How to completely disable heap dumps for a java process?

Question

I would like to disable them to block anyone from gaining access to passwords stored in memory. What I found so far is

-XX:+DisableAttachMechanism

This blocks connections via i.e. jconsole but I can force jmap to get a dump like:

jmap -dump:file=/tmp/x.bin -F $PID

I can't seem to find any option to completely disable them:

Is there a way?

Thanks

I don't think you can. I've worked with heap dumps in the past and never ran across a way to prevent jmap from taking the dump. Don't store passwords in plaintext in memory. — Kon, Dec 02 '14 at 16:07
Why not send the dumps to `/dev/null`? That is, use `-XX:HeapDumpPath=/dev/null`. — RealSkeptic, Dec 02 '14 at 16:15
a hacker can manually run jmap -dump:file=/tmp/x.bin -F $PID and get a dump — kostas.kougios, Dec 03 '14 at 11:17

Sisyphus · Answer 1 · 2019-07-19T12:28:10.003

2

add jvm option -XX:+DisableAttachMechanism to disable jvm attach mechanism.
disable os debug mechanism. When jmap find the jvm don't support attach mechanism, it try os debug mechanism to dump the memory. for linux, it is ptrace syscall. So you can disable the ptrace syscall. for ubuntu, set kernel.yama.ptrace_scope = 3 in file /etc/sysctl.d/10-ptrace.conf and reboot.

edited Jul 19 '19 at 12:28

answered Jul 19 '19 at 10:59

Sisyphus

score 1 · Answer 2 · edited May 23 '17 at 12:13

1

I don't think there is a way to do this. Instead, I'd suggest storing the password off-heap using sun.misc.Unsafe objects. See the discussion here:

edited May 23 '17 at 12:13

Community

answered Dec 02 '14 at 19:04

Zeki

will someone be able to get the address of the off-heap location and then use a process dump to get the value? – kostas.kougios Dec 03 '14 at 11:15

2 Answers2