0

My application uses Google protocol buffers to send sensitive data between client and server instances. The network link is encrypted with SSL, so I'm not worried about eavesdroppers on the network. I am worried about the actual loading of sensitive data into the protobuf because of memory concerns explained in this SO question.

For example:

Login login = Login.newBuilder().setPassword(password)// problem
                                .build();

Is there no way to do this securely since protocol buffers are immutable?

Community
  • 1
  • 1
cilki
  • 125
  • 1
  • 13

1 Answers1

4

Protobuf does not provide any option to use char[] instead of String. On the contrary, Protobuf messages are intentionally designed to be fully immutable, which provides a different kind of security: you can share a single message instance between multiple sandboxed components of a program without worrying that one may modify the data in order to interfere with another.

In my personal opinion as a security engineer -- though others will disagree -- the "security" described in the SO question to which you link is security theater, not actually worth pursuing, for a number of reasons:

  1. If an attacker can read your process's memory, you've already lost. Even if you overwrite the secret's memory before discarding it, if the attacker reads your memory at the right time, they'll find the password. But, worse, if an attacker is in a position to read your process's memory, they're probably in a position to do much worse things than extract temporary passwords: they can probably extract long-lived secrets (e.g. your server's TLS private key), overwrite parts of memory to change your app's behavior, access any and all resources to which your app has access, etc. This simply isn't a problem that can be meaningfully addressed by zeroing certain fields after use.

  2. Realistically, there are too many ways that your secrets may be copied anyway, over which you have no control, making the whole exercise moot:

    • Even if you are careful, the garbage collector could have made copies of the secret while moving memory around, defeating the purpose. To avoid this you probably need to use a ByteBuffer backed by non-managed memory.
    • When reading the data into your process, it almost certainly passes through library code that doesn't overwrite its data in this way. For example, an InputStream may do internal buffering, and probably doesn't zero out its buffer afterwards.
    • The operating system may page your data out to swap space on disk at any time, and is not obliged to zero that data afterwards. So even if you zero out the memory, it may persist in swap. (Encrypting swap ensures that these secrets are effectively gone when the system shuts down, but doesn't necessarily protect against an attacker present on the local machine who is able to extract the swap encryption key out of the kernel.)
    • Etc.

So, in my opinion, using mutable objects in Java specifically to be able to overwrite secrets in this way is not a useful strategy. These threats need to be addressed elsewhere.

Kenton Varda
  • 41,353
  • 8
  • 121
  • 105
  • KeePass makes a thing about using Window's Data Protection API for protecting data in memory. I've no idea if DPAPI is actually any good or not (more theatre?). Any thoughts? – bazza Oct 03 '16 at 21:48
  • 1
    @bazza It's possible that I'm missing something, but AFAICT this primarily defends against offline attacks on swapped-out memory. Using encrypted swap would have the same effect. Online attacks could easily decrypt the memory since an online attacker (malicious process running under the same user account) can just call DPAPI itself to decrypt. – Kenton Varda Oct 04 '16 at 02:01
  • Hmm, having read more of http://keepass.info/help/base/security.html it seems that they're using it to store a key that is used to encrypt/decrypt in-memory data. So no, I don't think you've missed something, I've read too much into little bits and pieces I've seen elsewhere! Interesting comments on that page about the differences between Mono and Windows. – bazza Oct 04 '16 at 18:45