Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Java'€™s garbage-collection feature provides significant benefits from a security perspective over non-garbage-collected languages such as C and C++. The garbage collector (GC) is designed to automatically reclaim unreachable memory and to avoid memory leaks. Although it the GC is quite adept at performing this task, a malicious attacker can nevertheless launch a denial-of-service (DoS) attack, such as by inducing abnormal heap memory allocation or abnormally prolonged object retention. For example, some versions of the garbage collector could need to halt all executing threads to keep up with incoming allocation requests that trigger increased heap management activity. System throughput rapidly diminishes in this scenario. Real-time systems, in particular, are vulnerable to a more subtle slow-heap-exhaustion DoS attack, perpetrated by stealing CPU cycles. An attacker can perform memory allocations in a way that increases the consumption of resources (such as CPU, battery power, and memory) without triggering an OutOfMemoryError. Writing garbage-collection-friendly code helps restrict many attack avenues.

...