Sensitive data may be compromised if its lifetime is not limited to the period of its use. An adversary who has control of the file system may be able to access such data if the application:
- uses objects to store sensitive data whose contents are not cleared or garbage collected after use
- has memory pages that can be swapped out to disk as required by the operating system (to perform memory management tasks and support hibernation)
- uses a buffer to hold sensitive data (such as BufferedReader) that retains copies of the data in the OS cache or in memory
- bases its control flow on Reflection that allows circumventing any countermeasures to limit the lifetime of sensitive variables
- reveals sensitive data in debugging messages, log files, environment variables or through thread and core dumps
...
Note that manual clearing of the buffer data is mandatory because direct buffers are not subject to garbage collection.
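As an added illustration of that note (this is not code from the CERT page; the class and method names are assumptions), the secret is taken as a char[] rather than an immutable String, encoded into a direct ByteBuffer for the comparison, and both the buffer and the array are overwritten with zeros in a finally block so the cleanup also runs on the exception path:

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SensitiveBufferDemo {

    // Compares a secret against an expected UTF-8 encoding, then erases every
    // copy this method created. The caller's char[] is also zeroed because the
    // method is the last user of it.
    static boolean checkSecret(char[] secret, byte[] expectedUtf8) {
        // UTF-8 needs at most 3 bytes per Java char, so 4x is a safe capacity.
        ByteBuffer buf = ByteBuffer.allocateDirect(secret.length * 4);
        try {
            CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
            enc.encode(CharBuffer.wrap(secret), buf, true);
            enc.flush(buf);
            buf.flip();
            if (buf.remaining() != expectedUtf8.length) {
                return false;
            }
            // OR the differences together instead of returning on the first
            // mismatching byte, so the loop always runs to the end.
            int diff = 0;
            for (int i = 0; i < expectedUtf8.length; i++) {
                diff |= buf.get(i) ^ expectedUtf8[i];
            }
            return diff == 0;
        } finally {
            // A direct buffer's memory is not reclaimed by the garbage collector
            // on any schedule the application controls, so overwrite it by hand.
            buf.clear();
            while (buf.hasRemaining()) {
                buf.put((byte) 0);
            }
            // The char[] is mutable, so it can be cleared too (a String could not be).
            Arrays.fill(secret, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample values for the demo only; real code would obtain the
        // secret from Console.readPassword() so no String copy is ever created.
        char[] secret = "hunter2".toCharArray();
        byte[] expected = "hunter2".getBytes(StandardCharsets.UTF_8);
        boolean ok = checkSecret(secret, expected);
        System.out.println("match=" + ok + " secretAfter=" + Arrays.toString(secret));
    }
}
```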
Exceptions
MSC10-EX1: This guideline may be violated iff:
1. It can be proved that the code is free from other errors that can expose the sensitive data.
2. An attacker does not have physical access to the target machine.
...
Failure to limit the lifetime of sensitive data can lead to information leaks.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC10-J | medium | likely | medium | P12 | L1 |
...