...

Currently, complete mitigation requires support from the underlying operating system. For instance, if swapping-out of sensitive data is an issue, a secure operating system that disables swapping and hibernation is indispensable.

Noncompliant Code Example

This noncompliant code example reads login information from the console and stores the password as a String object. The credentials remain exposed until the garbage collector reclaims the memory associated with the String objects.

import java.io.Console;
import java.io.IOException;

class Password {
  public static void main(String[] args) throws IOException {
    Console c = System.console();
    if (c == null) {
      System.err.println("No console.");
      System.exit(1);
    }

    String login = c.readLine("Enter your user name: ");
    // Noncompliant: the password lands in an immutable String that cannot be cleared
    // and is echoed to the console as it is typed
    String password = c.readLine("Enter your password: ");

    if (!verify(login, password)) {
      throw new IOException("Invalid Credentials");
    }
    // ...
  }

  // Dummy verify method, always returns true
  private static final boolean verify(String login, String password) {
    return true;
  }
}

Compliant Solution

This compliant solution uses the Console.readPassword() method to obtain the password from the console. This method allows the password to be returned as a sequence of characters rather than as a String object. Consequently, the programmer can clear the password from the array immediately after use. The method also disables echoing of the password to the console.

import java.io.Console;
import java.io.IOException;
import java.util.Arrays;

class Password {
  public static void main(String[] args) throws IOException {
    Console c = System.console();
    if (c == null) {
      System.err.println("No console.");
      System.exit(1);
    }

    String login = c.readLine("Enter your user name: ");
    // readPassword() suppresses echo and returns a mutable char[] the program can wipe
    char[] password = c.readPassword("Enter your password: ");

    if (!verify(login, password)) {
      throw new IOException("Invalid Credentials");
    }

    // Clear the password
    Arrays.fill(password, ' ');
  }

  // Dummy verify method, always returns true
  private static final boolean verify(String login, char[] password) {
    return true;
  }
}
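The compliant solution leaves verify() as a stub. The following added example, which is not part of the CERT page, shows one shape a real verify() can take while keeping the password as a char[] end to end: PBEKeySpec accepts a char[] and exposes clearPassword() to zero its internal copy, and MessageDigest.isEqual() compares the derived key in constant time. The class name, the PBKDF2 parameters and the constructed sample passwords are assumptions for illustration.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class written for this example; not from the CERT page
final class PasswordVerifier {
  private static final int ITERATIONS = 210_000;   // assumed work factor
  private static final int KEY_BITS = 256;

  // Derives a PBKDF2-HMAC-SHA256 key from the char[] password. PBEKeySpec copies
  // the chars it is given; clearPassword() zeroes that copy in the finally block.
  static byte[] derive(char[] password, byte[] salt) {
    PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
    try {
      SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
      return f.generateSecret(spec).getEncoded();
    } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
      throw new IllegalStateException(e);
    } finally {
      spec.clearPassword();
    }
  }

  // Verifies the password against a stored salt and hash, then wipes every copy
  // the caller controls: the derived key and the caller's own char[].
  static boolean verify(char[] password, byte[] salt, byte[] storedHash) {
    byte[] derived = null;
    try {
      derived = derive(password, salt);
      return MessageDigest.isEqual(derived, storedHash); // constant-time comparison
    } finally {
      if (derived != null) {
        Arrays.fill(derived, (byte) 0);
      }
      Arrays.fill(password, ' ');
    }
  }

  public static void main(String[] args) {
    byte[] salt = new byte[16];
    new SecureRandom().nextBytes(salt);

    // Enrollment with a constructed sample password, held only as char[]
    char[] enrolled = {'c', 'o', 'r', 'r', 'e', 'c', 't', 'h', 'o', 'r', 's', 'e'};
    byte[] stored = derive(enrolled, salt);
    Arrays.fill(enrolled, ' ');

    char[] good = {'c', 'o', 'r', 'r', 'e', 'c', 't', 'h', 'o', 'r', 's', 'e'};
    char[] bad = {'b', 'a', 't', 't', 'e', 'r', 'y'};
    System.out.println("correct password accepted: " + verify(good, salt, stored));
    System.out.println("wrong password accepted:   " + verify(bad, salt, stored));
    System.out.println("caller's array wiped:      " + (good[0] == ' '));
  }
}
```

The caller's array and the derived key are wiped even when generateSecret() throws. What this cannot reach is the provider's own intermediate state: the PBKDF2 implementation converts the chars to bytes internally, and those copies are outside the caller's control. That is the same limitation the rule notes at the top of the page, which is why the char[] discipline reduces the exposure window rather than eliminating it.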

Noncompliant Code Example

This noncompliant code example uses a BufferedReader to wrap an InputStreamReader object so that sensitive data can be read from a file.

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;

// Noncompliant: FileInputStream, InputStreamReader and BufferedReader each hold their
// own copy of the data in internal buffers that the program cannot clear
BufferedReader br = new BufferedReader(new InputStreamReader(
  new FileInputStream("file")));
// Read from the file

Compliant Solution

This compliant solution uses a direct-allocated NIO buffer to read sensitive data from the file. The data can be cleared immediately after use, and is not cached or buffered at multiple locations. It exists only in the system memory.

...

Note that manual clearing of the buffer data is mandatory: the memory backing a direct buffer is allocated outside the garbage-collected heap, so the garbage collector neither manages nor zeroes it.
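The compliant solution's code is elided above. The following added example, which is not the CERT page's own code, shows the approach the text describes: the file is read through a FileChannel straight into a direct ByteBuffer, the caller works on a read-only view, and the whole capacity of the buffer is overwritten in a finally block so the scrub happens even if processing throws. The class and method names and the temporary sample file are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.function.Consumer;

// Hypothetical class written for this example; not from the CERT page
final class DirectBufferRead {
  // Reads at most maxBytes of the file into a direct buffer, hands a read-only view
  // to the consumer, and zeroes the buffer before returning, even if the consumer throws.
  static void withSensitiveBytes(Path file, int maxBytes, Consumer<ByteBuffer> consumer)
      throws IOException {
    ByteBuffer buf = ByteBuffer.allocateDirect(maxBytes);
    try (FileChannel ch = FileChannel.open(file, StandardOpenOption.READ)) {
      // FileChannel.read() copies from the OS into the direct buffer. A heap buffer
      // would be staged through a JDK-internal temporary direct buffer first, which is
      // one more copy outside the program's control; a direct buffer avoids that.
      while (buf.hasRemaining() && ch.read(buf) != -1) {
        // keep reading until the buffer is full or end of file
      }
      buf.flip();
      consumer.accept(buf.asReadOnlyBuffer());
    } finally {
      scrub(buf);
    }
  }

  // Overwrites every byte of the buffer's capacity, not only the bytes that were read.
  static void scrub(ByteBuffer buf) {
    buf.clear(); // position 0, limit = capacity
    while (buf.hasRemaining()) {
      buf.put((byte) 0);
    }
    buf.clear();
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample input: a temporary file standing in for the sensitive file.
    // The content is built as bytes so no String copy of it is created here.
    Path tmp = Files.createTempFile("sensitive", ".bin");
    try {
      Files.write(tmp, new byte[] {'h', 'u', 'n', 't', 'e', 'r', '2', '\n'});
      withSensitiveBytes(tmp, 4096, view -> {
        // Work on the bytes inside this callback; do not copy them into a String
        System.out.println("read " + view.remaining() + " bytes");
      });
    } finally {
      Files.deleteIfExists(tmp);
    }
  }
}
```

The read-only view shares memory with the direct buffer, so once withSensitiveBytes() returns, anything still holding the view sees zeros; the consumer must finish its work inside the callback and must not decode the bytes into a String, which would recreate the problem the String-based examples have.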

Exceptions


EX0: This rule may be violated when both
1. It can be proved that the code is free from other errors that can expose the sensitive data, and also
2. Attackers lack physical access to the target machine.

Risk Assessment

Failure to limit the lifetime of sensitive data can lead to information leaks.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
MSC10-J   medium    likely      medium            P12       L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.


...