


Re: passwords, Strings an

From "Wojtek" <wojtek@THRWHITE.remove-dii-this>
Subject Re: passwords, Strings an
Message-ID <mn.5a2d7d896331dd9d.70216@a.com> (permalink)
Newsgroups comp.lang.java.security
References <48c93561$0$25715$426a74cc@news.free.fr>
Date 2011-04-27 16:08 +0000
Organization TDS.net



  To: comp.lang.java.security
Fred wrote:
> Lothar Kimmeringer wrote:
>> Fred wrote:
>> 
>>> The problem is that the String that getParameter created is still there 
>>> ... containing a clear text password. And a memory dump could allow people 
>>> to read this password.
>>>
>>> My question is : Is there a way to totally discard a String's content from 
>>> the JVM's memory?
>> 
>> Strings are special in Java and you can't discard them easily
>> or intentionally.
>> 
>> A common way to handle passwords in cryptographic applications
>> is the use of character-array where you set the entries to
>> zero before discarding the reference. Due to the way Java
>> manages the memory this way still does not ensure that there aren't
>> any copies of the array-values sitting around, but it's better
>> than the use of Strings where the references are stored in a
>> specific pool to be able to fulfil the Java-specification where
>> the following must work:
>> 
>> String a = "hello";
>> String b = "hello";
>> assertTrue(a == b);

As I understand it, the String "hello" is present in the source code. 
So the Java compiler places it into a string pool, where it exists as 
long as the JVM is alive (and longer until the memory the JVM occupied 
is over-written). This way less memory is used since both a and b refer 
to the same memory location. And this also explains why Strings are 
immutable.

However a String which is created while the application is running 
(user entered, read from file, HTML parameters) does not get put into 
the string pool. Indeed, such an action would quickly use up all 
available memory when reading large files or in long running Web 
applications.

So once the String object is garbage collected, the memory location is 
available for another object, and can be over-written.

And there is no easy way to determine what a series of characters 
represents in memory. A String object takes up memory, but the 
reference to it exists somewhere else. Since you are using a servlet, 
the reference exists on the stack, while the String object exists 
in the heap.

You could request a garbage collection after you have finished with the 
password, then create a large garbage String from a random number 
generator. This might over-write the memory.

> any solution?

Have you actually done a memory dump to see if the String value is 
visible?

Don't forget that the series of characters coming from the Web browser 
is placed into a String, then parsed out into a HashMap and then placed 
into the request. So already you have two copies and you have not yet 
extracted the String for processing.

All of this requires that the attacker has physical access to the 
server and has the rights to be able to run a memory dump program, and 
that the OS allows access to areas of memory not belonging to the 
program.

I would be more worried about a key logger on the client machine where 
a user enters the password into a Web browser.

-- 
Wojtek :-)

---
 * Synchronet * The Whitehouse BBS --- whitehouse.hulds.com --- check it out free usenet!
--- Synchronet 3.15a-Win32 NewsLink 1.92
Time Warp of the Future BBS - telnet://time.synchro.net:24
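The char[] discipline Lothar describes above, together with Wojtek's point that the servlet has already made String copies before the application sees the parameter, as an added Java example that is not part of this thread: it decodes the password field straight from the raw form-encoded request bytes into a char[] (so no String is created for the value at all), hashes it with PBKDF2 (a technique chosen for this illustration; the thread does not name one), and zeroes every copy the caller controls. The class and method names and the sample request body are invented for the example; a real servlet would read the bytes from request.getInputStream() instead of calling getParameter().

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not code from the thread. Names are invented for the illustration.
public class PasswordField {

    // Constructed sample request body; in a servlet these bytes come from request.getInputStream().
    static final byte[] SAMPLE_BODY =
            "user=fred&password=correct+horse%21".getBytes(StandardCharsets.ISO_8859_1);

    /** Decode one application/x-www-form-urlencoded field into a char[] without creating a String. */
    static char[] readPasswordField(byte[] body, String name) {
        byte[] key = (name + "=").getBytes(StandardCharsets.ISO_8859_1);
        int start = -1;
        for (int i = indexOf(body, key, 0); i >= 0; i = indexOf(body, key, i + 1)) {
            if (i == 0 || body[i - 1] == '&') { start = i + key.length; break; }  // whole field name only
        }
        if (start < 0) return null;
        int end = start;
        while (end < body.length && body[end] != '&') end++;

        // Undo '+' and %XX escaping into a scratch byte[] that is wiped afterwards.
        byte[] raw = new byte[end - start];
        int n = 0;
        for (int i = start; i < end; i++) {
            byte b = body[i];
            if (b == '+') {
                raw[n++] = ' ';
            } else if (b == '%' && i + 2 < end) {
                raw[n++] = (byte) (hexVal(body[i + 1]) * 16 + hexVal(body[i + 2]));
                i += 2;
            } else {
                raw[n++] = b;
            }
        }
        // UTF-8 bytes -> chars via CharBuffer; the decoder's backing array is wiped too.
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw, 0, n));
        char[] pw = new char[cb.remaining()];
        cb.get(pw);
        Arrays.fill(raw, (byte) 0);
        if (cb.hasArray()) Arrays.fill(cb.array(), '\0');
        return pw;
    }

    static int hexVal(byte b) {
        if (b >= '0' && b <= '9') return b - '0';
        if (b >= 'a' && b <= 'f') return b - 'a' + 10;
        if (b >= 'A' && b <= 'F') return b - 'A' + 10;
        throw new IllegalArgumentException("bad percent-escape");
    }

    static int indexOf(byte[] hay, byte[] needle, int from) {
        outer:
        for (int i = from; i <= hay.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    /** Derive a PBKDF2 hash and zero every copy of the password this method controls. */
    static byte[] hashAndWipe(char[] pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, 256);  // PBEKeySpec clones pw internally
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();      // zero the clone inside the KeySpec
            Arrays.fill(pw, '\0');     // zero the caller's array
        }
    }

    static boolean allZero(char[] a) {
        for (char c : a) if (c != '\0') return false;
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        char[] pw = readPasswordField(SAMPLE_BODY, "password");   // "correct horse!"
        byte[] hash = hashAndWipe(pw, salt);
        System.out.println("derived " + hash.length + " bytes; password array wiped: " + allZero(pw));

        // Contrast: the String route leaves an immutable copy nobody can overwrite; it
        // stays in the heap until the GC reclaims it and the memory is reused.
        String leaked = new String(SAMPLE_BODY, StandardCharsets.ISO_8859_1);
        System.out.println("String copy still holds the value: " + leaked.contains("correct+horse"));
    }
}
```

This only removes the copies under the application's control; as Lothar notes, the JVM may still have moved or duplicated the array during garbage collection, and any String the container built from the request body before this code ran is untouched. To answer Wojtek's question of whether the value is actually visible, take a heap dump of a test instance with `jmap -dump:format=b,file=heap.hprof <pid>` (or `jcmd <pid> GC.heap_dump heap.hprof`) and run `strings heap.hprof | grep` for the known test password: a String holding it that is still reachable will show up, the zeroed char[] will not.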



Thread

passwords, Strings and me "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
  Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
    Re: passwords, Strings an "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
      Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
      Re: passwords, Strings an "Wojtek" <wojtek@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
        Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
          Re: passwords, Strings an "Wojtek" <wojtek@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
        Re: passwords, Strings an "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
          Re: passwords, Strings an "Maarten Bodewes" <maarten.bodewes@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
