Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!newsreader4.netcologne.de!news.netcologne.de!.POSTED!not-for-mail From: Beloumi Newsgroups: comp.lang.java.security Subject: Re: Zeroization and compiler optimization Date: Tue, 06 Jan 2015 12:55:33 +0100 Organization: news.netcologne.de Lines: 24 Distribution: world Message-ID: References: <4knliqvbk6hc$.dlg@kimmeringer.de> NNTP-Posting-Host: cable-78-34-5-45.netcologne.de Mime-Version: 1.0 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-Trace: newsreader4.netcologne.de 1420545330 21806 78.34.5.45 (6 Jan 2015 11:55:30 GMT) X-Complaints-To: abuse@netcologne.de NNTP-Posting-Date: Tue, 6 Jan 2015 11:55:30 +0000 (UTC) User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 In-Reply-To: <4knliqvbk6hc$.dlg@kimmeringer.de> Xref: csiph.com comp.lang.java.security:309 Am 05.01.2015 um 13:36 schrieb Lothar Kimmeringer: > Beloumi wrote: > >> Sensitive data like keys and passwords should be zeroized immediately >> which is usually done by Arrays.fill(...). >> A compiler may treat this as dead code and it may be eliminated by an >> optimization. >> Does anybody knows if this is the case for common Java compilers like >> javac, ejc... ? > > You can try it out by giving the created byte-code to a decompiler. > I don't expect that to happen but would be a bit concerned about > the Hotspot during runtime. This might throw out that particular > part of the code since it's analyzed to be dead. > > > Regards, Lothar > Thanks for the hint. You're right. The bytecode compiler might not be the most problematic point for zeroization. The optimization in Hotspot might be “better” than others, but as I know all JIT-compilers can do dead code elimination. Is there also a way to figure out if they do? Beloumi