Bear in mind that if this is actually going in for real life use, and is protecting sensitive information, it could be trivially defeated.
If you are actually designing this for a public system or something and want this to be secure in any way or robust enough for public exposure, you firstly need to authenticate by comparing hashes rather than values directly (you are opening yourself to memory inspection and disassembly attacks).
Also protect the variable address using the RTL API (VarPtr) and call SecureZeroMemoryW on it when you are finished (under Windows), as the garbage collection in VB6 is notoriously bad and sometimes doesn't happen. Consult the NTLM reference on MSDN, as it has good documentation on general memory sanitization in VB6.
Alternatively, use a language that deals with memory properly, or use a purpose-built external authentication system.
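A sketch of the advice above in VB6, added here as an example and not code from the original post: the program stores only a salt and a digest, hashes the entered text through CryptoAPI, compares digests without an early exit, and wipes its plaintext buffers with RtlZeroMemory (the kernel32 export VB6 can Declare). `VerifyPassword`, `salt` and `stored` are hypothetical names, and a single salted SHA-256 is used to keep it short; for stored passwords a slow KDF such as PBKDF2 is the stronger choice.

```vb
Option Explicit
Private Declare Function CryptAcquireContext Lib "advapi32.dll" Alias "CryptAcquireContextA" (phProv As Long, ByVal pszContainer As String, ByVal pszProvider As String, ByVal dwProvType As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptCreateHash Lib "advapi32.dll" (ByVal hProv As Long, ByVal Algid As Long, ByVal hKey As Long, ByVal dwFlags As Long, phHash As Long) As Long
Private Declare Function CryptHashData Lib "advapi32.dll" (ByVal hHash As Long, pbData As Any, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptGetHashParam Lib "advapi32.dll" (ByVal hHash As Long, ByVal dwParam As Long, pbData As Any, pdwDataLen As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptDestroyHash Lib "advapi32.dll" (ByVal hHash As Long) As Long
Private Declare Function CryptReleaseContext Lib "advapi32.dll" (ByVal hProv As Long, ByVal dwFlags As Long) As Long
Private Declare Sub ZeroMemory Lib "kernel32" Alias "RtlZeroMemory" (Destination As Any, ByVal Length As Long)

Private Const PROV_RSA_AES As Long = 24
Private Const CRYPT_VERIFYCONTEXT As Long = &HF0000000
Private Const CALG_SHA_256 As Long = &H800C&   ' trailing & keeps the literal a Long
Private Const HP_HASHVAL As Long = 2

' Hypothetical helper: True when SHA-256(salt || password) equals the stored
' 32-byte digest. salt() and stored() are assumed to be loaded by the caller
' from wherever the enrollment step saved them; no plaintext is kept anywhere.
Public Function VerifyPassword(ByRef password As String, salt() As Byte, stored() As Byte) As Boolean
    Dim hProv As Long, hHash As Long, cb As Long, i As Long, diff As Long
    Dim ok As Boolean, pw() As Byte, digest(0 To 31) As Byte
    If LenB(password) = 0 Then Exit Function
    pw = password                                  ' UTF-16 bytes of the entered text
    cb = 32
    ok = CryptAcquireContext(hProv, vbNullString, vbNullString, PROV_RSA_AES, CRYPT_VERIFYCONTEXT) <> 0
    If ok Then ok = CryptCreateHash(hProv, CALG_SHA_256, 0, 0, hHash) <> 0
    If ok Then ok = CryptHashData(hHash, salt(LBound(salt)), UBound(salt) - LBound(salt) + 1, 0) <> 0
    If ok Then ok = CryptHashData(hHash, pw(0), UBound(pw) + 1, 0) <> 0
    If ok Then ok = CryptGetHashParam(hHash, HP_HASHVAL, digest(0), cb, 0) <> 0
    If ok Then ok = (UBound(stored) - LBound(stored) = 31)
    If ok Then
        ' OR the byte differences together so the loop always runs all 32 bytes
        For i = 0 To 31
            diff = diff Or (digest(i) Xor stored(LBound(stored) + i))
        Next i
        VerifyPassword = (diff = 0)
    End If
    If hHash <> 0 Then CryptDestroyHash hHash
    If hProv <> 0 Then CryptReleaseContext hProv, 0
    ' Wipe the plaintext copies instead of waiting for VB6 to release them
    ZeroMemory pw(0), UBound(pw) + 1
    ZeroMemory ByVal StrPtr(password), LenB(password)
    ZeroMemory digest(0), 32
End Function
```

Pass the password in a String variable rather than directly from a control property, so that the final wipe clears the caller's buffer and not a temporary copy.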