I just answered a question where I said that while string interning is good, it can be a security problem since a string's value can be easily accessed later on.
And while I’m quite sure this is true 🙂 I am not sure how easy it really is. I tried googling the topic but I got no relevant results (the google-fu is weak in this one), so then I try you folks on SO.
Do you know of any ‘easy’ way to access the list of interned strings in an app domain? Must I use memory dumps and that stuff or is there a method like AppDomain.GetInteredStringsList()?
And related to that: How easy is it really to get any useful data from interned strings? Is it really a security hole to store sensitive data in strings?
It’s not particularly easy – but it’s doable.
Basically, if you’ve got anything which can take a memory dump, you could find bits of memory which look like they’re string objects. (In particular, they’ll all have the same ‘pointer to type information’ at the start, so if you’ve got a sample string, you’re away.)
By the way, this has little to do with interned strings. It’s not like all strings are interned – only string constants, and strings which the user explicitly interns.
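The following is an added example, not part of the original answer. It uses the real string.IsInterned and string.Intern APIs to show which strings end up in the intern pool, then contrasts an immutable string with a char[] buffer that the program can zero. The class name, helper name and sample value are constructed for illustration.

```csharp
using System;

static class InternDemo
{
    // Constructed sample value. It is stored as chars, so no string literal
    // with this value exists in the assembly's metadata.
    static readonly char[] SampleSecret = { 's', '3', 'c', 'r', '3', 't', '!' };

    // string.IsInterned returns the pooled reference, or null if the value is not pooled.
    static string Describe(string s) =>
        string.IsInterned(s) is null ? "not interned" : "interned";

    static void Main()
    {
        // A string constant: emitted as a literal, which the runtime interns.
        const string literal = "connection-banner";
        Console.WriteLine($"literal:        {Describe(literal)}");

        // Built at run time, as user input or a decrypted value would be.
        string runtimeBuilt = new string(SampleSecret);
        Console.WriteLine($"runtime-built:  {Describe(runtimeBuilt)}");

        // Explicit interning adds the value to the pool; pooled strings are not
        // likely to be released until the runtime terminates.
        string.Intern(runtimeBuilt);
        Console.WriteLine($"after Intern(): {Describe(new string(SampleSecret))}");

        // Interned or not, a string is immutable: the program cannot overwrite
        // its characters, and they stay in the heap until the GC reclaims them.
        // A char[] can be zeroed as soon as the value is no longer needed.
        char[] buffer = (char[])SampleSecret.Clone();
        try
        {
            Console.WriteLine($"working buffer holds {buffer.Length} chars");
        }
        finally
        {
            Array.Clear(buffer, 0, buffer.Length);
        }
        bool wiped = Array.TrueForAll(buffer, c => c == '\0');
        Console.WriteLine($"buffer wiped:   {wiped}");
    }
}
```

Clearing the buffer shortens how long the value is visible to a memory dump; it does not remove copies made elsewhere, such as the runtimeBuilt string above.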