::::::::: PowerShell :::::::::
Saturday, April 01, 2006
  [MSH] Extending System.Security.SecureString
I was reading Monad Technology Blog about Base64 Encode/Decode a string, which deals with extending a .NET object System.String to include script properties (which you can also add in an interactive mode through "add-member -type ScriptProperty" but lasts only during the given session) called "ToBase64String" and "FromBase64String".

Well, to apply the concept, I have decided to extend System.Security.SecureString by creating a new Monad XML type file called "my.types.mshxml"(the name is from Monad Technology blog) at $MshHome(for most of people, it should be "C:\Program Files\Microsoft Command Shell\v1.0") and then extended SecureString to include a script property called UnsecureString.
UnsecureString decodes SecureString's content.

*NOTE: I won't go into details on how you can view SecureString content. If you would like to know how you can view a secure string content and want to find out more about Windows Data Proctection, please refer to following sites
My.Types.Mshxml
<?xml version="1.0" encoding="utf-8" ?>
<Types>
<Type>
<Name>System.Security.SecureString</Name>
<Members>
<ScriptProperty>
<Name>UnsecureString</Name>
<GetScriptBlock>
[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($this))
</GetScriptBlock>
</ScriptProperty>
</Members>
</Type>
</Types>
Then, as you see in Monad Technology Blog, load the newly created custom type data:
Update-TypeData $MshHome\My.Types.Mshxml

Let's see if System.Security.SecureString has been extended or not
MSH>$admin = get-credential administrator
MSH>($admin.password).getType().fullName
System.Security.SecureString
MSH>$admin.password | get-member -MemberType ScriptProperty | format-list

TypeName : System.Security.SecureString
Name : UnsecureString
MemberType : ScriptProperty
Definition : System.Object UnsecureString {get=[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($this));}
Now, you can see that SecureString type has been extended with "UnsecureString".
From this point on,
MSH>$admin.password
System.Security.SecureString
MSH>$admin.password.UnsecureString
*** secret ***

where *** secret *** is your decoded password string.


But this raises a couple of questions.
  1. Displaying clear, unsecure string for the credential object is a security threat
  2. I can't answer "IMPORTANT" note posted on Monad Technolog Blog site
    • <IMPORTANT POINT>
      Whenever you are adding some functions, you should make a conscious decision about whether those functions are best exposed as a "function" or as a "type extension".
      </IMPORTANT POINT>

I don't know when extending SecureString would come in handy without causing any security problems.
Will anyone be able to justify the need for extending SecureString to display clear string?
Well it's all up to you whether you would want to or not. (I just like to mess around...)


Tags :
 
Comments: Post a Comment

Links to this post:

Create a Link



<< Home
Let's get lazy with PowerShell!

Name:
Location: Flushing, NY, United States

Experimenting with a different format of blogs...

Links
ARCHIVES
10/01/2005 - 11/01/2005 / 11/01/2005 - 12/01/2005 / 12/01/2005 - 01/01/2006 / 01/01/2006 - 02/01/2006 / 02/01/2006 - 03/01/2006 / 03/01/2006 - 04/01/2006 / 04/01/2006 - 05/01/2006 / 05/01/2006 - 06/01/2006 / 06/01/2006 - 07/01/2006 / 07/01/2006 - 08/01/2006 / 08/01/2006 - 09/01/2006 / 10/01/2006 - 11/01/2006 / 11/01/2006 - 12/01/2006 /


Powered by Blogger