JavaOne 2016 - JVM assisted sensitive data
Transcript of JavaOne 2016 - JVM assisted sensitive data
JVM Assisted Clearing of Sensitive Data
Charlie Gracie
Advisory Software Developer
IBM Runtime Technologies
September 21, 2016
Who am I
• Software developer at IBM on the J9 Java VM since 2004
• Garbage collection architect
• Also a project lead on the Eclipse OMR project
– https://github.com/eclipse/omr
– https://eclipse.org/omr
Sensitive data
• Sensitive Personal Information (SPI)
– SIN, passwords, credit card numbers, etc.
• Encryption keys, certificates, etc.
• Other confidential data
How is this a problem?
• Attacks like Heartbleed
• Transmitting diagnostic files for support
– Example: the header of a HotSpot crash log
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# SIGSEGV (0xb) at pc=0x417789d7, pid=21139, tid=1024
#
# Java VM: Java HotSpot(TM) Server VM (6-beta2-b63 mixed mode)
# Problematic frame:
# C [libApplication.so+0x9d7]
• Running monitoring tools
Solution
• Do not store sensitive data on the heap
Best practices
• Do not store sensitive data on the heap
• Limit the time it is on the heap
• Use char[] instead of Strings
• Hash char[] data so it isn’t in clear text
Clear the data yourself
• Do not rely on the GC
– Data may still be present hours after it is no longer used!
• Arrays.fill(user.password, '\0');
• user.SIN = 0;
Use char[] instead of Strings
• Strings are immutable in Java
• Strings could be cached in the intern() list
• JPasswordField getPassword() returns char[]
• Exceptions/logging may print Object.toString
– A string will print its contents
– A char[] will print the memory location
Hash char[] data
• Hash the char[] data as soon as possible
– No clear text on the heap
• This adds another level of protection
Example to handle passwords
String username = usernameField.getText();
char[] password = passwordField.getPassword();
// Hash the password in place in the array
secureHash(password);
// Check to see if the username / password combo are valid
boolean isValidLogin = isPasswordCorrect(username, password);
// Zero the hashed password
Arrays.fill(password, '0');
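The password flow above in runnable form, added here as an example rather than the talk's own code: the names `PasswordHandling`, `hashAndWipe` and `isPasswordCorrect` are assumptions, the enrollment record is constructed inline, and SHA-256 stands in for a real (salted, slow) password hash.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class PasswordHandling {
    // Hash the password chars and wipe the input array before returning, so the
    // clear text lives on the heap only until this method finishes. A digest is
    // longer than most passwords, so it comes back as a new array instead of being
    // written "in place"; the caller owns that array and must wipe it as well.
    static byte[] hashAndWipe(char[] password) throws NoSuchAlgorithmException {
        byte[] utf16 = new byte[password.length * 2];   // manual UTF-16BE, no String created
        for (int i = 0; i < password.length; i++) {
            utf16[2 * i] = (byte) (password[i] >> 8);
            utf16[2 * i + 1] = (byte) password[i];
        }
        Arrays.fill(password, '\0');                    // clear text removed from this copy
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(utf16);
        Arrays.fill(utf16, (byte) 0);                   // the byte copy is clear text too
        return digest;
    }

    // Compare in constant time (MessageDigest.isEqual), then wipe the candidate digest.
    static boolean isPasswordCorrect(byte[] storedDigest, char[] password)
            throws NoSuchAlgorithmException {
        byte[] candidate = hashAndWipe(password);
        try {
            return MessageDigest.isEqual(storedDigest, candidate);
        } finally {
            Arrays.fill(candidate, (byte) 0);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample enrollment: the char[] is built without a String literal,
        // because a literal would sit in the constant pool for the whole run.
        char[] enrolled = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        byte[] stored = hashAndWipe(enrolled);          // what the user store keeps
        System.out.println("enrollment input wiped: " + (enrolled[0] == '\0'));
        // Login attempt, e.g. the char[] from JPasswordField.getPassword().
        char[] attempt = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        System.out.println("concatenating a char[] logs no contents: " + attempt);
        System.out.println("login ok: " + isPasswordCorrect(stored, attempt));
        char[] wrong = {'h', 'u', 'n', 't', 'e', 'r', '3'};
        System.out.println("wrong password ok: " + isPasswordCorrect(stored, wrong));
        Arrays.fill(stored, (byte) 0);
        // Only this copy is wiped; a moving GC may have left an older copy behind (the talk's gap).
    }
}
```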
Is that enough?
• Can I still find the data after you clear it?
• Yes, it is possible!
GC object movement
1. Perform a copy collection in the young generation
2. Defragment the tenure area
Compaction example
(diagram built up over five slides; not captured in the transcript)
• Provide new APIs to create sensitive objects• After object movement the GC will clear the old locations
– Only for sensitive objects• On object death the GC could clear the data
– This would likely be an optional feature– You still should clear it yourself
• Tooling can be provided to clean diagnostic files
My proposal
New APIs
• Provide a set of APIs for allocating sensitive objects
• Provide an API for converting an object to a sensitive object
• Provide an API to clear the object
SensitiveObjects
• APIs should be implementable by all JVMs
– JVM is free to track objects in the most efficient way for that JVM
• No API to query the list of sensitive objects
• No API to make a sensitive object not sensitive
New APIs
• Allocation
1. Array.newSensitiveInstance(Class<?> componentType, int length)
2. Array.newSensitiveInstance(Class<?> componentType, int... dimensions)
3. Class.newSensitiveInstance()
4. Constructor.newSensitiveInstance(Object... initArgs)
New APIs
• Converting and clearing
1. SensitiveObject.convertToSensitiveInstance(Object object)
2. SensitiveObject.clearData(Object object)
GC cost for sensitive objects
• Small cost per object that is moved
– Need to clear the data
– JVMs already use very optimized versions of memory clearing
• Clearing dead objects
– Likely causes extra list management for sensitive objects
– Forces the GC to visit dead objects
• Overhead at allocation time
– GC has to mark this object as sensitive
Diagnostic files
• Clean sensitive objects when creating the files
• Post process the files to clean sensitive data
Next steps
• Create a JSR/JEP for the proposal
• Get feedback from you, the developers
Points to takeaway
• Limit the time sensitive data is on the heap
• Do not store sensitive data in String objects
• Hash or obfuscate the data when possible
• Think about my proposal and provide feedback
Thank You!
Charlie Gracie | [email protected] | @crgracie