Re: Zeroization and compiler optimization

From Beloumi <beloumi@riseup.net>
Newsgroups comp.lang.java.security
Subject Re: Zeroization and compiler optimization
Date 2015-01-06 12:55 +0100
Organization news.netcologne.de
Message-ID <m8gifi$l9e$1@newsreader4.netcologne.de>
References <m8br50$a9j$1@newsreader4.netcologne.de> <4knliqvbk6hc$.dlg@kimmeringer.de>


On 05.01.2015 at 13:36, Lothar Kimmeringer wrote:
> Beloumi wrote:
> 
>> Sensitive data like keys and passwords should be zeroized immediately
>> which is usually done by Arrays.fill(...).
>> A compiler may treat this as dead code and it may be eliminated by an
>> optimization.
>> Does anybody know if this is the case for common Java compilers like
>> javac, ejc... ?
> 
> You can try it out by giving the created byte-code to a decompiler.
> I don't expect that to happen but would be a bit concerned about
> the Hotspot during runtime. This might throw out that particular
> part of the code since it's analyzed to be dead.
> 
> 
> Regards, Lothar
> 
Thanks for the hint. You're right. The bytecode compiler might not be
the most problematic point for zeroization. The optimization in Hotspot
might be “better” than others, but as far as I know all JIT-compilers can do
dead code elimination. Is there also a way to figure out if they do?
Beloumi
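
One way to look for an answer on HotSpot, as an added example that is not part of the original post: a harness that runs an Arrays.fill(...) wipe often enough for the JIT compiler to pick it up, so the generated code can be inspected. The class and method names are hypothetical, the sample secrets are constructed, and the flags in the header comment assume a HotSpot JVM with the hsdis disassembler plugin installed.

```java
import java.util.Arrays;

// Compile with: javac ZeroizeCheck.java
// Run (HotSpot; printing assembly needs the hsdis plugin):
//   java -XX:+PrintCompilation ZeroizeCheck
//   java -XX:+UnlockDiagnosticVMOptions \
//        '-XX:CompileCommand=print,ZeroizeCheck::*' ZeroizeCheck
// In the printed code for wipe(), and for the loop in main() where wipe()
// may have been inlined, look for the stores that clear the array.
public class ZeroizeCheck {
    // Volatile sink so the value computed from the secret is not itself dead.
    static volatile int sink;

    // The zeroization under test (hypothetical helper, not from the thread).
    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }

    // Stand-in for real use of the secret before it is wiped.
    static int use(char[] secret) {
        int h = 0;
        for (char c : secret) h = 31 * h + c;
        return h;
    }

    // Program-level check only: the JIT has to preserve this result whether
    // or not it emits the stores, so it does not replace reading the assembly.
    static boolean isZero(char[] a) {
        int acc = 0;
        for (char c : a) acc |= c;
        return acc == 0;
    }

    public static void main(String[] args) {
        boolean allZero = true;
        // Many iterations so the hot code is handed to the JIT compiler.
        for (int i = 0; i < 200_000; i++) {
            char[] pw = ("constructed-secret-" + i).toCharArray(); // constructed sample
            sink = use(pw);
            wipe(pw);
            // Sampled read-back: most wiped arrays are never read again,
            // which is the situation the question is about.
            if (i % 1000 == 0) allZero &= isZero(pw);
        }
        System.out.println("sampled arrays zero after wipe: " + allZero);
    }
}
```

The -XX:+PrintCompilation run only shows which methods were compiled; whether the clearing stores survived is visible only in the printed assembly.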


Thread

Zeroization and compiler optimization Beloumi <beloumi@riseup.net> - 2015-01-04 17:52 +0100
  Re: Zeroization and compiler optimization Lothar Kimmeringer <news200709@kimmeringer.de> - 2015-01-05 13:36 +0100
    Re: Zeroization and compiler optimization Beloumi <beloumi@riseup.net> - 2015-01-06 12:55 +0100
      Re: Zeroization and compiler optimization Beloumi <beloumi@riseup.net> - 2015-06-12 09:34 +0200
        Re: Zeroization and compiler optimization Mike Amling <mamling@chaff.us> - 2015-07-06 10:06 -0500
          Re: Zeroization and compiler optimization Beloumi <beloumi@riseup.net> - 2015-07-06 23:24 +0200
