Securing Sensitive Information
Do not hardcode secrets such as passwords, usernames, tokens, private keys or similar values into firmware release images. The same applies to sensitive data that is written to disk. If a hardware secure element (SE) or Trusted Execution Environment (TEE) is available, use it to store sensitive data. Otherwise, evaluate the use of strong cryptography to protect the data at rest.
Wherever possible, sensitive data in clear text should be ephemeral and reside only in volatile memory.
Noncompliant Hardcoded Password Example:
Noncompliant Storing sensitive data to disk Example:
In this noncompliant code example, sensitive information is supposedly stored in the dynamically allocated buffer, secret, which is processed and eventually cleared by a call to memset_s(). The memory page containing secret can be swapped out to disk. If the program crashes before the call to memset_s() completes, the information stored in secret may be written to the core dump.
To prevent the information from being written to a core dump, the size of core dumps that the program will generate should be set to 0 using setrlimit():
Alternatively, mlock() can be used to prevent paging by locking memory in place. This compliant solution not only disables the creation of core files but also ensures that the buffer is not swapped to disk:
Storing Sensitive Data, Noncompliant Example: In this example, sensitive information stored in the dynamically allocated memory referenced by secret is copied to the dynamically allocated buffer, new_secret, which is processed and eventually deallocated by a call to free(). Because the memory is not cleared, it may be reallocated to another section of the program, where the information stored in new_secret may be unintentionally leaked.
Storing Sensitive Data, Compliant Example: To prevent information leakage, dynamic memory containing sensitive information should be sanitized before being freed. Sanitization is commonly accomplished by clearing the allocated space (that is, filling the space with '\0' characters).
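The three controls described above (disable core dumps with setrlimit(), lock the buffer with mlock(), and sanitize before free()) combined into one secret lifecycle, as an added example that is not code from the original page. It assumes a POSIX system; because glibc does not provide memset_s(), a volatile-pointer clearing loop stands in for it, and the sample secret is a constructed value.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Clear a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead code; stands in for memset_s(), which glibc does not provide. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Forbid core dumps so a crash mid-processing cannot write the secret to disk. */
int disable_core_dumps(void) {
    struct rlimit limit = { 0, 0 };   /* rlim_cur = rlim_max = 0 */
    return setrlimit(RLIMIT_CORE, &limit);
}

/* Allocate a secret buffer and lock its pages so they are never swapped out.
 * Returns NULL (with nothing left allocated or locked) on failure. */
unsigned char *alloc_locked_secret(size_t size) {
    unsigned char *secret = malloc(size);
    if (secret == NULL) return NULL;
    if (mlock(secret, size) != 0) {
        free(secret);
        return NULL;
    }
    return secret;
}

/* Sanitize before free(): the block may be reused elsewhere in the program,
 * so clear it first, then unlock and release it. */
void free_locked_secret(unsigned char *secret, size_t size) {
    if (secret == NULL) return;
    secure_zero(secret, size);
    munlock(secret, size);
    free(secret);
}

int main(void) {
    const char sample[] = "constructed-sample-secret";   /* constructed input */
    if (disable_core_dumps() != 0) return 1;
    unsigned char *secret = alloc_locked_secret(sizeof sample);
    if (secret == NULL) return 1;
    memcpy(secret, sample, sizeof sample);
    /* ... the secret is used only while it sits in this locked buffer ... */
    free_locked_secret(secret, sizeof sample);
    return 0;
}
```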
Considerations:
Do not hardcode certificates across product lines.
Do not hardcode passwords across product lines.
Do not store secrets in an unprotected storage location or external storage including within an EEPROM or flash.