JavaOne 2016 - JVM Assisted Clearing of Sensitive Data
Charlie Gracie, Advisory Software Developer, IBM Runtime Technologies
September 21, 2016
Who am I
• Software developer at IBM on the J9 Java VM since 2004
• Garbage collection architect
• Also a project lead on the Eclipse OMR project
  – https://github.com/eclipse/omr
  – https://eclipse.org/omr
Sensitive data
• Sensitive Personal Information (SPI)
  – SIN, passwords, credit card numbers, etc.
• Encryption keys, certificates, etc.
• Other confidential data
How is this a problem?
• Attacks like Heartbleed
• Transmitting diagnostic files for support, for example a JVM crash report:

```text
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# SIGSEGV (0xb) at pc=0x417789d7, pid=21139, tid=1024
#
# Java VM: Java HotSpot(TM) Server VM (6-beta2-b63 mixed mode)
# Problematic frame:
# C [libApplication.so+0x9d7]
```

• Running monitoring tools
Best practices
• Do not store sensitive data on the heap
• Limit the time it is on the heap
• Use char[] instead of Strings
• Hash char[] data so it isn't in clear text
Clear the data yourself
• Do not rely on the GC
  – Data may still be present hours after it is no longer used!
• Arrays.fill(user.password, '\0');
• user.SIN = 0;
Use char[] instead of Strings
• Strings are immutable in Java
• Strings could be cached in the intern() list
• JPasswordField.getPassword() returns char[]
• Exceptions/logging may print Object.toString()
  – A String will print its contents
  – A char[] will print the memory location
Hash char[] data
• Hash the char[] data as soon as possible
  – No clear text on the heap
• This adds another level of protection
Example to handle passwords

```java
String username = usernameField.getText();
char[] password = passwordField.getPassword();

// Hash the password in place in the array
secureHash(password);

// Check to see if the username / password combo are valid
boolean isValidLogin = isPasswordCorrect(username, password);

// Zero out the hashed password, for security.
Arrays.fill(password, '\0');
```
Is that enough?
• Can I still find the data after you clear it?
• Yes, it is possible!
GC object movement
1. Perform a copy collection in the young generation
2. Defragment the tenure area
Compaction example (figure sequence: objects are moved to new locations and the old locations keep their contents)
My proposal
• Provide new APIs to create sensitive objects
• After object movement the GC will clear the old locations
  – Only for sensitive objects
• On object death the GC could clear the data
  – This would likely be an optional feature
  – You still should clear it yourself
• Tooling can be provided to clean diagnostic files
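Why clearing your own array is not enough once the GC has moved it, and what the proposal changes, as an added example that is not from the talk, from J9 or from OMR: a toy semispace copying collector in C. The functions gc_copy, copies_in_heap and leftover_copies and the sample secret are constructed for this illustration; a normal object leaves a readable stale copy in from-space after the application clears its array, while the proposed sensitive-object treatment clears the old location during the move.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy semispace copying collector with one object. gc_copy, copies_in_heap
 * and leftover_copies are constructed for this illustration, not J9/OMR code. */
#define SPACE 64
typedef struct { uint8_t from[SPACE]; uint8_t to[SPACE]; } Heap;

/* Move the object at from+off into to-space and return its new offset.
 * A sensitive object also has its old location cleared, as the proposal
 * suggests; a normal object leaves a stale copy behind in from-space. */
static size_t gc_copy(Heap *h, size_t off, size_t len, int sensitive) {
    size_t new_off = 0;                  /* single object: to-space starts at 0 */
    memcpy(h->to + new_off, h->from + off, len);
    if (sensitive)
        memset(h->from + off, 0, len);
    return new_off;
}

/* Scan both semispaces for readable copies of the secret: what a heap dump,
 * core file or memory-disclosure bug would expose. */
static int copies_in_heap(const Heap *h, const char *secret) {
    size_t n = strlen(secret);
    int count = 0;
    for (size_t i = 0; i + n <= SPACE; i++) {
        if (memcmp(h->from + i, secret, n) == 0) count++;
        if (memcmp(h->to + i, secret, n) == 0) count++;
    }
    return count;
}

/* Allocate a password, let the GC move it, clear the array the application
 * still holds (the slide's Arrays.fill) and count the copies that survive. */
static int leftover_copies(int sensitive) {
    static const char secret[] = "hunter2";  /* constructed sample value */
    Heap h = {{0}};
    size_t off = 8;
    memcpy(h.from + off, secret, sizeof secret);
    size_t new_off = gc_copy(&h, off, sizeof secret, sensitive);
    memset(h.to + new_off, 0, sizeof secret); /* the application's own clear */
    return copies_in_heap(&h, secret);
}

int main(void) {
    printf("normal object: %d stale copies\n", leftover_copies(0));
    printf("sensitive object: %d stale copies\n", leftover_copies(1));
    return 0;
}
```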
New APIs
• Provide a set of APIs for allocating sensitive objects
• Provide an API for converting an object to a sensitive object
• Provide an API to clear the object
SensitiveObjects
• APIs should be implementable by all JVMs
  – JVM is free to track objects in the most efficient way for that JVM
• No API to query the list of sensitive objects
• No API to make a sensitive object not sensitive
New APIs
• Allocation
  1. Array.newSensitiveInstance(Class<?> componentType, int length)
  2. Array.newSensitiveInstance(Class<?> componentType, int... dimensions)
  3. Class.newSensitiveInstance()
  4. Constructor.newSensitiveInstance(Object... initArgs)
• Converting and clearing
  1. SensitiveObject.convertToSensitiveInstance(Object object)
  2. SensitiveObject.clearData(Object object)
GC cost for sensitive objects
• Small cost per object that is moved
  – Need to clear the data
  – JVMs already use very optimized versions of memory clearing
• Clearing dead objects
  – Likely causes extra list management for sensitive objects
  – Forces the GC to visit dead objects
• Overhead at allocation time
  – GC has to mark this object as sensitive
Diagnostic files
• Clean sensitive objects when creating the files
• Post process the files to clean sensitive data
Next steps
• Create a JSR/JEP for the proposal
• Get feedback from you, the developers
Points to take away
• Limit the time sensitive data is on the heap
• Do not store sensitive data in String objects
• Hash or obfuscate the data when possible
• Think about my proposal and provide feedback