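/* goodB2G() - use badsource and goodsink */
/// <summary>
/// Hashes the value carried in <paramref name="dataContainer"/> and writes the result to
/// HKCU\Software\CWEparent\TestingCWE under the value name "CWE".
/// </summary>
/// <param name="dataContainer">Container whose <c>containerOne</c> field holds the data to store.</param>
public static void GoodB2GSink(CWE314_Cleartext_Storage_in_the_Registry__Environment_67a.Container dataContainer)
{
    string data = dataContainer.containerOne;

    /* FIX: Hash data before storing in registry */
    // NOTE(review): the salt is a constant in source, so equal inputs always produce equal
    // digests. If data is a low-entropy secret (the local name suggests credentials), a
    // per-value random salt with a slow KDF such as PBKDF2 would resist offline guessing better.
    string salt = "ThisIsMySalt";
    using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
    {
        byte[] saltedInput = Encoding.UTF8.GetBytes(string.Concat(salt, data));
        byte[] digest = sha512.ComputeHash(saltedInput);
        data = IO.ToHex(digest);
    }

    using (SecureString secureData = new SecureString())
    {
        foreach (char c in data)
        {
            secureData.AppendChar(c);
        }

        // Every RegistryKey handle is disposed here; the original left the handles returned by
        // OpenSubKey/CreateSubKey open. CreateSubKey opens an existing subkey for write access
        // or creates it, so one call replaces each CreateSubKey + OpenSubKey pair.
        using (RegistryKey softwareKey = Registry.CurrentUser.OpenSubKey("Software", true))
        using (RegistryKey parentKey = softwareKey.CreateSubKey("CWEparent"))
        using (RegistryKey testingKey = parentKey.CreateSubKey("TestingCWE"))
        {
            // NOTE(review): SetValue receives the SecureString object itself, not a string.
            // RegistryKey.SetValue falls back to ToString() for types it does not recognise,
            // so the stored text is presumably the type name rather than the digest - confirm.
            testingKey.SetValue("CWE", secureData);
        }
    }
}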
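/* goodG2B() - use goodsource and badsink */
/// <summary>
/// Writes the value carried in <paramref name="dataContainer"/> to
/// HKCU\Software\CWEparent\TestingCWE under the value name "CWE" without hashing or
/// encrypting it first.
/// </summary>
/// <remarks>
/// The sink applies no protection to the data; per the variant comment it is paired with a
/// "good" source, so the caller is expected to supply a value that is safe to store as-is.
/// </remarks>
/// <param name="dataContainer">Container whose <c>containerOne</c> field holds the data to store.</param>
public static void GoodG2BSink(CWE314_Cleartext_Storage_in_the_Registry__Environment_67a.Container dataContainer)
{
    string data = dataContainer.containerOne;

    using (SecureString secureData = new SecureString())
    {
        foreach (char c in data)
        {
            secureData.AppendChar(c);
        }

        /* POTENTIAL FLAW: Store data directly in registry */
        // Every RegistryKey handle is disposed here; the original left the handles returned by
        // OpenSubKey/CreateSubKey open. CreateSubKey opens an existing subkey for write access
        // or creates it, so one call replaces each CreateSubKey + OpenSubKey pair.
        using (RegistryKey softwareKey = Registry.CurrentUser.OpenSubKey("Software", true))
        using (RegistryKey parentKey = softwareKey.CreateSubKey("CWEparent"))
        using (RegistryKey testingKey = parentKey.CreateSubKey("TestingCWE"))
        {
            // NOTE(review): SetValue receives the SecureString object itself, not a string.
            // RegistryKey.SetValue falls back to ToString() for types it does not recognise,
            // so the stored text is presumably the type name rather than the data - confirm.
            testingKey.SetValue("CWE", secureData);
        }
    }
}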