Sensitive data is vulnerable to compromise. An adversary who has control of the file system may be able to access such data if the application:
- uses objects to store sensitive data whose contents are not cleared or garbage-collected after use
- has memory pages that can be swapped out to disk as required by the operating system (e.g., to perform memory management tasks or to support hibernation)
- holds sensitive data in a buffer (such as `BufferedReader`) that retains copies of the data in the OS cache or in memory
- bases its control flow on reflection that allows circumventing countermeasures to limit the lifetime of sensitive variables
- reveals sensitive data in debugging messages, log files, environment variables, or through thread and core dumps
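The first and third points above (data left in objects that are never cleared, and buffered readers that keep their own copy) are easiest to see side by side. The following Java program is an added example, not code from the original page or from the CERT standard: it reads a password from a constructed `StringReader` standing in for a console or socket, once through `BufferedReader.readLine()` into an immutable `String`, and once into a caller-owned `char[]` that is scrubbed with `Arrays.fill` in a `finally` block. The method names, the sample input and the hard-coded expected value are all assumptions made for illustration; a real check would compare against a stored hash rather than a plaintext literal.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.Arrays;

public class SensitiveDataLifetime {

    // Constructed sample input standing in for a console or network stream.
    private static final String SAMPLE_INPUT = "hunter2\n";

    // Weak pattern: readLine() materialises the secret as an immutable String,
    // which lingers on the heap until garbage collection, and the BufferedReader
    // keeps a second copy in its internal buffer that the caller cannot clear.
    static boolean checkWithString(Reader in, char[] expected) throws IOException {
        BufferedReader br = new BufferedReader(in);
        String password = br.readLine();           // copy in br's buffer + copy in the String
        return password != null && Arrays.equals(password.toCharArray(), expected);
    }

    // Hardened pattern: read straight into a bounded char[] that this method owns,
    // use it, then overwrite it so the secret does not outlive the check.
    static boolean checkWithCharArray(Reader in, char[] expected) throws IOException {
        char[] password = new char[128];
        int len = 0;
        try {
            int c;
            while ((c = in.read()) != -1 && c != '\n' && len < password.length) {
                password[len++] = (char) c;
            }
            return len == expected.length && constantTimeEquals(password, len, expected);
        } finally {
            Arrays.fill(password, '\0');           // scrub the only copy we control
        }
    }

    // Compare without early exit so timing does not reveal how long the matching prefix is.
    // Caller guarantees len == b.length.
    static boolean constantTimeEquals(char[] a, int len, char[] b) {
        int diff = 0;
        for (int i = 0; i < len; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical expected value; in practice a hash would be stored, not the plaintext.
        char[] expected = "hunter2".toCharArray();
        try {
            System.out.println("String version: " + checkWithString(new StringReader(SAMPLE_INPUT), expected));
            System.out.println("char[] version: " + checkWithCharArray(new StringReader(SAMPLE_INPUT), expected));
        } finally {
            Arrays.fill(expected, '\0');
        }
    }
}
```

Both checks return `true` for the sample input; the difference is what remains in memory afterwards. In the `String` version nothing the caller does can clear the `String` or the reader's buffer, so a heap dump or swapped page taken after the call can still contain the password. In the `char[]` version the caller owns every copy it created and zeroes it on every exit path. Note that the string literal used to build `expected` still lives in the class constant pool, which is why a real program must never hold the reference secret as a literal.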
...
Currently, complete mitigation requires support from the underlying operating system. For instance, if swapping sensitive data out to disk is a concern, a secure operating system that disables swapping and hibernation is indispensable.
...