3

So I have a program that has the user enter a passphrase. I only hold the passphrase for a few seconds in a char[] before overwriting it, but I was wondering if there was a way in Java to prevent the OS from swapping this bit to disk/virtual memory/any more permanent storage than RAM? Research on the topic seems to say no, there is not a way, but nowhere has given me a straight answer yet. I'm also not sure if I can achieve this by using mlock() somehow or by keeping a reference to the value active until I no longer need it.

Thanks!

Drew
  • _"I was wondering if there was a way in Java to prevent this from being swapped to virtual memory?"_ Please elaborate. – nom Jun 18 '15 at 22:52
  • Also, please define what **Virtual Memory** is according to you. – nom Jun 18 '15 at 22:53
  • You basically have to use a `char[]` and not a String. Overwrite the array with 0 or whatever when you're done. Not every API or framework will allow you to pass in a char[] for passwords, so you may have no choice about this. – markspace Jun 18 '15 at 22:55
  • 1
    Relevant: http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – Louis Wasserman Jun 18 '15 at 22:55
  • @markspace: If you understand what the OP means by **Virtual Memory** please, is he referring to the heap? – nom Jun 18 '15 at 23:00
  • @NabeelOmer I think he has no idea what virtual memory means. I think either heap or stack would constitute a security risk. Text (code) segments are usually write protected, so you can't store passwords there regardless. – markspace Jun 18 '15 at 23:03
  • @markspace: I also thought he had no idea about virtual memory. What I think is that he is trying to prevent a memory leak. – nom Jun 18 '15 at 23:07
  • @NabeelOmer I don't think so. I think he means the password is sensitive enough that an attacker might scan through all memory looking for it. So he needs to physically erase it as soon as he can. Java garbage collection can't be relied on to do this. See Louis's comment. – markspace Jun 18 '15 at 23:09
  • markspace is right, I need to override it asap. What I mean by virtual memory is the memory on a hard disk that the OS can use as swap space with RAM in order to offload memory usage. Essentially I want to prevent this passphrase from ever being written to some sort of more permanent storage. – Drew Jun 18 '15 at 23:18
  • But Drew, all the memory in userland is virtual memory, so there is no way you can stop the variable from _"being swapped to virtual memory"_. That phrase is axiomatically wrong. – nom Jun 18 '15 at 23:23

1 Answer

0

What you need to do is: Use a char[] for storing the passwords. And when you are done with the password, just overwrite the array with 0's, so that if an attacker tries to scan all the memory to find the password, and Java GC has not gotten rid of the variable till then, the attacker will not be able to retrieve the password because you have overwritten the array itself.

Cheers.

Edit: When the kernel starts using the HDD to offload stress on the RAM, the space on the HDD acts like RAM, meaning that it does not permanently store the data given to it.

nom
  • Right, I'm already using a `char[]` for the passphrase itself, I just want to prevent that bit being swapped by the OS to disk in the case to offload stress on the RAM. Apologies for my question not being clear, I thought this space on disk that the OS used was called virtual memory. – Drew Jun 18 '15 at 23:23
  • @Drew you cannot do that unless you write your own kernel. It totally depends on what the OS wants. – nom Jun 18 '15 at 23:24
  • 1
    It may be possible with writing a custom driver. – nom Jun 18 '15 at 23:25
  • @Drew even if the kernel puts your variable on the hard disk, and you use the same method, it won't make a difference, because the attacker won't be able to find your password. If my answer solves your problem, please mark it as the answer to your question. – nom Jun 18 '15 at 23:30
  • What is the reason this is impossible and why if a plain text password is on disk it is unreachable? I'd like to know – Drew Jun 18 '15 at 23:34
  • @Drew _"In computing, virtual memory is a memory management technique that is implemented using both hardware and software. It maps memory addresses used by a program, called virtual addresses, into physical addresses in computer memory. Main storage as seen by a process or task appears as a contiguous address space or collection of contiguous segments. The operating system manages virtual address spaces and the assignment of real memory to virtual memory. Address translation hardware in the CPU often referred to as a memory management unit or MMU"_ https://en.wikipedia.org/wiki/Virtual_memory – nom Jun 18 '15 at 23:44
  • 1
    @Drew because memory management is done by the OS you cannot do it from user land. I insist you read this article on Wikipedia and google _"UserMode and Kernel Mode"_ – nom Jun 18 '15 at 23:47
  • @Drew If my answer satisfies you, please mark it as answer. – nom Jun 18 '15 at 23:55
  • @Drew I don't believe this answer is correct. If memory is paged to disk and accessed again later, it is loaded back into memory and only edited there. There is no need to keep the copy on disk updated as well and the performance hit of doing so would be massive. So, unless something else gets swapped out and overwrites your password on disk, it'll stay around. And if your computer crashes right after the password is swapped to disk, all bets are off anyways. So, your original concern is absolutely valid and simply overwriting with zeros as suggested here is not sufficient. – Markus A. Apr 21 '18 at 14:35
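
The question asks whether `mlock()` can be used from Java. The following is an added example, not code from any poster in this thread: it keeps the passphrase in off-heap memory that is locked with `mlock()` through the Foreign Function & Memory API. It assumes Java 22 or later on 64-bit Linux with a 4096-byte page size; the class name and the sample passphrase are constructed for illustration.

```java
import java.lang.foreign.*;
import java.lang.invoke.MethodHandle;
import java.util.Arrays;

// Added example; assumes Java 22+, 64-bit Linux, 4096-byte pages.
public class LockedPassphrase {
    public static void main(String[] args) throws Throwable {
        Linker linker = Linker.nativeLinker();
        SymbolLookup libc = linker.defaultLookup();
        // int mlock(const void *addr, size_t len); size_t is 64 bits here.
        FunctionDescriptor sig = FunctionDescriptor.of(
                ValueLayout.JAVA_INT, ValueLayout.ADDRESS, ValueLayout.JAVA_LONG);
        MethodHandle mlock = linker.downcallHandle(libc.find("mlock").orElseThrow(), sig);
        MethodHandle munlock = linker.downcallHandle(libc.find("munlock").orElseThrow(), sig);

        // Constructed sample input; a real program would call Console.readPassword().
        char[] typed = "correct horse battery staple".toCharArray();

        final long PAGE = 4096; // assumed page size; holds up to 2048 chars
        try (Arena arena = Arena.ofConfined()) {
            // Page-aligned off-heap buffer: the GC never moves or copies it.
            MemorySegment secret = arena.allocate(PAGE, PAGE);
            int rc = (int) mlock.invokeExact(secret, PAGE);
            if (rc != 0) {
                Arrays.fill(typed, '\0');
                throw new IllegalStateException("mlock failed (check RLIMIT_MEMLOCK)");
            }
            try {
                // Move the passphrase into locked memory, then wipe the heap copy.
                for (int i = 0; i < typed.length; i++) {
                    secret.setAtIndex(ValueLayout.JAVA_CHAR, i, typed[i]);
                }
                Arrays.fill(typed, '\0');

                // ... derive a key or authenticate using `secret` here ...
                System.out.println("passphrase held in locked memory");
            } finally {
                // Zero the locked page before unlocking and freeing it.
                secret.fill((byte) 0);
                int ignored = (int) munlock.invokeExact(secret, PAGE);
            }
        }
    }
}
```

The heap `char[]` that first receives the input is not locked and may be copied by the garbage collector before it is zeroed, so this only protects the longer-lived copy. Memory locks also do not stop suspend-to-disk from writing RAM contents to storage.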