2

I made the mistake of storing a password as a String in a Java program. I would like to prevent this String password from appearing in a heap dump/memory dump. Ideally, I should have used a char[] and filled it with zero after use (as recommended by this article - https://nvisium.com/resources/blog/2016/03/31/secure-password-strings.html).

I read some SO posts and understood that strings are immutable and they cannot be overwritten. My question is - Is there no way to replace the contents of a string already created with zeroes?

Note: I cannot change my implementation to use a char[] now as I get this String from a module/library which returns a String.

MediumOne
  • 804
  • 3
  • 11
  • 28
  • The module returns a password as string? – smac89 Feb 16 '18 at 15:02
  • 2
    Possible duplicate of [effect of changing String using reflection](https://stackoverflow.com/questions/6932772/effect-of-changing-string-using-reflection) – phflack Feb 16 '18 at 15:08
  • If not using reflection, you may be able to use an outside program to wipe the memory containing the string – phflack Feb 16 '18 at 15:08
  • Not much hope, but a scrambled password in the String might provide some security. Maybe intercepting keyboard events for the login. – Joop Eggen Feb 16 '18 at 15:28
  • There may be something you can do with `Unsafe`, but it's...unsafe. I'd encourage you to look for a library that returns your secrets in a more preferred way since you'll get further and have more stable code than dinking around with components under the hood that we were very much not meant to. – Makoto Feb 16 '18 at 15:40
  • @smac89 It's a generic decryption API that returns the decrypted String. I happen to use it for a password. – MediumOne Feb 17 '18 at 10:35

1 Answers1

1

As strings are immutable the short answer is no, you can't overwrite the same memory area with zeros as you would in C or C++. What you can do is release any reference to that String and eventually the memory space will be released from the heap and will not appear in heap dumps. The problem is that the time of GC varies greatly and isn't much under your control.

You can ask for the system to GC but that doesn't guarantee it will do so. It is more of a hint. Additionally, even if a GC should occur, upon your prompting or on its own initiative, there is also no guarantee the the String will be collected during any particular GC run. This behavior can differ not only between JVM versions but within JVM versions that potentially use different GC schemes. You can set the scheme on the command line as an example:

-XX:-UseConcMarkSweepGC

In short the only sure-fire method is to prevent a password string from existing in memory to begin with.

I apologize in advance for the bummer of an answer.

sagneta
  • 1,546
  • 18
  • 26
  • I think it's less about being possible and more about not being as straightforward/easy – phflack Feb 16 '18 at 20:07
  • I have a question here. Even if the String is GCed, until the same memory location is rewritten with some other data, the String would still show up on a process level memory dump, right? So even a guaranteed Garbage Collection of the string is not going to help. Only zeroizing will prevent the string from showing up on a memory dump. Am I right with this understanding? – MediumOne Feb 17 '18 at 10:38
  • @MediumOne Most likely, but it may depend on the implementation of the JVM. [Looks like most don't zero the data](https://stackoverflow.com/a/38665842/5475891) – phflack Feb 22 '18 at 14:25