使用java.lang.String存储敏感数据是否有害?
[英]Is it harmful to use java.lang.String to store sensitive data?
问题描述
Because Java string objects are immutable and the garbage collector asynchronous, storing authentication information in strings prevents one sort of security in favor of thread safety. 
因为Java字符串对象是不可变的,并且垃圾回收器是异步的,所以将身份验证信息存储在字符串中会阻止一种有利于线程安全的安全性。
Securely handling such information requires mutability, ie zeroing out memory previously used to store sensitive information. 安全地处理此类信息需要可变性,即将以前用于存储敏感信息的内存清零。
Assume you may be using a version of openssl with the HeartBleed vulnerability. 假设您正在使用带有HeartBleed漏洞的openssl版本。
Is it not the case that a naive implementation of authentication may result in JVM memory being littered with usernames and passwords? 幼稚的身份验证实现是否可能导致JVM内存堆满用户名和密码?
Should java.lang.string be avoided altogether if you can't know a priori that the information is not sensitive? 如果您不知道信息不敏感,就应该完全避免使用java.lang.string吗?
And as a side-question, what can the Jvm do to mitigate the risk? 另外,Jvm可以采取什么措施来减轻风险? I'm not aware of a switch a la "eagerly zero-fill reclaimed memory ASAP. " 我不知道“尽快将零填充回收的内存”切换为“ la”。
1 个解决方案
解决方案1
3 已采纳 2014-06-07 18:59:07
I am not much of a crypto expert, but I think this depends on your assessment of the threat model. 我不是加密专家,但是我认为这取决于您对威胁模型的评估。
If you can assume that an attacker can read random parts of memory, I'm honestly not sure how you can design a cryptographically secure system. 如果您可以假设攻击者可以读取内存的随机部分,那么我确实不确定您如何设计密码安全的系统。 After all, an attacker might be able to extract your secret key as soon as you pull it into memory. 毕竟,攻击者只要将您的秘密密钥拉入内存,便可以将其提取出来。 If you assume that attackers can do this, putting in extra protections to clear memory as fast as possible won't change the fact that your system is still vulnerable. 如果您认为攻击者可以做到这一点,那么采取额外的保护措施以尽快清除内存不会改变您的系统仍然容易受到攻击的事实。 An attacker with any advance knowledge of the timing of the system could break into it. 拥有系统定时知识的攻击者可能会闯入其中。
If you don't assume that an attacker can do this, then the security concerns of keeping old strings in memory are less important. 如果您不认为攻击者可以这样做,那么将旧字符串保留在内存中的安全性考虑就不那么重要了。 Java's language-level security features should ensure that an attacker who can compromise the JVM can't see the expired string objects. Java的语言级安全性功能应确保可以危害JVM的攻击者看不到过期的字符串对象。 If you don't trust Java's implementation to protect this, then I don't think the fault is more with the JVM than with the string objects. 如果您不信任Java的实现来保护这一点,那么我认为问题不在于JVM,而不仅仅是字符串对象。
More generally, I think the first question to ask is what you can assume an attacker can do. 更普遍地说,我认为要问的第一个问题是您可以假设攻击者可以做什么。 If you think that your system might be vulnerable to someone scanning the contents of RAM, then I think you have a much bigger issue than garbage collectors not running quickly enough. 如果您认为您的系统可能容易受到某人扫描RAM内容的攻击,那么我认为您要比垃圾收集器没有足够快地运行有一个更大的问题。 If you think that someone might be able to run arbitrary Java code, then I don't think it's a problem. 如果您认为某人可能能够运行任意Java代码,那么我认为这不是问题。 If you think that someone might freeze the computer and carry it to a lab to inspect RAM, I think you have larger problems to worry about. 如果您认为有人可能冻结计算机并将其带到实验室检查RAM,那么我认为您有更大的问题要担心。
Hope this helps! 希望这可以帮助!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.