Skip to content

Protect your memory .NET πŸ›‘οΈ Memory protection library for .NET Framework and .NET Core.

License

Notifications You must be signed in to change notification settings

undergroundwires/SafeOrbit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

SafeOrbit - Protect your memory in .NET

NuGet Status Build status contributions welcome

What

SafeOrbit is an advanced memory protection library with easy to use classes.

  • Protects your strings in memory while allowing you to securely compare & modify them with SafeString.
  • Protects your binary data with SafeBytes.
  • Anti injection module safeguards your application against memory injections and timing attacks using SafeObject, SafeContainer (injection aware DI container) and more.
  • Leverages high performance and secure algorithms for encryption, hashing and random in interfaces that makes it much hard to screw up.

Why

  • You want to secure strings in memory and modify & compare them without revealing them in memory.
  • You want to take advantage of security best-practices without having any cryptology knowledge.
  • You want to use high-performance algorithms in .NET such as Murmur32 hashing and Blowfish encryption.
  • You do not trust OS generated crypto randoms and want direct access to entropy hashes or non-OS PNRG seeded by them.

Want to say thanks? 🍺

Hit the ⭐ star ⭐ button

Contribute

Feel free to contribute by joining the coding process or opening issues. Read more on wiki.

License

This project is MIT Licensed. It means that you're free to use SafeOrbit freely in any application, copy, and modify its code.

It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience. -Auguste Kerckhoffs

Quick Documentation

Visit wiki for full documentation

Memory security

SafeString (wiki)

  • SafeString represents an encrypted string that guarantees to not leak your data in the memory while allowing modifications and comparisons.
  • It has more advantages over System.Security.SecureString because of the security design of the SafeOrbit.
SecureString SafeString
Supports multiple encodings βœ– βœ”
Safely character insert βœ– βœ”
Safely character remove βœ– βœ”
Safely equals βœ– βœ”
Safely retrieve βœ– βœ”
Reveal only single char βœ– βœ”
Unlimited characters βœ– βœ”
Timing attack protection βœ– βœ”

SafeBytes (wiki)

  • SafeBytes is protected sequence of bytes in memory.
  • It's a lower level module used by SafeString.
  • You can hide any data from the memory, then modify and compare them safely without revealing the bytes.

Detect injections

  • You can detect injections for any of your .NET class including their
    • the state (data in the memory)
    • code that's loaded in memory
  • Internal protection for SafeOrbit library be enabled as default.

SafeObject (wiki)

An object that can detect memory injections to itself.

    var safeObject = new SafeObject<Customer>();
    // Each change to the object's state or code must be using ApplyChanges
    safeObject.ApplyChanges((customer) => customer.SensitiveInfo = "I'm protected!");
    // Retrieve safe data
    var safeInfo = safeObject.Object.SensitiveInfo; // returns "I'm protected!" or alerts if any injection is detected

SafeContainer (wiki)

  • SafeContainer is a dependency container that detects and notifies injections to its instances.
  • It's security mode can be changed dynamically.

InjectionDetector (wiki)

  • A service that's consumed by SafeContainer and SafeObject.
  • Lowest level of the injection detection and alerting mechanism.

Cryptography

Encryption (wiki)

Supported:

  • Asynchronous encryption using cryptostreams.
  • ISafeEncryptor a.k.a. AES-256
    • Considered as one of the strongest encryption algorithms.
    • Easy-to-use interface using best-practices such as PBKDF2 key derivation, random IV, salt and PKCS7 padding.
  • IFastEncryptor a.k.a. Blowfish
    • Considered as one of the fastest encryption algorithms.
    • ECB & CBC (with IV) implementation that passes the vector tests.

Hashers (wiki)

Supported :

  • ISafeHasher a.k.a. SHA512 for higher security.
  • IFastHasher a.k.a. MurmurHash (Murmur32) for better performance, it should be seeded and salted.

Random (wiki)

What if your OS crypto random has in any way been undermined (for example, by a nefarious government agency, or simple incompetence)?

SafeOrbit guarantees not to reduce the strength of your crypto random. It has the ability to improve the strength of your crypto random:

  • SafeRandom combines different entropy sources
  • FastRandom is a simple wrapper around a PRNG, which uses SafeRandom for seed material.

Speed up

  • For better performance, it's highly recommended to start the application early in your application start with SafeOrbitCore.Current.StartEarlyAsync();.

  • Memory injection is enabled as default.

    • It provides self security on client side applications, but on a protected server disabling the memory injection for more performance is recommended. Read more on wiki.