Heap Inspection Security Vulnerability

Question

I have run my java app against the checkmarx tool for security vulnerability and it is constantly giving an issue - Heap Inspection, for my password field for which I use a character array. It doesnt give any more explanation than just pointing out the declaration of the password field.

private char[] passwordLength;

Could anyone help me out here, what more can I look for resolving this?

Answer 1

Heap Inspection is about sensitive information stored in the machine memory unencrypted, so that if an attacker performs a memory dump (for example, the Heartbleed bug), that information is compromised. Thus, simply holding that information makes it vulnerable.

One can mitigate this by storing such sensitive information in a secured manner, such as a GuardedString object instead of a String or a char array, or encrypting it and scrubbing the original short after.

For more information, see this CWE (describes C/C++ but same relevancy for Java).

Answer 2

Example approach to store secret information in JVM memory

IMHO you should use a SealedObject to store credential data encrypted inside your JVM memory.

You need following packages:

• java.security.SecureRandom
• javax.crypto.Cipher
• javax.crypto.KeyGenerator
• javax.crypto.SealedObject
• javax.crypto.SecretKey

So you create

• an initialized key generator which creates a secret key
• a cipher which is initialized by key and a secure random
• then you create a new sealed object using the cipher
• all storage and (temporary) loading of your credentials are done to/from the sealed object which replaces your char array.

A working example can be found at: https://github.com/Daimler/sechub/blob/3f176a8f4c00b7e8577c9e3bea847ecfc91974c3/sechub-commons-core/src/main/java/com/daimler/sechub/commons/core/security/CryptoAccess.java

Answer 3

See this answer on security.stackexchange.com for the question "Is it more secure to overwrite the value char[] in a String".

TLDR: You can't do much about it.

PS: As that is a sister stackexchange site, I am not copying the answer here (also, it is too long). If a moderator disagrees, fell free to copy/paste it.

Answer 4

Checkmarx Heap Inspection Security Vulnerability Hi all, i faced this one when i have taken String type variable for password in my Spring application. Like below

  class User {
     private String username;
     private String password;
         //setter 
         //getter
     }

Then to resolve this issue I have done following steps : 1. Create SecureString class like below :

   import java.security.SecureRandom;
   import java.util.Arrays;

   /**
    * This is not a string but a CharSequence that can be cleared of its memory.
    * Important for handling passwords. Represents text that should be kept
   * confidential, such as by deleting it from computer memory when no longer
   * needed or garbage collected.
   */

  /**
  * Created by Devendra on 16/04/2020
  */

  public class SecureString implements CharSequence {

    private final int[] chars;
    private final int[] pad;

    public SecureString(final CharSequence original) {
        this(0, original.length(), original);
    }

    public SecureString(final int start, final int end, final CharSequence original) {
        final int length = end - start;
        pad = new int[length];
        chars = new int[length];
        scramble(start, length, original);
    }

    @Override
    public char charAt(final int i) {
        return (char) (pad[i] ^ chars[i]);
    }

    @Override
    public int length() {
        return chars.length;
    }

    @Override
    public CharSequence subSequence(final int start, final int end) {
        return new SecureString(start, end, this);
    }

    /**
     * Convert array back to String but not using toString(). See toString() docs
     * below.
     */
    public String asString() {
        final char[] value = new char[chars.length];
        for (int i = 0; i < value.length; i++) {
            value[i] = charAt(i);
        }
        return new String(value);
    }

    /**
     * Manually clear the underlying array holding the characters
     */
    public void clear() {
        Arrays.fill(chars, '0');
        Arrays.fill(pad, 0);
    }

    /**
     * Protect against using this class in log statements.
     * <p>
     * {@inheritDoc}
     */
    @Override
    public String toString() {
        return "Secure:XXXXX";
    }

    /**
     * Called by garbage collector.
     * <p>
     * {@inheritDoc}
     */
    @Override
    public void finalize() throws Throwable {
        clear();
        super.finalize();
    }

    /**
     * Randomly pad the characters to not store the real character in memory.
     *
     * @param start start of the {@code CharSequence}
     * @param length length of the {@code CharSequence}
     * @param characters the {@code CharSequence} to scramble
     */
    private void scramble(final int start, final int length, final CharSequence 
    characters) {
        final SecureRandom random = new SecureRandom();
        for (int i = start; i < length; i++) {
            final char charAt = characters.charAt(i);
            pad[i] = random.nextInt();
            chars[i] = pad[i] ^ charAt;
        }
    }

}

2. Created custom property editor as :

   import java.beans.PropertyEditorSupport; import org.springframework.util.StringUtils;

   public class SecureStringEditor extends PropertyEditorSupport {
   
   
      @Override
       public String getAsText() {
          SecureString  value =(SecureString) getValue();
          SecureString  secStr = new SecureString(value);
           return (value != null) ? secStr.asString() : "";
       }
   
       @Override
       public void setAsText(String text) throws java.lang.IllegalArgumentException {
           if (StringUtils.isEmpty(text)) {
               setValue(null);
           } else {
               setValue(new SecureString(text));
           }
       }
   }
   

3. Register this custom property editor to spring-bean.xml file as :