One effective way for attackers to gain unauthorized access to passwords, credentials, secrets, and other sensitive data is through memory scraping. By analyzing the memory contents of a device (e.g., RAM memory, browser cache, application cache, etc.), malicious entities may discover this information and use it for numerous harmful purposes, including identity theft, impersonation, financial fraud, and more.
Attacks of this type are a significant threat because numerous types of applications use secrets during normal operation. For example, when users of Microsoft Windows™-based machines utilize their Remote Desktop Connection™ (RDC) or Remote Desktop Protocol™ (RDP) client (e.g., the mstsc.exe client) to access remote technical support (e.g., from an administrator), the remote access is provisioned using a credential. Often, this is a powerful credential (e.g., an administrator's credential or root credential) that can provide broad and deep access throughout the client machine itself and also potentially throughout other networked machines. Because this remote access technique involves storing, at least temporarily, the credential in memory of the client machine, the memory of the client machine is a highly vulnerable attack surface. If attackers are able to monitor or access the memory (e.g., RAM or otherwise) of client machines and obtain powerful administrator credentials, the attackers may have immense power to steal, misuse, and misappropriate data, applications, and documents throughout a network environment. Many other thin clients (e.g., PuTTY, SQL*Plus, Independent Computing Architecture, PC-over-IP, etc.), IT management tools (e.g., Windows Command Prompt™, Windows PowerShell™, etc.), and software scripts (e.g., in languages such as Python, Autolt, etc.), use secrets stored in memory for their operation as well, and pose similar threats.
Internet browsers (e.g., Internet Explorer™, Chrome™, Safari™ Firefox™, etc.) pose additional risks for the theft and misuse of sensitive data. For example, browsers can access a plethora of websites that have log-in (e.g., username and password) prompts, such as social media sites, virtual private network (VPN) sites, personal medical or financial sites, and many more. When users interact with such sites, and optionally use add-on password manager software (e.g., password managers built into Chrome™, Internet Explorer™, etc. or third-party password managers), user credentials are often stored in memory. Additionally, not only are browsers used to enter log-in credentials, but they are also used to prompt users to enter personally sensitive data (e.g., medical, financial, social, etc.). This data may also be stored in memory on a client machine and thus vulnerable to scraping or memory dump attacks.
Further, cloud computing resources (e.g., virtual machines, container instances, etc.) often utilize secrets and other sensitive data during their operation. For example, when a container instance is configured to authenticate itself to a backend server, or to access data from a secure database, a credential or token is often required. Nevertheless, cloud computing systems do not automatically wipe memory utilized by virtual instances. Instead, the virtual instances are processes within an operating system, and the temporary memory utilized by the virtual instances is often preserved throughout the existence of the instance and potentially even longer. Accordingly, this temporary memory is also an attack surface.
There are no effective techniques available to control the exposure of sensitive data and secrets in local memory on computing devices. Indeed, there are many technological hurdles that make effective solutions difficult to achieve.
For example, many applications are designed to store credentials and other sensitive data in clear-text in local memory (e.g., RAM or otherwise). Applications of this type range from browsers, to specific-purpose applications (e.g., social media or business applications), to password manager applications, and more. For these applications, the existence of secrets and other sensitive data in local memory is a security threat.
Many of these applications are not designed to effectively or easily wipe the memory of secrets and other sensitive data. Often, it is up to a developer's particular implementation to implement memory wiping, and thus the process is susceptible to errors and oversights. For example, in C++ the developer may need to call the SecureZeroMemory( . . . ) WinAPI function with respect to a secrets buffer. In C #, a developer may need to use the SecureString object in order to wipe memory. These techniques are thus incomplete and difficult to fully implement.
These difficulties are compounded by the fact that many programming languages do not provide a mechanism for wiping memory. For example, in Python, string objects are not changeable after they are created. Thus, even if a string associated with a password is deleted, there would likely be other instances of the password associated with other string operations. Similarly, in Autolt, passwords and other credentials cannot be completely encrypted and protected from access. Attackers can decompile Autolt code and fetch credentials from memory even if encryption is used. Accordingly, in these languages it is very difficult if not impossible to ensure the protection of credentials and other sensitive data that is stored in local memory. Similarly, many types of third-party software that organizations and individuals use may not have a way to comprehensively or accurately wipe memory of passwords or other data. For third-party software, organizations and individuals lack access to the software itself and thus cannot attempt to remedy these problems.
When secrets and other sensitive data are not wiped from memory when a process or application terminates, they may reside in memory for a potentially lengthy period of time. Some operating systems (e.g., Windows™) do not automatically clear memory of credentials and other data when processes terminate, and thus these sensitive elements of data may remain in memory indefinitely. This prolongs the existence of the memory as an attack surface and extends the vulnerabilities of memory-based attacks. Attack tools such as Mimikatz and others may then be used to steal credentials and other data from memory.
Accordingly, in view of these and other deficiencies in existing techniques for managing credentials and other sensitive data, technological improvements are needed in order to more securely, comprehensively, and adaptively identify and control such data. Improvements and solutions to these and other technological problems are discussed in detail below.