| Path | csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!newsreader4.netcologne.de!news.netcologne.de!.POSTED!not-for-mail |
|---|---|
| From | Beloumi <beloumi@riseup.net> |
| Newsgroups | comp.lang.java.security |
| Subject | Re: Zeroization and compiler optimization |
| Date | Tue, 06 Jan 2015 12:55:33 +0100 |
| Organization | news.netcologne.de |
| Lines | 24 |
| Distribution | world |
| Message-ID | <m8gifi$l9e$1@newsreader4.netcologne.de> (permalink) |
| References | <m8br50$a9j$1@newsreader4.netcologne.de> <4knliqvbk6hc$.dlg@kimmeringer.de> |
| NNTP-Posting-Host | cable-78-34-5-45.netcologne.de |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=windows-1252 |
| Content-Transfer-Encoding | 8bit |
| X-Trace | newsreader4.netcologne.de 1420545330 21806 78.34.5.45 (6 Jan 2015 11:55:30 GMT) |
| X-Complaints-To | abuse@netcologne.de |
| NNTP-Posting-Date | Tue, 6 Jan 2015 11:55:30 +0000 (UTC) |
| User-Agent | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 |
| In-Reply-To | <4knliqvbk6hc$.dlg@kimmeringer.de> |
| Xref | csiph.com comp.lang.java.security:309 |
On 05.01.2015 at 13:36, Lothar Kimmeringer wrote:
> Beloumi wrote:
>
>> Sensitive data like keys and passwords should be zeroized immediately
>> which is usually done by Arrays.fill(...).
>> A compiler may treat this as dead code and it may be eliminated by an
>> optimization.
>> Does anybody know if this is the case for common Java compilers like
>> javac, ejc... ?
>
> You can try it out by giving the created byte-code to a decompiler.
> I don't expect that to happen but would be a bit concerned about
> the Hotspot during runtime. This might throw out that particular
> part of the code since it's analyzed to be dead.
>
>
> Regards, Lothar
>

Thanks for the hint.

You're right. The bytecode compiler might not be the most problematic point for zeroization. The optimization in Hotspot might be “better” than others, but as far as I know all JIT-compilers can do dead code elimination.

Is there also a way to figure out if they do?

Beloumi
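The question in the post above, as an added example that is not part of the original post or thread: a small harness for inspecting what HotSpot emits for an `Arrays.fill` zeroization once the method has been JIT-compiled. The class name `ZeroizeProbe`, its methods and the iteration count are assumptions made for illustration; reading the output requires the hsdis disassembler library to be installed for the JVM in use.

```java
import java.util.Arrays;

// Added example (hypothetical class): run it with
//   java -XX:+UnlockDiagnosticVMOptions \
//        -XX:CompileCommand=print,ZeroizeProbe::localSecret ZeroizeProbe
// and look in the printed machine code of localSecret for the stores that
// write zero to the array after the hash has been computed.
public class ZeroizeProbe {
    // Volatile sink so the results of each call are observable to the JIT.
    static volatile int sink;

    // Array reachable from a static field: it escapes, so stores to it
    // are visible outside the method that performs them.
    static final char[] shared = new char[16];

    // Case A: the secret never leaves this method. This is the shape in
    // which the trailing fill has no later reader inside the program.
    static int localSecret(int seed) {
        char[] secret = new char[16];
        for (int i = 0; i < secret.length; i++) {
            secret[i] = (char) ('a' + ((seed + i) % 26)); // constructed data
        }
        int h = Arrays.hashCode(secret); // the "use" of the secret
        Arrays.fill(secret, '\0');       // zeroization under inspection
        return h;
    }

    // Case B: caller-owned array, for comparison with case A
    // (add a second CompileCommand=print for ZeroizeProbe::wipe).
    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }

    public static void main(String[] args) {
        // Iterate well past the default JIT compile thresholds so both
        // methods are compiled by the optimizing compiler.
        for (int i = 0; i < 200_000; i++) {
            sink = localSecret(i);
            Arrays.fill(shared, 'x');
            wipe(shared);
            sink = shared[i % shared.length];
        }
        System.out.println("done, sink=" + sink);
    }
}
```

The result applies only to the JVM build, flags and code shape that were inspected; a different JIT, version or inlining decision has to be checked again.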