
JavaOne 2016 - JVM assisted sensitive data



Explains what sensitive data is, why it can be an issue, and some simple techniques to improve your application. Also explains how the GC creates copies of your data and proposes a solution for this issue.

Published in: Software


  1. JVM Assisted Clearing of Sensitive Data. Charlie Gracie, Advisory Software Developer, IBM Runtime Technologies. September 21, 2016
  2. Who am I
     • Software developer at IBM on the J9 Java VM since 2004
     • Garbage collection architect
     • Also a project lead on the Eclipse OMR project
       – https://github.com/eclipse/omr
       – https://eclipse.org/omr
  3. Sensitive data (section title)
  4. Sensitive data (slides 4-6, one bullet revealed per slide)
     • Sensitive Personal Information (SPI)
       – SIN, passwords, credit card numbers, etc.
     • Encryption keys, certificates, etc.
     • Other confidential data
  7. How is this a problem? (section title)
  8. How is this a problem? (slides 8-11, one bullet revealed per slide)
     • Attacks like Heartbleed
     • Transmitting diagnostic files for support
       – Crash log shown on slide 10:
         # An unexpected error has been detected by HotSpot Virtual Machine:
         #
         # SIGSEGV (0xb) at pc=0x417789d7, pid=21139, tid=1024
         #
         # Java VM: Java HotSpot(TM) Server VM (6-beta2-b63 mixed mode)
         # Problematic frame:
         # C [libApplication.so+0x9d7]
     • Running monitoring tools
  12. Solution
     • Do not store sensitive data on the heap
  13. Best practices
     • Do not store sensitive data on the heap
     • Limit the time it is on the heap
     • Use char[] instead of Strings
     • Hash char[] data so it isn't in clear text
  14. Clear the data yourself
     • Do not rely on the GC
       – Data may still be present hours after it is no longer used!
     • Arrays.fill(user.password, 0);
     • user.SIN = 0;
  15. Use char[] instead of Strings
     • Strings are immutable in Java
     • Strings could be cached in the intern() list
     • JPasswordField getPassword() returns char[]
     • Exceptions/logging may print Object.toString
       – A String will print its contents
       – A char[] will print the memory location
  16. Hash char[] data
     • Hash the char[] data as soon as possible
       – No clear text on the heap
     • This adds another level of protection
  17. Example to handle passwords (slides 17-21 show the same code, highlighted step by step)
     String username = usernameField.getText();
     char[] password = passwordField.getPassword();
     // Hash the password in place in the array
     // (secureHash and isPasswordCorrect are application helpers, not JDK methods)
     secureHash(password);
     // Check to see if the username / password combo are valid
     boolean isValidLogin = isPasswordCorrect(username, password);
     // Zero out the hashed password, for security.
     Arrays.fill(password, '0');
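A fuller version of the slide's password-handling sketch, added here as an example that is not from the talk: it hashes with a real SHA-256 MessageDigest, encodes the char[] to bytes without ever constructing a String, wipes every intermediate copy it controls, and compares hashes in constant time. Unlike the slide, the hash is returned as a byte[] instead of being written back into the char[]; the user table, the credential and the method names are constructed for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/** Added example, not from the slides: a login check that never turns the password into a String. */
public final class PasswordCheck {
    /** Hashes a char[] without creating a String; the intermediate UTF-8 bytes are wiped before returning. */
    static byte[] secureHash(char[] password) throws NoSuchAlgorithmException {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        // Pre-size the buffer so the encoder never has to grow it (growing would leave a second copy behind)
        ByteBuffer bytes = ByteBuffer.allocate((int) Math.ceil(password.length * enc.maxBytesPerChar()));
        enc.encode(CharBuffer.wrap(password), bytes, true);
        enc.flush(bytes);
        bytes.flip();
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(bytes);          // digest straight from the buffer, no byte[] copy of the clear text
            return md.digest();
        } finally {
            Arrays.fill(bytes.array(), (byte) 0);   // clear-text bytes are gone as soon as the digest exists
        }
    }

    // Constructed user table: username -> hash. A real system adds a per-user salt and a slow KDF (PBKDF2 etc.).
    private static final Map<String, byte[]> USERS = new HashMap<>();

    /** Constant-time comparison so response time does not reveal how many hash bytes matched. */
    static boolean isPasswordCorrect(String username, byte[] hashedPassword) {
        byte[] expected = USERS.get(username);
        return expected != null && MessageDigest.isEqual(expected, hashedPassword);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Built as a char[] on purpose: a String literal here would itself sit in the intern pool
        char[] password = {'h', 'u', 'n', 't', 'e', 'r', '2'};          // constructed sample credential
        USERS.put("alice", secureHash(password));                          // enrol it
        byte[] hashed = secureHash(password);                              // stands in for getPassword() + secureHash
        Arrays.fill(password, '\0');                                       // clear text wiped before the lookup
        boolean isValidLogin = isPasswordCorrect("alice", hashed);
        Arrays.fill(hashed, (byte) 0);                                     // and the hash right after use
        // Logging the char[] by accident prints "[C@<identity hash>", not the password
        System.out.println("valid=" + isValidLogin + " password now=" + password);
    }
}
```

The MessageDigest's own internal buffering is outside the caller's control, and, as the next slides explain, the GC may still hold stale copies of the arrays that were wiped here.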
  22. Is that enough? (slides 22-23)
     • Can I still find the data after you clear it?
     • Yes, it is possible!
  24. GC object movement
     1. Perform a copy collection in the young generation
     2. Defragment the tenure area
  25. Compaction example (slides 25-29 are diagram-only; only the title is in the transcript)
  30. My proposal
     • Provide new APIs to create sensitive objects
     • After object movement the GC will clear the old locations
       – Only for sensitive objects
     • On object death the GC could clear the data
       – This would likely be an optional feature
       – You still should clear it yourself
     • Tooling can be provided to clean diagnostic files
  31. New APIs
     • Provide a set of APIs for allocating sensitive objects
     • Provide an API for converting an object to a sensitive object
     • Provide an API to clear the object
  32. SensitiveObjects
     • APIs should be implementable by all JVMs
       – JVM is free to track objects in the most efficient way for that JVM
     • No API to query the list of sensitive objects
     • No API to make a sensitive object not sensitive
  33. New APIs
     • Allocation
       1. Array.newSensitiveInstance(Class<?> componentType, int length)
       2. Array.newSensitiveInstance(Class<?> componentType, int... dimensions)
       3. Class.newSensitiveInstance()
       4. Constructor.newSensitiveInstance(Object... initArgs)
  34. New APIs
     • Converting and clearing
       1. SensitiveObject.convertToSensitiveInstance(Object object)
       2. SensitiveObject.clearData(Object object)
  35. GC cost for sensitive objects
     • Small cost per object that is moved
       – Need to clear the data
       – JVMs already use very optimized versions of memory clearing
     • Clearing dead objects
       – Likely causes extra list management for sensitive objects
       – Forces the GC to visit dead objects
     • Overhead at allocation time
       – GC has to mark this object as sensitive
  36. Diagnostic files
     • Clean sensitive objects when creating the files
     • Post-process the files to clean sensitive data
  37. Next steps
     • Create a JSR/JEP for the proposal
     • Get feedback from you, the developers
  38. Points to take away
     • Limit the time sensitive data is on the heap
     • Do not store sensitive data in String objects
     • Hash or obfuscate the data when possible
     • Think about my proposal and provide feedback
  39. Thank You! Charlie Gracie | cgracie@ca.ibm.com | @crgracie
