4. Details of Java's fine-grained security mechanism
1. Limit the lifetime of sensitive data
Sensitive data in memory can be vulnerable to compromise. An adversary who can execute code on the same system as an application may be able to access such data if the application
- Uses objects to store sensitive data whose contents are not cleared or garbage-collected after use
- Has memory pages that can be swapped out to disk as required by the operating system (for example, to perform memory management tasks or to support hibernation)
- Holds sensitive data in a buffer (such as BufferedReader) that retains copies of the data in the OS cache or in memory
- Bases its control flow on reflection that allows countermeasures to circumvent the limiting of the lifetime of sensitive variables
- Reveals sensitive data in debugging messages, log files, environment variables, or through thread and core dumps
Sensitive data leaks become more likely if the memory containing the data is not cleared after using the data. To limit the risk of exposure, programs must minimize the lifetime of sensitive data.
Complete mitigation (that is, foolproof protection of data in memory) requires support from the underlying operating system and Java Virtual Machine. For example, if swapping sensitive data out to disk is an issue, a secure operating system that disables swapping and hibernation is required.
Noncompliant Code Example
This noncompliant code example reads user name and password information from the console and stores the password as a String object. The credentials remain exposed until the garbage collector reclaims the memory associated with this String.
```java
import java.io.Console;
import java.io.IOException;

class Password {
  public static void main(String args[]) throws IOException {
    Console c = System.console();
    if (c == null) {
      System.err.println("No console.");
      return;
    }
    String username = c.readLine("Enter your user name: ");
    // Noncompliant: the password is held in an immutable String that cannot be
    // cleared; the cleartext stays in memory until the garbage collector runs.
    String password = c.readLine("Enter your password: ");
  }
}
```
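For contrast, the following is an added example (not a listing from the book) showing the same login prompt with the password held in a char[] that is overwritten as soon as it has been used; the verify() method is a hypothetical placeholder standing in for a real credential check.

```java
import java.io.Console;
import java.util.Arrays;

class PasswordCleared {
  public static void main(String[] args) {
    Console c = System.console();
    if (c == null) {
      System.err.println("No console.");
      return;
    }
    String username = c.readLine("Enter your user name: ");
    // readPassword() returns a char[], so the caller controls the buffer's
    // lifetime instead of waiting for the garbage collector.
    char[] password = c.readPassword("Enter your password: ");
    try {
      if (!verify(username, password)) {
        throw new SecurityException("Invalid credentials");
      }
      // ... continue with the authenticated session ...
    } finally {
      // Clear the buffer even when verify() throws, so the cleartext
      // password does not linger in memory after it is no longer needed.
      Arrays.fill(password, ' ');
    }
  }

  // Hypothetical check (assumption, not part of the original): accepts any
  // non-empty password so the example can be compiled and run as-is.
  private static boolean verify(String username, char[] password) {
    return password.length > 0;
  }
}
```

Because String contents cannot be overwritten, the char[] version is the only one of the two in which the program can bound how long the cleartext password stays in memory.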