
Page 1: JavaOne 2016 - JVM assisted sensitive data

JVM Assisted Clearing of Sensitive Data
Charlie Gracie
Advisory Software Developer
IBM Runtime Technologies
September 21, 2016

Page 2: JavaOne 2016 - JVM assisted sensitive data

Who am I

• Software developer at IBM on the J9 Java VM since 2004
• Garbage collection architect
• Also a project lead on the Eclipse OMR project
  – https://github.com/eclipse/omr
  – https://eclipse.org/omr

Page 3: JavaOne 2016 - JVM assisted sensitive data

Sensitive data

Page 4: JavaOne 2016 - JVM assisted sensitive data

Sensitive data

• Sensitive Personal Information (SPI)
  – SIN, passwords, credit card numbers, etc.

Page 5: JavaOne 2016 - JVM assisted sensitive data

Sensitive data

• Sensitive Personal Information (SPI)
  – SIN, passwords, credit card numbers, etc.
• Encryption keys, certificates, etc.

Page 6: JavaOne 2016 - JVM assisted sensitive data

Sensitive data

• Sensitive Personal Information (SPI)
  – SIN, passwords, credit card numbers, etc.
• Encryption keys, certificates, etc.
• Other confidential data

Page 7: JavaOne 2016 - JVM assisted sensitive data

How is this a problem?

Page 8: JavaOne 2016 - JVM assisted sensitive data

How is this a problem?

• Attacks like Heartbleed

Page 9: JavaOne 2016 - JVM assisted sensitive data

How is this a problem?

• Attacks like Heartbleed
• Transmitting diagnostic files for support

Page 10: JavaOne 2016 - JVM assisted sensitive data

How is this a problem?

• Attacks like Heartbleed
• Transmitting diagnostic files for support

# An unexpected error has been detected by HotSpot Virtual Machine:
#
# SIGSEGV (0xb) at pc=0x417789d7, pid=21139, tid=1024
#
# Java VM: Java HotSpot(TM) Server VM (6-beta2-b63 mixed mode)
# Problematic frame:
# C [libApplication.so+0x9d7]

Page 11: JavaOne 2016 - JVM assisted sensitive data

How is this a problem?

• Attacks like Heartbleed
• Transmitting diagnostic files for support
• Running monitoring tools

Page 12: JavaOne 2016 - JVM assisted sensitive data

Solution

• Do not store sensitive data on the heap

Page 13: JavaOne 2016 - JVM assisted sensitive data

Best practices

• Do not store sensitive data on the heap
• Limit the time it is on the heap
• Use char[] instead of Strings
• Hash char[] data so it isn't in clear text

Page 14: JavaOne 2016 - JVM assisted sensitive data

Clear the data yourself

• Do not rely on the GC
  – Data may still be present hours after it is no longer used!
• Arrays.fill(user.password, 0);
• user.SIN = 0;

Page 15: JavaOne 2016 - JVM assisted sensitive data

Use char[] instead of Strings

• Strings are immutable in Java
• Strings could be cached in the intern() list
• JPasswordField getPassword() returns char[]
• Exceptions/logging may print Object.toString
  – A String will print its contents
  – A char[] will print the memory location

Page 16: JavaOne 2016 - JVM assisted sensitive data

Hash char[] data

• Hash the char[] data as soon as possible
  – No clear text on the heap
• This adds another level of protection

Page 17: JavaOne 2016 - JVM assisted sensitive data

Example to handle passwords

// secureHash() and isPasswordCorrect() are the talk's placeholders for the
// application's own hashing and credential check.
String username = usernameField.getText();
char[] password = passwordField.getPassword();

// Hash the password in place in the array
secureHash(password);

// Check to see if the username / password combo are valid
boolean isValidLogin = isPasswordCorrect(username, password);

// Zero out the hashed password, for security.
Arrays.fill(password, '\0');

Page 21: JavaOne 2016 - JVM assisted sensitive data

Example to handle passwords

// secureHash() and isPasswordCorrect() are the talk's placeholders for the
// application's own hashing and credential check.
String username = usernameField.getText();
char[] password = passwordField.getPassword();

// Hash the password in place in the array
secureHash(password);

// Check to see if the username / password combo are valid
boolean isValidLogin = isPasswordCorrect(username, password);

// Zero the hashed password
Arrays.fill(password, '\0');
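The slide's login flow, filled in so that it compiles and runs. This is an added example, not code from the talk or from IBM: secureHash() and isPasswordCorrect() are the talk's placeholders, and hashAndClear(), constantTimeEquals(), isCleared() and describeForLog() are stand-ins I wrote for them. It also illustrates the earlier point about logging: concatenating a String into a message prints its contents, concatenating a char[] prints only its identity.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added example (not from the talk): the slide's password handling with every
 * placeholder replaced by a working stand-in.
 */
public final class PasswordHandling {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /**
     * Hash the password and wipe the clear-text array. A digest has a fixed
     * length, so unlike the slide's in-place secureHash() this returns a new
     * char[] of hex digits, which the caller owns and must clear as well.
     * Plain SHA-256 keeps the example self-contained; a production login path
     * would use a salted, slow password hash such as PBKDF2.
     */
    static char[] hashAndClear(char[] password) {
        // Encode via CharBuffer, never via String, so no immutable copy is created.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] raw = new byte[encoded.remaining()];
        encoded.get(raw);
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(raw);
            char[] hex = new char[digest.length * 2];
            for (int i = 0; i < digest.length; i++) {
                hex[2 * i] = HEX[(digest[i] >> 4) & 0xf];
                hex[2 * i + 1] = HEX[digest[i] & 0xf];
            }
            return hex;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        } finally {
            // Clear every copy of the clear text, including the encoder's buffer.
            Arrays.fill(raw, (byte) 0);
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
            Arrays.fill(password, '\0');
        }
    }

    /** Compare two hashes without an early exit, so timing does not reveal where they differ. */
    static boolean constantTimeEquals(char[] a, char[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /** True when every element has been overwritten with '\0'. */
    static boolean isCleared(char[] data) {
        for (char c : data) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    /** The logging point from slide 15: a String prints its text, a char[] prints only [C@<identity hash>. */
    static String describeForLog(Object credential) {
        return "credential=" + credential;
    }

    public static void main(String[] args) {
        // Constructed sample input. A real UI would call passwordField.getPassword();
        // the literal below is itself an interned String, exactly what the talk warns
        // against, and exists only to keep this demo self-contained.
        String username = "alice";
        char[] password = "correct horse battery staple".toCharArray();
        char[] storedHash = hashAndClear("correct horse battery staple".toCharArray()); // simulated enrolment

        System.out.println(describeForLog(password));   // identity only, never the password

        char[] hashed = hashAndClear(password);          // password[] is now all '\0'
        boolean isValidLogin = constantTimeEquals(hashed, storedHash);
        Arrays.fill(hashed, '\0');                       // the hash is sensitive too
        Arrays.fill(storedHash, '\0');

        System.out.println("login for " + username + (isValidLogin ? " accepted" : " rejected")
                + ", clear text wiped: " + isCleared(password));
    }
}
```

Note that the clear-text password exists in three places during hashAndClear(): the caller's char[], the encoder's ByteBuffer and the raw byte[]; the finally block wipes all three, which is the part most hand-written versions forget.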

Page 22: JavaOne 2016 - JVM assisted sensitive data

Is that enough?

• Can I still find the data after you clear it?

Page 23: JavaOne 2016 - JVM assisted sensitive data

Is that enough?

• Can I still find the data after you clear it?
• Yes, it is possible!

Page 24: JavaOne 2016 - JVM assisted sensitive data

GC object movement

1. Perform a copy collection in the young generation
2. Defragment the tenure area

Page 25: JavaOne 2016 - JVM assisted sensitive data

Compaction example

(Slides 25 to 29 are a sequence of images titled "Compaction example"; the images are not preserved in this transcript.)

Page 30: JavaOne 2016 - JVM assisted sensitive data

My proposal

• Provide new APIs to create sensitive objects
• After object movement the GC will clear the old locations
  – Only for sensitive objects
• On object death the GC could clear the data
  – This would likely be an optional feature
  – You still should clear it yourself
• Tooling can be provided to clean diagnostic files
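To make the object-movement problem from slides 24 and 30 concrete, here is a toy sliding-compaction heap. It is an added example and not J9, OMR or any real collector: a byte[] "arena" stands in for the heap, Obj is the collector's per-object header, and the sensitive flag is my stand-in for whatever the proposed newSensitiveInstance() APIs would record. The scenario allocates a short-lived object below a sensitive one, lets the short-lived object die, compacts, and then has the application follow the best practice and clear the sensitive object itself.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not J9, OMR or any real collector): a toy sliding-compaction
 * heap showing why Arrays.fill() on a live object can miss the copy the GC
 * left behind, and what changes when the GC clears the old location of an
 * object it has flagged as sensitive.
 */
public final class ToyCompactingHeap {

    /** Per-object header the collector keeps: where it lives and whether it is sensitive. */
    static final class Obj {
        int offset;
        final int size;
        final boolean sensitive;
        boolean live = true;

        Obj(int offset, int size, boolean sensitive) {
            this.offset = offset;
            this.size = size;
            this.sensitive = sensitive;
        }
    }

    private final byte[] arena;                           // stand-in for the Java heap
    private final List<Obj> objects = new ArrayList<>();  // allocation order == address order
    private int top = 0;

    ToyCompactingHeap(int capacity) {
        arena = new byte[capacity];
    }

    /** Bump-pointer allocation; the hypothetical newSensitiveInstance() would just set the flag. */
    Obj allocate(byte[] contents, boolean sensitive) {
        Obj o = new Obj(top, contents.length, sensitive);
        System.arraycopy(contents, 0, arena, top, contents.length);
        top += contents.length;
        objects.add(o);
        return o;
    }

    /** What the application does today: overwrite the object at its current address. */
    void clear(Obj o) {
        Arrays.fill(arena, o.offset, o.offset + o.size, (byte) 0);
    }

    /**
     * Sliding compaction: live objects move down over the gaps left by dead ones.
     * With clearStaleSensitive set, the bytes of a moved sensitive object that are
     * not covered by its new location are zeroed, as the proposal describes.
     */
    void compact(boolean clearStaleSensitive) {
        int dest = 0;
        for (Obj o : objects) {
            if (!o.live) {
                continue;
            }
            if (o.offset != dest) {
                System.arraycopy(arena, o.offset, arena, dest, o.size); // overlap-safe
                if (clearStaleSensitive && o.sensitive) {
                    // Old and new ranges may overlap; wipe only the part no longer in use.
                    int staleStart = Math.max(o.offset, dest + o.size);
                    Arrays.fill(arena, staleStart, o.offset + o.size, (byte) 0);
                }
                o.offset = dest;
            }
            dest += o.size;
        }
        objects.removeIf(o -> !o.live);
        top = dest;
    }

    /** Forensic view of a heap dump: count every occurrence of the pattern, live or stale. */
    int countOccurrences(byte[] pattern) {
        int hits = 0;
        for (int i = 0; i + pattern.length <= arena.length; i++) {
            int j = 0;
            while (j < pattern.length && arena[i + j] == pattern[j]) {
                j++;
            }
            if (j == pattern.length) {
                hits++;
            }
        }
        return hits;
    }

    /** Runs the scenario and returns how many copies of the secret survive the app's own clear(). */
    static int leftoverCopies(boolean gcClearsOldLocation) {
        ToyCompactingHeap heap = new ToyCompactingHeap(64);
        byte[] secret = "hunter2!".getBytes(StandardCharsets.US_ASCII); // constructed sample
        Obj shortLived = heap.allocate(new byte[16], false);
        Obj password = heap.allocate(secret, true);
        heap.allocate(new byte[8], false);
        shortLived.live = false;           // dies first, leaving a gap below the password
        heap.compact(gcClearsOldLocation); // the password slides down 16 bytes
        heap.clear(password);              // the application follows the best practice
        return heap.countOccurrences(secret);
    }

    public static void main(String[] args) {
        System.out.println("copies left, GC ignores sensitivity:  " + leftoverCopies(false));
        System.out.println("copies left, GC clears old location:  " + leftoverCopies(true));
    }
}
```

Walking the scenario through by hand: leftoverCopies(false) returns 1, because the application's clear() reaches only the new address and the stale copy at the old one is untouched, which is exactly what a heap dump or memory scan would find. leftoverCopies(true) returns 0, since the collector wiped the old location when it moved the flagged object. The Math.max in compact() matters for a real collector: when an object slides down by less than its own size, part of the old range is already overwritten by the new copy and must not be zeroed.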

Page 31: JavaOne 2016 - JVM assisted sensitive data

New APIs

• Provide a set of APIs for allocating sensitive objects
• Provide an API for converting an object to a sensitive object
• Provide an API to clear the object

Page 32: JavaOne 2016 - JVM assisted sensitive data

SensitiveObjects

• APIs should be implementable by all JVMs
  – JVM is free to track objects in the most efficient way for that JVM
• No API to query the list of sensitive objects
• No API to make a sensitive object not sensitive

Page 33: JavaOne 2016 - JVM assisted sensitive data

New APIs

• Allocation
  1. Array.newSensitiveInstance(Class<?> componentType, int length)
  2. Array.newSensitiveInstance(Class<?> componentType, int... dimensions)
  3. Class.newSensitiveInstance()
  4. Constructor.newSensitiveInstance(Object... initArgs)

Page 34: JavaOne 2016 - JVM assisted sensitive data

New APIs

• Converting and clearing
  1. SensitiveObject.convertToSensitiveInstance(Object object)
  2. SensitiveObject.clearData(Object object)

Page 35: JavaOne 2016 - JVM assisted sensitive data

GC cost for sensitive objects

• Small cost per object that is moved
  – Need to clear the data
  – JVMs already use very optimized versions of memory clearing
• Clearing dead objects
  – Likely causes extra list management for sensitive objects
  – Forces the GC to visit dead objects
• Overhead at allocation time
  – GC has to mark this object as sensitive

Page 36: JavaOne 2016 - JVM assisted sensitive data

Diagnostic files

• Clean sensitive objects when creating the files
• Post process the files to clean sensitive data

Page 37: JavaOne 2016 - JVM assisted sensitive data

Next steps

• Create a JSR/JEP for the proposal
• Get feedback from you, the developers

Page 38: JavaOne 2016 - JVM assisted sensitive data

Points to take away

• Limit the time sensitive data is on the heap
• Do not store sensitive data in String objects
• Hash or obfuscate the data when possible
• Think about my proposal and provide feedback

Page 39: JavaOne 2016 - JVM assisted sensitive data

Thank You!

Charlie Gracie| [email protected] | @crgracie