Sensitive data may be compromised if its lifetime is not limited to the period of its use. An adversary who has control of the file system may be able to access such data if the application:
- uses objects to store sensitive data whose contents are not cleared or garbage collected after use
- has memory pages that can be swapped out to disk as required by the operating system (to perform memory management tasks and support hibernation)
- uses a buffer to hold sensitive data (such as BufferedReader) that retains copies of the data in the OS cache or in memory
- bases its control flow on reflection that allows circumventing any countermeasures to limit the lifetime of sensitive variables
- reveals sensitive data in debugging messages, log files, environment variables or through thread and core dumps
Using such attacks to compromise sensitive data is far easier for live data than for data that has been cleared or reclaimed. Sensitive data that remains live beyond the minimum period required for its use has an unnecessarily large window of vulnerability. Consequently, programs must minimize the lifetime of sensitive data.
Currently, complete mitigation requires support from the underlying operating system. For instance, if swapping-out of sensitive data is an issue, a secure operating system that disables swapping and hibernation is indispensable.
...
This compliant solution uses the Console.readPassword() method to obtain the password from the console. This method returns the password as a sequence of characters rather than as a String object. Consequently, the programmer can clear the password from the array immediately after use. The method also disables echoing of the password to the console.
...
This compliant solution uses a direct-allocated NIO buffer to read sensitive data from the file. The data can be cleared immediately after use, and is not cached or buffered at multiple locations. It exists only in the system memory.
...
Note that manual clearing of the buffer data is mandatory because direct buffers are exempt from garbage collection.
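As an added example (not the page's own compliant solution), the following reads a file through a direct-allocated ByteBuffer, processes each chunk, and overwrites the entire backing memory, not only the bytes read, before the buffer is reused or discarded. The processChunk() helper, the buffer size and the constructed temporary file are assumptions for the demonstration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

public final class SensitiveFileReader {
    private static final int BUFFER_SIZE = 4096; // assumed chunk size

    private SensitiveFileReader() {}

    // Hypothetical consumer of the sensitive bytes: counts line breaks.
    // It returns a derived value that does not itself contain the secret.
    static int processChunk(ByteBuffer buf) {
        int lines = 0;
        while (buf.hasRemaining()) {
            if (buf.get() == '\n') {
                lines++;
            }
        }
        return lines;
    }

    // Overwrites every byte of the buffer's capacity, then resets it so
    // the next read starts at position 0. The GC will not do this for
    // the native memory behind a direct buffer.
    static void scrub(ByteBuffer buf) {
        buf.clear(); // position = 0, limit = capacity
        while (buf.hasRemaining()) {
            buf.put((byte) 0);
        }
        buf.clear();
    }

    public static int readAndProcess(Path path) throws IOException {
        ByteBuffer buf = ByteBuffer.allocateDirect(BUFFER_SIZE);
        int total = 0;
        try (FileChannel channel = FileChannel.open(path, StandardOpenOption.READ)) {
            while (channel.read(buf) != -1) {
                buf.flip();               // switch from writing to reading
                total += processChunk(buf);
                scrub(buf);               // clear before the next read
            }
        } finally {
            scrub(buf);                   // clear even if processing threw
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input for the demo; written to a temporary file and
        // removed afterwards. A real secret would never be staged this way.
        Path tmp = Files.createTempFile("demo-secret", ".txt");
        try {
            Files.write(tmp, "user=alice\ntoken=constructed-demo-value\n"
                    .getBytes(StandardCharsets.UTF_8));
            System.out.println("lines processed: " + readAndProcess(tmp));
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

The scrub step runs once per chunk and again in finally, so an exception thrown by processChunk() cannot leave the last chunk resident. The direct buffer avoids JVM-side copies such as a BufferedReader's internal array; the operating system's own page cache for the file is outside the application's control, which is why complete mitigation depends on OS support.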
Exceptions
EX0: This guideline may be violated when both
1. it can be proved that the code is free from other errors that can expose the sensitive data, and
2. attackers lack physical access to the target machine.
...
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC10-J | medium | likely | medium | P12 | L1 |
...
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...
Bibliography
[API 2006] Class java.nio.ByteBuffer
[Tutorials 2008] I/O from the Command Line, http://java.sun.com/docs/books/tutorial/essential/io/cl.html
[Sun 2006] Reading ASCII Passwords From an InputStream Example (JCA Reference Guide), http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#ReadPassword
[MITRE 2009] CWE ID 524 "Information Leak Through Caching", http://cwe.mitre.org/data/definitions/524.html; CWE ID 528 "Information Leak Through Core Dump Files", http://cwe.mitre.org/data/definitions/528.html; CWE ID 215 "Information Leak Through Debug Information", http://cwe.mitre.org/data/definitions/215.html; CWE ID 534 "Information Leak Through Debug Log Files", http://cwe.mitre.org/data/definitions/534.html; CWE ID 526 "Information Leak Through Environmental Variables", http://cwe.mitre.org/data/definitions/526.html; CWE ID 226 "Sensitive Information Uncleared Before Release", http://cwe.mitre.org/data/definitions/226.html
...