ElectRocnic

Reputation: 1305

Java 11 - How to overwrite sensitive information in JVM- AND System-Memory (perhaps using System.gc()?)

Problem: How to forcefully overwrite system-memory in Java - More specifically: When secure keys must not stay longer than a few seconds in the memory: Neither in the jvm-memory, nor in the OS-Memory?

What I tried: Modifying the java garbage-collector implementation, so that it would for sure overwrite objects with random bytes, instead of just freeing them. However:

Everything I read about System.gc() showed me that I can never really rely on it, and that one should not use it in production. However, what if I know that I use a specific JVM? What if I know that I want to use the OpenJDK with Java 11 and that I configure the JVM to use a specific GC Implementation (to not let the JVM choose the GC)?

Question 1: Can I then somehow be sure that System.gc() will trigger garbage collection 100% of the time?

Question 2: Can I find out what the maximum duration is between System.gc() being called and the actual garbage collection starting? This is a significant part of the question! I could only find answers about garbage-collection efficiency itself (e.g. throughput vs. stop-the-world pause times), but that is NOT the answer to this question. (I read through the whole documentation here.)

Question 3: If the idea with the modified garbage collector is by far the worst idea to securely overwrite each occurrence of various sensible Java objects in the memory, then how could I otherwise overwrite those objects in the memory? Is it even possible with Java? It would be nice to be able to delete and overwrite these objects directly in the Java code, similar to freeing objects in C/C++. Are there other possibilities, maybe outside Java, where I can overwrite each occurrence of such sensible information in the memory, which would have to be triggered as instantly as possible as soon as the Java object is no longer in use?

My research so far:

As you can see those are, except for the official docs, quite old, so:

Question 4: Are there any newer insights available on whether System.gc() behaves the same as it did 10 years ago? Thanks!

*EDIT: I already use byte-arrays for the cases where those can be used. The question is about more complex Java-Objects with various different fields and properties, which have to be cleaned completely in the memory.

Upvotes: 2

Views: 541

Answers (1)

Karol Dowbecki

Reputation: 44960

Assuming you can store the security key in a byte[] or other primitive array it should be enough to zero the array after the key was read:

```java
for (int i = 0; i < key.length; i++) {
  key[i] = 0;
}
```

The above should result in byte[] key being fully overridden. Relying on GC here would be a mistake as it's unpredictable.

Upvotes: 4
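
An added example, not part of the question or the answer: one way to apply the answer's zeroing to an object with several secret fields, the case raised in the question's edit. The class `SessionSecret`, its field names and the sample values are hypothetical; `Arrays.fill` and `javax.security.auth.Destroyable` are standard JDK APIs.

```java
import java.util.Arrays;
import javax.security.auth.Destroyable;

// Hypothetical holder for a multi-field secret; names are illustrative only.
public final class SessionSecret implements Destroyable, AutoCloseable {
    private final byte[] key;        // key material, never converted to String
    private final char[] passphrase; // char[] instead of String so it can be wiped
    private boolean destroyed;

    public SessionSecret(byte[] key, char[] passphrase) {
        // Defensive copies: this object owns, and later wipes, its own arrays.
        this.key = key.clone();
        this.passphrase = passphrase.clone();
    }

    public byte[] keyCopy() {
        if (destroyed) throw new IllegalStateException("secret already destroyed");
        return key.clone(); // the caller must zero this copy as well
    }

    @Override
    public void destroy() {
        // Same effect as the loop in the answer, applied to every secret field.
        Arrays.fill(key, (byte) 0);
        Arrays.fill(passphrase, '\0');
        destroyed = true;
    }

    @Override
    public boolean isDestroyed() { return destroyed; }

    @Override
    public void close() { destroy(); } // enables try-with-resources

    public static void main(String[] args) {
        byte[] rawKey = {0x01, 0x02, 0x03, 0x04}; // constructed sample input
        char[] rawPass = {'d', 'e', 'm', 'o'};    // constructed sample input
        try (SessionSecret secret = new SessionSecret(rawKey, rawPass)) {
            // Wipe the caller's inputs as soon as they have been handed over.
            Arrays.fill(rawKey, (byte) 0);
            Arrays.fill(rawPass, '\0');
            byte[] working = secret.keyCopy();
            try {
                System.out.println("using key of length " + working.length);
            } finally {
                Arrays.fill(working, (byte) 0);
            }
        } // close() zeroes the internal arrays here, without waiting for GC
    }
}
```

Zeroing only clears the arrays this code still holds a reference to. Any copy made elsewhere, such as a `String` built from the bytes, is not touched by it.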
