I’d like to be able to pass a SecureString (a cached passphrase) to a child process in C# (.Net 3.5), but I don’t know what the most secure way is to do it. If I were to convert the SecureString back to a regular string and pass it as a command-line argument, for example, then I think the value may be prone to disk paging–which would make the plaintext touch the filesystem and ruin the point of using SecureString.
Can the IntPtr for the SecureString be passed instead? Could I use a named pipe without increasing the risk?
In general you should define your threat model before worrying about more exotic attacks. In this case: are you worried that somebody shuts down the computer and does a forensic analysis of the harddrive? Application memory can also be swapped out, so the simple fact that one process has it in memory, makes it potentially possible for it to end in the swap file. What about hibernation? During hibernation the entire content of the memory is written to the harddisk (including the SecureString – and presumably the encryption key!). What if the attacker has access to the system while it’s running and can search through the memory of applications?
In general client side security is very tricky and unless you have dedicated hardware (like a TPM chip) it is almost impossible to get right. Two solutions would be: