Lunalux.SecBuff 1.0.0

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet add package Lunalux.SecBuff --version 1.0.0
                    


                    

                
NuGet\Install-Package Lunalux.SecBuff -Version 1.0.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Lunalux.SecBuff" Version="1.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Lunalux.SecBuff" Version="1.0.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Lunalux.SecBuff" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Lunalux.SecBuff --version 1.0.0
                    


                    

                
#r "nuget: Lunalux.SecBuff, 1.0.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package Lunalux.SecBuff@1.0.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=Lunalux.SecBuff&version=1.0.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=Lunalux.SecBuff&version=1.0.0
                    


                            Install as a Cake Tool

SecBuff (Lunalux.SecBuff)

Hardened Memory Management for .NET, Time-bound memory exposure model. Aligned with ISO/IEC 27001 practices.

GitHub License GitHub Actions Workflow Status NuGet Version NuGet Downloads CodeFactor

Overview

SecBuff implements a time-bound memory exposure model for sensitive data in .NET, provides best-effort protection for sensitive data in user-space memory; such as API keys, passwords, and cryptographic material.

By default, .NET types such as string and byte[] are managed by the garbage collector, which introduces several security concerns:

  • Sensitive data may be duplicated in memory due to garbage collector relocation.
  • Memory pages may be swapped to disk, potentially exposing secrets in plaintext.
  • Process memory dumps may reveal sensitive data without restriction.

SecBuff mitigates these risks by operating outside the managed heap and leveraging operating system–level memory protection mechanisms. Guarantees depend on the underlying operating system.

The library is designed to support secure memory handling practices aligned with standards such as ISO/IEC 27001, reduces the likelihood of sensitive data being persisted outside physical memory, subject to OS guarantees.

Key Features

Memory Locking
Prevents sensitive data from being swapped to disk:

  • Windows: VirtualLock
  • POSIX systems: mlock

Memory Protection
Restricts access to protected memory regions when not in use.

  • Windows: VirtualProtect
  • POSIX systems: mprotect

Deterministic Zeroing
Ensures sensitive data is securely wiped from memory after use via CryptographicOperations.

Controlled Access Model
Secrets are only accessible within explicitly defined scopes and remain inaccessible otherwise.

Async Compatibility
Supports safe usage across async / await boundaries. Due to .NET runtime constraints, strict stack-only guarantees (ref struct) cannot be preserved across async boundaries. SecBuff provides AcquireAsync as a controlled alternative.

Threat Model

Protects against:

  • Accidental memory exposure
  • Managed heap inspection
  • Basic memory dumps

Does NOT protect against:

  • Kernel-level attackers
  • Full system compromise
  • Cold boot attacks
  • DMA attacks
  • CPU caches and processor registers may temporarily retain sensitive data. Due to .NET runtime constraints, SecBuff cannot explicitly clear these transient copies.

Quick Start

  1. Secure Input
    Read sensitive input directly into protected memory without creating intermediate managed strings:

    using SecBuff;
using ISecureBuffer password = 
    SecureConsole.ReadSecret("Enter admin password", useMprotect: true);

  2. Secret Management
    Store and access secrets using a controlled access pattern:

    var vault = new SecretManager<string>(logger);

// Store a secret - System.Text.Encoding is not recommended due to GC can copy these strings.
vault.Set("ApiKey", Encoding.UTF8.GetBytes("super-secret-key"), useMprotect: true);

// Access the secret
vault.AccessSecret("ApiKey", span =>
{
    MyApiClient.Initialize(span);
});

    Memory is only readable and writable within the access delegate and is protected immediately afterward through reference-counted access control.

  3. Encrypted Key Files (.sbkf)
    Persist and reuse cryptographic keys securely across application runs:

    // Generate or load a key file
var keyFile = SecureKeyFile.Load("master.sbkf");

// Initialize vault with encryption support
var vault = new SecretManager<string>(logger, keyFile);

// Store encrypted secret
vault.SetSecret("ApiKey", "super-secret-key"u8.ToArray(), useEncryption: true);

// Access (automatically decrypted in a protected buffer)
vault.AccessSecret("ApiKey", span =>
{
    MyApiClient.Initialize(span);
});
    • Uses AES-256-GCM for authenticated encryption.
    • Keys are derived via SecureKeyFile.DeriveKey.
    • Plaintext exists only in protected memory and only during access scope.
    • Encrypted secrets remain protected even if memory is compromised.

Technical Details

Feature Windows POSIX Systems
Memory Locking VirtualLock (Non-deterministic*) mlock _
Protection VirtualProtect mprotect
Alignment Page-aligned Page-aligned
Zeroing CryptographicOperations CryptographicOperations
Swap Defense Requires PageFile Disabled or SECBUFF_ALLOW_PAGEFILE=1 environment variable MCL_FUTURE / mlock

Windows Memory Integrity Problem:

Due to legacy architectural constraints in the Windows NT Kernel, VirtualLock may be silently dropped by the Memory Manager when page protections are transitioned (e.g., to PAGE_NOACCESS). This is a documented limitation of the Windows memory API. Windows does not provide a strict guarantee that locked pages remain resident under all conditions, especially when protection states are modified. To guarantee zero-swap integrity on Windows, System PageFile must be disabled. SecBuff will perform an environment audit and throw a SecurityException if an insecure configuration is detected. By enabling SECBUFF_ALLOW_PAGEFILE=1, you explicitly accept that secrets may be paged to disk.

No Managed Strings
Sensitive data is never stored as managed type. All APIs operate on Span<byte> or unmanaged memory.

Scoped Access
Secrets are exposed only within controlled execution scopes (e.g., using blocks).

Deterministic Cleanup
Memory is explicitly cleared on disposal. Finalizers act as a fallback if Dispose is not invoked.

Stack-Constrained Access
ref struct patterns are used where appropriate to prevent unintended heap allocation or capture, but for async operations it is not possible due to .NET's structure, which SecBuff has AcquireAsync for this spesific case.

Contributing

SecBuff is developed by LunaluxLTD (Ata İlhan Köktürk).

Contributions are welcome. For security-related issues, please use a responsible disclosure process via a.kokturk@lunalux.com.tr. General improvements and discussions can be submitted via pull requests or issues.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net8.0-windows7.0 is compatible.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net9.0-windows7.0 is compatible.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed.  net10.0-windows7.0 is compatible. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.0 99 4/29/2026
1.0.0-preview.1 63 3/26/2026