...
Currently, complete mitigation (that is, complete protection of data in memory) requires support from the underlying operating system and Java Virtual Machine. For instance, if swapping sensitive data out to disk is an issue, a secure operating system that disables swapping and hibernation is required.
Noncompliant Code Example
This noncompliant code example reads login information from the console and stores the password as a String
object. The credentials remain exposed until the garbage collector reclaims the memory associated with the String
.
Code Block | ||
---|---|---|
| ||
class Password { public static void main (String args[]) throws IOException { Console c = System.console(); if (c == null) { System.err.println("No console."); System.exit(1); } String login = c.readLine("Enter your user name: "); String password = c.readLine("Enter your password: "); if (!verify(login, password)) { throw new SecurityException("Invalid Credentials"); } // ... } // Dummy verify method, always returns true private static final boolean verify(String login, String password) { return true; } } |
Compliant Solution
This compliant solution uses the Console.readPassword()
method to obtain the password from the console. This method allows the password to be returned as a sequence of characters rather than as a String
object. Consequently, the programmer can clear the password from the array immediately after use. The method also disables echoing of the password to the console.
Code Block | ||
---|---|---|
| ||
class Password { public static void main (String args[]) throws IOException { Console c = System.console(); if (c == null) { System.err.println("No console."); System.exit(1); } String login = c.readLine("Enter your user name: "); char[] password = c.readPassword("Enter your password: "); if (!verify(login, password)) { throw new SecurityException("Invalid Credentials"); } // Clear the password Arrays.fill(password, ' '); } // Dummy verify method, always returns true private static final boolean verify(String login, char[] password) { return true; } } |
Noncompliant Code Example
This noncompliant code example uses a BufferedReader
to wrap an InputStreamReader
object so that sensitive data can be read from a file:
Code Block | ||
---|---|---|
| ||
void exampleFuntion() throws IOException{ BufferedReader br = new BufferedReader(new InputStreamReader( new FileInputStream("file"))); // Read from the file } |
Compliant Solution
This compliant solution uses a directly allocated NIO (new I/O) buffer to read sensitive data from the file. The data can be cleared immediately after use and is not cached or buffered at multiple locations. It exists only in the system memory.
...
Note that manual clearing of the buffer data is mandatory because direct buffers are exempt from garbage collection.
Applicability
Failure to limit the lifetime of sensitive data can lead to information leaks.
...
- It can be proved that the code is free from other errors that can expose the sensitive data.
- Attackers lack physical access to the target machine.
Bibliography
[API 2011] | Class ByteBuffer |
[Oracle 2012b] | Reading ASCII Passwords from an InputStream Example (Java Cryptography Architecture [JCA] Reference Guide) |
[Tutorials 2008] | I/O from the Command Line |
...