
// Zeroes and frees the temporary buffer.
RtlSecureZeroMemory(bak, bak_size);
delete[] bak;
bak = nullptr;
//((std::string*)userp)->append((char*)contents, size * nmemb);
//memset(contents, 0, size * nmemb);
// Zeroes the content
RtlSecureZeroMemory(contents, size * nmemb);
return size * nmemb;
}
Would like to ask what I could do to avoid it being so easily readable.
If it's possible somehow to clear it from being stored in the memory.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 12%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
You'll need to use RtlSecureZeroMemory (assuming you're using Windows) to overwrite any memory allocated by the operations. However, that may require internal knowledge of what struct curl_slist constitutes.
Maybe do something like this:
static size_t WriteCallback(void *contents, size_t size, size_t nmemb, void *userp)
{
((std::string*)userp)->append((char*)contents, size * nmemb);
memset(contents, 0, size * nmemb);
return size * nmemb;
}
Also clear the data variable.
Beware that memset should not be used to "secure" memory - the compiler can optimize it away if it sees no necessary effect in what it does. Best to use RtlSecureZeroMemory (aka SecureZeroMemory) instead.
Hello David, i tried both suggestions memset and also clearing the value of the variable data. but the downloaded data from the curl request is still readable from a dump file of the process.
See my initial comment.
If the library doesn't provide any such facility, it might be difficult to achieve yourself.
It appears that the code is appending the data to a string variable. Are you sure that what you see in the dump isn't this appended data versus the addresses used in the download?
I've updated the topic added more info.
@David Lowndes I tried RtlSecureZeroMemory but all the data is still stored inside of the dump file.
Then you're not clearing what you want - and unless the library you're using has provision to operate in such a secure manner, you may find it an impossible task.
Why are you concerned about the data you indicate being left in memory - will anyone have sufficient privileges to get a dump of your process? If something like this is to be secured, one would normally try to restrict access to that machine to prevent it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 98%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIT%3C/text%3E%3C/svg%3E)
I imagine Curl itself allocates internal buffers with plain malloc, then deallocates them with plain free, without bothering to clear their contents first.
If you want to make sure that every byte sent or received is quickly overwritten, you'd probably have to write your own client at the Winsock level. Even then I'd be wondering about buffers inside Winsock itself.
Even before we get to Curl, Url(data, "", "POST", "{\"key\": \"test\"}") call will leave those strings visible in freed heap blocks. You are creating and destroying std::string instances, which would allocate and deallocate memory to store the string contents.