Passing sensitive data from C to Java

Question

I am developing a C program which has to invoke a Java main() through popen() and send some data as command line arguments to it. However, there is some more data that needs to be sent to Java from C which is somewhat sensitive in nature (not the password kinds, though).

I am trying to see if there is any other option besides encryption to send this extra data from C to Java. I am trying to avoid overheads as data is not as sensitive so as to go for encryption, but I am open to any suggestion in this regard.

I cannot send this extra data through popen() as it will be visible through ps -f .

Similarly, using sockets does not seem viable because tcpdump can reveal that information too.

I considered using shared mem (/dev/shm) but that too can be viewed or use hidden files. Since, this also comes with overheads of creating files for every invocation, I am not fully in favor.

I looked at ANON file mapping but I guess, I cannot use it in Java side. Similarly, using fmemopen() reference does not seem be possible through Java. Would FIFO pipes be a better option? Or can they also be read easily?

If I just resort to plain mmap() and write data to it ( not create it on disk - no O_CREAT in open call ), and not perform msynch would it remain entirely in memory? Can I then read in Java from it?

Is encryption my only option or am I missing something basic?

This link discusses sending plain data over to Java from C.

Answer 1

If a user can use tcpdump, the user has root access. This user can also put a debugger on your Java program and see exactly what it does, even before the data is encrypted. The only way to achieve what you want is to go for total obfuscation techniques and encryption, like the Skype client does ¹ .

But since you at the same time say, that the data is not that sensitive, it seems like overkill. Maybe a simple obfuscation technique so the output is not visible to a casual observer is enough? (Like Rocker suggested.) Either that, or make sure the "untrusted" user does not have root access on the server where your system (Java + C program) runs.

A decent ² obfuscation and probably a good trade-off, would be to use mmap() (or System V shared mem ) to communicate.

If you use the MAP_LOCKED option and MAP_ANONYMOUS , the memory area will not end up on disk. MAP_LOCKED prevents it from going to swap, and MAP_ANONYMOUS tells the OS to not use a backing file.

Also, did you consider using JNI instead, to access your C code? That way, your C code would be part of the Java process and the distrusted user would need a debugger to spy on what was going on.

---

^{1 The Skype client is not impossible to spy upon, but very hard. This comes at a price though, it must be extra costly maintain that code while keeping the obfuscation techniques intact. It is also an arms race between the Skype coders and the researchers trying to figure out how it works.}

^{2 It would stop me for a long while, I would have to read up a LOT on debugging techniques before I figured out what was even happening, and then a lot of work to figure out what was "talked" about between the two programs. A more talented person would probably decipher everything in at most an afternoon.}

Answer 2

Best way to avoide intensed user to use data is encr. If you still want other mechanism than one way is -
If your data contains mixture of multiple data types ie int float char* etc. than convert data into binary format. binary data is not readable by user directly. But intensed user if he want can convert back to original format. Its kind of encr only user can decr it if they want.

but this is not recommended. Use some standard encr.