I’m using the Azure SDK to connect to Service Bus with a ClientSecretCredential:

```csharp
using Azure.Identity;
using Azure.Messaging.ServiceBus;

// The secret is passed as a plain string and kept by the credential for its lifetime.
var credential = new ClientSecretCredential(
    tenantId,
    clientId,
    clientSecret);

var client = new ServiceBusClient(serviceBusNamespace, credential);
```

The problem is that the clientSecret is stored as a plain string in memory for the lifetime of the ClientSecretCredential object. In long-running processes, this could make the secret vulnerable to memory-dump attacks.

I’m looking for best practices to reduce memory exposure in this scenario. Specifically:

  1. Is there a way to use SecureString or some other in-memory protection with ClientSecretCredential?

  2. Are there recommended patterns when Managed Identity is not an option (e.g., cross-tenant scenarios)?

I want to minimise the risk of exposing client secrets in memory without breaking the SDK usage.

Comments:

  • No - you cannot change how ClientSecretCredential works (it accepts and stores the client secret as you stated). According to MS "best practices", in most cases you should use DefaultAzureCredential instead of ClientSecretCredential. DefaultAzureCredential automatically determines the appropriate authentication method based on the environment (e.g., Managed Identity on Azure, user login for local development). It avoids the need to manage secrets entirely when running in Azure. Commented Aug 28 at 13:42
  • "Important: We recommend that you don't use the SecureString class for new development on .NET (Core) or when you migrate existing code to .NET (Core)." learn.microsoft.com/en-us/dotnet/fundamentals/runtime-libraries/… It's basically pointless, because anyone who can read your memory can probably get around SecureString restrictions anyway. Prevent anyone getting access to your memory in the first place; once they are that far it's game over. Putting it another way, if they can access memory they can do whatever you're doing to get the secret. Commented Aug 28 at 14:03

1 Answer

  1. Is there a way to use SecureString or some other in-memory protection with ClientSecretCredential?

No. You could use ClientCertificateCredential instead to utilize a certificate. But in that case too, I believe that an attacker capable of reading your app's memory could also access the private key.

  2. Are there recommended patterns when Managed Identity is not an option (e.g., cross-tenant scenarios)?

See above for ClientCertificateCredential. The main advantage of it is that the private key is not sent over the network. With ClientSecretCredential, the secret is sent over the network every time (encrypted connection but still).

Do you run this application in an untrusted environment? Like for example a SaaS application deployed to a customer's infrastructure? In a case like that, you'll have to ensure the credentials that you deploy don't give the customer any more access than what they would have through the app.

If possible, require the user to log in as well. This way the secret alone would not be useful, as a user account would be needed for access. It is also possible to have a "bootstrapping" process where a user must log in when setting up the app. Then a refresh token is used periodically to keep the session alive. This does have the risk of the refresh token no longer working due to various reasons, requiring the user to sign in again (for example OneDrive on Windows might prompt you for authentication after a password change, this is due to the refresh token no longer working).

Also, if the attacker has access to the server, Managed Identity is compromised in this scenario too. MI is used through an HTTP endpoint accessible from the server. There is nothing stopping the attacker from making a request to this endpoint from within the server if they gain access.

I'd recommend that you sit down and consider the scenario in which a memory dump attack could happen. Then think how you can mitigate it/make it harder to pull off. For example, limit user/network access to the server. And how could you detect it.
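As an added illustration of the ClientCertificateCredential route discussed in this answer (this is example code, not the answerer's or the SDK's own sample): the certificate is taken from the Windows LocalMachine store rather than loaded from a file, so a private key imported as non-exportable never enters the process as bytes the way a client secret string does. It assumes the service principal has the certificate registered and that `certThumbprint`, `serviceBusNamespace` and `queueName` come from configuration; the export-policy check is CNG/Windows specific.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Messaging.ServiceBus;

// Added example (not from the question or answer). Placeholders: certThumbprint,
// serviceBusNamespace, queueName are expected to be read from configuration.
static class CertificateAuth
{
    public static ClientCertificateCredential CreateCredential(
        string tenantId, string clientId, string certThumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, certThumbprint, validOnly: true);
        if (matches.Count == 0)
            throw new InvalidOperationException("Auth certificate not found in LocalMachine\\My.");
        var cert = matches[0];

        // Refuse to start with an exportable key: an exportable key turns a memory
        // dump or a certificate export into a reusable credential. CNG-only check;
        // a host attacker can still ask the key provider to sign, so this narrows
        // the exposure the answer describes, it does not remove it.
        using var rsa = cert.GetRSAPrivateKey();
        if (rsa is RSACng cng && cng.Key.ExportPolicy != CngExportPolicies.None)
            throw new InvalidOperationException("Auth certificate key must be non-exportable.");

        // The SDK signs a short-lived client assertion via the OS key provider;
        // only the signed assertion crosses the network, never the key.
        return new ClientCertificateCredential(tenantId, clientId, cert,
            new ClientCertificateCredentialOptions { SendCertificateChain = true });
    }

    public static async Task SendAsync(string serviceBusNamespace, string queueName,
        ClientCertificateCredential credential, string body)
    {
        // await using releases the client and its AMQP links as soon as the work
        // is done, so the connection state does not outlive its use.
        await using var client = new ServiceBusClient(serviceBusNamespace, credential);
        await using var sender = client.CreateSender(queueName);
        await sender.SendMessageAsync(new ServiceBusMessage(body));
    }
}
```

Importing the certificate without the exportable flag (for example with certutil or the PowerShell Import-PfxCertificate without -Exportable) is what makes the check above pass.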

2 Comments

Additionally, in case the code is running on an Azure VM you could use [Azure Confidential VMs](learn.microsoft.com/en-us/azure/confidential-computing/…), which will protect your code from memory dumps.
I'm using a private application running as a Windows service within a commercial private cloud environment. I just discovered the secret was exposed when triaging something, and wondered if there was a way to protect it entirely. I am disposing of the object relatively quickly, which seems to drop it from memory, but there is still a risk of it appearing. I do take the point about limiting access to the machine, and the bigger worries if an attacker has access, just wondered if there was a way to protect it entirely.