JVM Assisted Clearing of Sensitive Data
Charlie Gracie
Advisory Software Developer
IBM Runtime Technologies
September 21, 2016
Who am I
• Software developer at IBM on the J9 Java VM since 2004
• Garbage collection architect
• Also a project lead on the Eclipse OMR project
– https://github.com/eclipse/omr
– https://eclipse.org/omr
Sensitive data
• Sensitive Personal Information (SPI)
– SIN, passwords, credit card numbers, etc.
• Encryption keys, certificates, etc.
• Other confidential data
How is this a problem?
• Attacks like Heartbleed, where a bug lets a remote party read process memory that was never meant to leave the machine
• Transmitting diagnostic files for support
– A crash log, core dump or heap dump is a snapshot of process memory, so any sensitive data still on the heap goes to whoever receives the file. A HotSpot crash log, for example, begins like this:
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# SIGSEGV (0xb) at pc=0x417789d7, pid=21139, tid=1024
#
# Java VM: Java HotSpot(TM) Server VM (6-beta2-b63 mixed mode)
# Problematic frame:
# C [libApplication.so+0x9d7]
• Running monitoring tools, which read the same live heap
Solution
• Do not store sensitive data on the heap
Best practices
• Do not store sensitive data on the heap
• Limit the time it is on the heap
• Use char[] instead of Strings
• Hash char[] data so it isn’t in clear text
Clear the data yourself
• Do not rely on the GC
– Data may still be present hours after it is no longer used!
• Arrays.fill(user.password, '\0');
– The char[] overload of Arrays.fill takes a char; an int literal such as 0 does not compile against it, so use '\0'
• user.SIN = 0;
Use char[] instead of Strings
• Strings are immutable in Java, so a String holding a secret cannot be overwritten; it stays until the GC reclaims it
• Strings could be cached in the intern() list
• JPasswordField getPassword() returns char[]
• Exceptions/logging may print Object.toString
– A string will print its contents
– A char[] prints only its type and identity hash (e.g. [C@1b6d3586), not its contents
Hash char[] data
• Hash the char[] data as soon as possible
– No clear text on the heap
– Use a salted, iterated password hash (e.g. PBKDF2); a plain digest of a short password is cheap to brute-force if it leaks
• This adds another level of protection
Example to handle passwords
String username = usernameField.getText();
char[] password = passwordField.getPassword();
// secureHash and isPasswordCorrect are helpers the slide assumes, not JDK APIs
boolean isValidLogin = false;
try {
    // Hash the password in place in the array
    secureHash(password);
    // Check to see if the username / password combo are valid
    isValidLogin = isPasswordCorrect(username, password);
} finally {
    // Zero the hashed password, even if hashing or the check throws
    Arrays.fill(password, '\0');
}
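The slide's sketch leaves secureHash and isPasswordCorrect abstract. The following is an added example, not code from the talk or from any IBM project, that fills them in with JDK APIs: the password stays in a char[], is fed to PBKDF2-HMAC-SHA256 (available in the JDK since Java 8), is compared in constant time, and every copy the application controls is cleared in a finally block. The stored salt and hash are constructed inline; the class and method names are this example's own.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not from the slides): verify a char[] password against a stored
// salted PBKDF2 hash, keeping the clear text on the heap only for the duration of
// the derivation and clearing every copy we control afterwards.
public final class PasswordCheck {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // PBKDF2-HMAC-SHA256; PBEKeySpec copies the char[] internally and
    // clearPassword() zeroes that internal copy.
    static byte[] hash(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Returns true when the password matches. The finally block clears the
    // clear-text array and the derived hash even if hashing throws.
    static boolean isPasswordCorrect(char[] password, byte[] salt, byte[] stored)
            throws GeneralSecurityException {
        byte[] computed = null;
        try {
            computed = hash(password, salt);
            // Constant-time comparison: Arrays.equals would leak the length of the matching prefix.
            return MessageDigest.isEqual(computed, stored);
        } finally {
            Arrays.fill(password, '\0');
            if (computed != null) {
                Arrays.fill(computed, (byte) 0);
            }
        }
    }

    // True when every element of the array has been zeroed.
    static boolean isCleared(char[] a) {
        return Arrays.equals(a, new char[a.length]);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Enrollment: hash once, then discard the clear text. The String literals
        // below exist only to make the example self-contained; in a real program the
        // char[] comes from JPasswordField.getPassword() or an equivalent source,
        // never from a String, which stays on the heap and may be interned.
        char[] enrolled = "correct horse battery".toCharArray();
        byte[] stored = hash(enrolled, salt);
        Arrays.fill(enrolled, '\0');

        char[] attempt = "correct horse battery".toCharArray();
        boolean ok = isPasswordCorrect(attempt, salt, stored);
        System.out.println("login ok: " + ok + ", attempt cleared: " + isCleared(attempt));

        char[] wrong = "correct horse staple".toCharArray();
        System.out.println("wrong password accepted: " + isPasswordCorrect(wrong, salt, stored));
    }
}
```

Note that the example only clears the copies it is handed. The SecretKey returned by generateSecret keeps its own key bytes, and getEncoded() returns a clone, so some copies remain out of the application's reach until the GC reclaims them; that is the gap the rest of the talk is about.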
Is that enough?
• Can I still find the data after you clear it?
• Yes, it is possible!
GC object movement
1. Perform a copy collection in the young generation
2. Defragment (compact) the tenure area
In both cases the collector copies the live object to a new address and leaves the original bytes where they were until that memory is reused. Arrays.fill only reaches the copy the application can still see, so a stale clear-text copy can survive in the old location.
Compaction example (diagram slides; the images are not reproduced in this transcript)
My proposal
• Provide new APIs to create sensitive objects
• After object movement the GC will clear the old locations
– Only for sensitive objects
• On object death the GC could clear the data
– This would likely be an optional feature
– You still should clear it yourself
• Tooling can be provided to clean diagnostic files
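To make the "GC object movement" point and the first rule of the proposal concrete, here is an added example, not code from the talk or from any JVM, of a toy semispace copying collector over two byte arrays. It allocates a secret, moves it as a scavenge would, lets the application clear the copy it can reach, and then scans the old space the way a memory-dump reader would. With the sensitive flag off the secret survives in the old location; with it on, the move clears the old location as the proposal describes. Class, method and field names are this example's own, and flat offsets stand in for real object references and forwarding pointers.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example (not from the slides): a toy semispace copying collector over two
// byte[] "spaces", showing why an application-side Arrays.fill is not enough once
// the GC has moved the object, and what clearing the old location changes.
public final class CopyingGcDemo {
    private final byte[] fromSpace;
    private final byte[] toSpace;
    private int fromTop = 0;
    private int toTop = 0;

    CopyingGcDemo(int spaceSize) {
        fromSpace = new byte[spaceSize];
        toSpace = new byte[spaceSize];
    }

    // Bump-allocate in from-space; returns the object's offset (its "address").
    int allocate(byte[] data) {
        int addr = fromTop;
        System.arraycopy(data, 0, fromSpace, addr, data.length);
        fromTop += data.length;
        return addr;
    }

    // A scavenge copies a live object to to-space and returns its new address.
    // Ordinary collectors leave the stale bytes in from-space; for objects marked
    // sensitive the proposal clears the old location as part of the move.
    int evacuate(int addr, int length, boolean sensitive) {
        int newAddr = toTop;
        System.arraycopy(fromSpace, addr, toSpace, newAddr, length);
        toTop += length;
        if (sensitive) {
            Arrays.fill(fromSpace, addr, addr + length, (byte) 0);
        }
        return newAddr;
    }

    // What the application does after the move: clear the copy it can still reach.
    void clearInToSpace(int addr, int length) {
        Arrays.fill(toSpace, addr, addr + length, (byte) 0);
    }

    // Scan from-space as a memory-dump reader would: is the secret still there?
    boolean fromSpaceContains(byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= fromTop; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (fromSpace[i + j] != needle[j]) {
                    continue outer;
                }
            }
            return true;
        }
        return false;
    }

    // Runs the scenario once; returns true if the secret survived in from-space.
    // "hunter2" is a constructed sample secret.
    static boolean secretSurvives(boolean sensitive) {
        CopyingGcDemo heap = new CopyingGcDemo(256);
        byte[] secret = "hunter2".getBytes(StandardCharsets.US_ASCII);
        int addr = heap.allocate(secret);
        int moved = heap.evacuate(addr, secret.length, sensitive); // the GC ran
        heap.clearInToSpace(moved, secret.length);                  // the app's Arrays.fill
        return heap.fromSpaceContains(secret);
    }

    public static void main(String[] args) {
        System.out.println("ordinary object, secret still in old location: " + secretSurvives(false));
        System.out.println("sensitive object, secret still in old location: " + secretSurvives(true));
    }
}
```

Running it prints true for the ordinary object and false for the sensitive one. A real collector moves many objects per cycle and a compaction slides objects within one space rather than between two, but the stale-copy problem and the fix are the same.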
New APIs
• Provide a set of APIs for allocating sensitive objects
• Provide an API for converting an object to a sensitive object
• Provide an API to clear the object
SensitiveObjects
• APIs should be implementable by all JVMs
– JVM is free to track objects in the most efficient way for that JVM
• No API to query the list of sensitive objects
• No API to make a sensitive object not sensitive
New APIs
• Allocation
1. Array.newSensitiveInstance(Class<?> componentType, int length)
2. Array.newSensitiveInstance(Class<?> componentType, int... dimensions)
3. Class.newSensitiveInstance()
4. Constructor.newSensitiveInstance(Object... initArgs)
New APIs
• Converting and clearing
1. SensitiveObject.convertToSensitiveInstance(Object object)
2. SensitiveObject.clearData(Object object)
GC cost for sensitive objects
• Small cost per object that is moved
– Need to clear the data
– JVMs already use very optimized versions of memory clearing
• Clearing dead objects
– Likely causes extra list management for sensitive objects
– Forces the GC to visit dead objects
• Overhead at allocation time
– GC has to mark this object as sensitive
Diagnostic files
• Clean sensitive objects when creating the files
• Post process the files to clean sensitive data
Next steps
• Create a JSR/JEP for the proposal
• Get feedback from you, the developers
Points to take away
• Limit the time sensitive data is on the heap
• Do not store sensitive data in String objects
• Hash or obfuscate the data when possible
• Think about my proposal and provide feedback
Thank You!
Charlie Gracie| cgracie@ca.ibm.com | @crgracie

JavaOne 2016 - JVM assisted sensitive data

  • 1. JVM Assisted Clearing of Sensitive Data. Charlie Gracie, Advisory Software Developer, IBM Runtime Technologies. September 21, 2016
  • 2. Who am I: software developer at IBM on the J9 Java VM since 2004; garbage collection architect; also a project lead on the Eclipse OMR project (https://github.com/eclipse/omr, https://eclipse.org/omr)
  • 4–6. Sensitive data (built up over three slides): Sensitive Personal Information (SPI) such as SIN, passwords, credit card numbers, etc.; encryption keys, certificates, etc.; other confidential data
  • 7–11. How is this a problem? (built up over five slides): attacks like Heartbleed; transmitting diagnostic files for support; running monitoring tools. Slide 10 shows the kind of HotSpot crash report that gets transmitted:
        # An unexpected error has been detected by HotSpot Virtual Machine:
        #
        # SIGSEGV (0xb) at pc=0x417789d7, pid=21139, tid=1024
        #
        # Java VM: Java HotSpot(TM) Server VM (6-beta2-b63 mixed mode)
        # Problematic frame:
        # C [libApplication.so+0x9d7]
  • 12. Solution: do not store sensitive data on the heap
  • 13. Best practices: do not store sensitive data on the heap; limit the time it is on the heap; use char[] instead of Strings; hash char[] data so it isn't in clear text
  • 14. Clear the data yourself: do not rely on the GC (data may still be present hours after it is no longer used!)
        Arrays.fill(user.password, (char) 0);   // the char[] overload of Arrays.fill takes a char; the int literal 0 does not compile here
        user.SIN = 0;
  • 15. Use char[] instead of Strings: Strings are immutable in Java; Strings could be cached in the intern() list; JPasswordField getPassword() returns char[]; exceptions/logging may print Object.toString (a String will print its contents, a char[] will print the memory location)
  • 16. Hash char[] data: hash the char[] data as soon as possible so there is no clear text on the heap; this adds another level of protection
  • 17–21. Example to handle passwords (the same code shown over five slides):
        String username = usernameField.getText();
        char[] password = passwordField.getPassword();
        // Hash the password in place in the array
        secureHash(password);
        // Check to see if the username / password combo are valid
        boolean isValidLogin = isPasswordCorrect(username, password);
        // Zero the hashed password
        Arrays.fill(password, '0');
  • 22–23. Is that enough? Can I still find the data after you clear it? Yes, it is possible!
  • 24. GC object movement: 1. perform a copy collection in the young generation; 2. defragment the tenure area
  • 30. My proposal: provide new APIs to create sensitive objects; after object movement the GC will clear the old locations (only for sensitive objects); on object death the GC could clear the data (this would likely be an optional feature; you still should clear it yourself); tooling can be provided to clean diagnostic files
  • 31. New APIs: provide a set of APIs for allocating sensitive objects; provide an API for converting an object to a sensitive object; provide an API to clear the object
  • 32. SensitiveObjects: APIs should be implementable by all JVMs (a JVM is free to track objects in the most efficient way for that JVM); no API to query the list of sensitive objects; no API to make a sensitive object not sensitive
  • 33. New APIs, allocation:
        1. Array.newSensitiveInstance(Class<?> componentType, int length)
        2. Array.newSensitiveInstance(Class<?> componentType, int... dimensions)
        3. Class.newSensitiveInstance()
        4. Constructor.newSensitiveInstance(Object... initArgs)
  • 34. New APIs, converting and clearing:
        1. SensitiveObject.convertToSensitiveInstance(Object object)
        2. SensitiveObject.clearData(Object object)
  • 35. GC cost for sensitive objects: small cost per object that is moved (need to clear the data; JVMs already use very optimized versions of memory clearing); clearing dead objects (likely causes extra list management for sensitive objects; forces the GC to visit dead objects); overhead at allocation time (GC has to mark this object as sensitive)
  • 36. Diagnostic files: clean sensitive objects when creating the files; post-process the files to clean sensitive data
  • 37. Next steps: create a JSR/JEP for the proposal; get feedback from you, the developers
  • 38. Points to take away: limit the time sensitive data is on the heap; do not store sensitive data in String objects; hash or obfuscate the data when possible; think about my proposal and provide feedback
  • 39. Thank You! Charlie Gracie | cgracie@ca.ibm.com | @crgracie
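A fuller, runnable version of the pattern on slides 13 to 21, added here as an example; it is not the talk's code nor the nvisium post it cites. It keeps the slides' rules (clear text only in a char[], hash early, zero the array yourself) but swaps the slides' in-place secureHash for the JDK's PBKDF2, whose PBEKeySpec takes a char[] and offers clearPassword(). The class and method names, the ITERATIONS, KEY_BITS and SALT_BYTES values, and the sample passwords are all assumptions made for the example.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Password handling in the spirit of slides 13 to 21: the clear text only ever
 * lives in a char[], a salted PBKDF2 hash is derived from it, and every array
 * that held secret material is wiped in a finally block before returning.
 * Added example, not the talk's code; sizes and iteration count are assumptions.
 */
public final class PasswordHandling {
    private static final String PBKDF2 = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000; // assumption: tune for your deployment
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** What gets stored: salt and hash only. The clear-text password never lives here. */
    static final class StoredCredential {
        final byte[] salt;
        final byte[] hash;
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    /** Derive the PBKDF2 hash from the chars. PBEKeySpec keeps a copy of the chars, so wipe that too. */
    static byte[] deriveHash(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(PBKDF2).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // zeroes the spec's internal copy of the password chars
        }
    }

    /** Enroll a new password; the caller's char[] is zeroed whether or not this succeeds. */
    static StoredCredential enroll(char[] password) {
        try {
            byte[] salt = new byte[SALT_BYTES];
            new SecureRandom().nextBytes(salt);
            return new StoredCredential(salt, deriveHash(password, salt));
        } finally {
            Arrays.fill(password, '\0'); // the caller's array is the only clear-text copy we know of
        }
    }

    /** Verify a login attempt; the entered chars and the candidate hash are both zeroed afterwards. */
    static boolean verify(char[] password, StoredCredential stored) {
        byte[] candidate = null;
        try {
            candidate = deriveHash(password, stored.salt);
            return MessageDigest.isEqual(candidate, stored.hash); // constant-time comparison
        } finally {
            Arrays.fill(password, '\0');
            if (candidate != null) {
                Arrays.fill(candidate, (byte) 0);
            }
        }
    }

    /** True when every element is zero, i.e. the array was cleared. */
    static boolean isCleared(char[] chars) {
        for (char c : chars) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for JPasswordField.getPassword().
        // Built element by element on purpose: "literal".toCharArray() would leave the
        // password in the class's constant pool as an interned String that can never be cleared.
        char[] enrolled = {'s', '3', 'c', 'r', 'e', 't', '!'};
        StoredCredential stored = enroll(enrolled);
        System.out.println("enrolled array cleared after enroll(): " + isCleared(enrolled));

        char[] attempt = {'s', '3', 'c', 'r', 'e', 't', '!'};
        System.out.println("correct password accepted: " + verify(attempt, stored));
        System.out.println("attempt array cleared after verify(): " + isCleared(attempt));

        char[] wrong = {'s', '3', 'c', 'r', 'e', 't', '?'};
        System.out.println("wrong password rejected: " + !verify(wrong, stored));
    }
}
```

Two residues remain even here, and they are exactly what the talk's later slides are about: the JDK's PBKDF2 SecretKey object keeps its own copy of the password chars until that object is collected rather than until you are done with it, and any copy the collector leaves behind when it moves the char[] is invisible to this code. The pattern shortens the window; it cannot close it.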

Editor's notes

  1. So my talk was titled JVM assisted clearing of sensitive data. So what do I mean by sensitive data?
  2. Then you have sensitive data for your application like encryption keys, a reference to a company-issued certificate which has not been signed, etc.
  3. Or any other confidential data used by your application.
  4. As a developer you may be wondering why there is a problem with having this data persist in the Java heap. We are behind our company firewall. No one has access to our machines, or privileges to access the memory for these processes.
  5. Heartbleed could be used to gather a very accurate picture of memory and was used to get usernames and passwords very effectively.
  6. If you are running in the JVM and it crashes you will likely upload a system core file to be inspected. Now your memory dump is escaping your protected systems.
  7. If you have ever seen a message like this you may have compromised your sensitive data. Now that the JVM has crashed the memory has been written to disk. This already may have allowed someone to get access to the data, but if you transmit the file to the JVM developers for inspection you are opening up the data for all sorts of attacks.
  8. You may be using an external tool for performance analysis which again is allowing your data to escape. Now hopefully I have convinced you that this is something you as a developer need to be concerned with. What is my solution?
  9. The only way to keep this data completely safe is to never use it. But that is not really a feasible solution. The data needs to be used, so here are some current best practices for keeping your sensitive data secure.
  10. You want to limit the time this data is actually on the heap. Clear the memory by writing zeros or some data pattern as soon as you are finished with it. Hashing the string data will make it harder to get the actual password if the data is compromised.
  11. How many people here know how the GC algorithms in the JVM work in general? None of the JVM GCs rely on reference counting (like CPython, etc.) so objects are not collected immediately when they are no longer used. Objects will be collected at some point after they are no longer used, when the GC needs to reclaim memory. This may happen quickly after the object is no longer used, but even so the data will still be visible in the heap until the memory is re-used.
  12. You can not clear the data for a String. All of the APIs to get access to the char[] of a String actually copy the data into a new char[]. JPasswordField getPassword() returns a char[] instead of a String for this very reason. There is an API to get the password as a String but it is not the recommended API. Interoperability with libraries expecting a String: convert the char[] to a String as late as possible. Do the best you can.
  13. For values like a SIN you could obfuscate.
  14. Code from https://nvisium.com/blog/2016/03/31/secure-password-strings/
  19. The steps above can really help limit the scope and visibility of your sensitive data, but is it enough to make sure this data does not escape? Can you still find your data on the heap after you zero it?
  20. Yes, it is possible. I am not talking about using any advanced forensic tools but just through simple visual inspection of the heap. Modern GC implementations move objects within the heap all of the time, leaving the old copies lying around.
  21. The GC will try to avoid visiting dead objects, or writing any data to them that it does not have to.
  22. So assume this is what the heap looks like before a compaction. The dark blue is live objects and the light blue is free memory or dead objects. This is pretty fragmented, so the GC may decide to compact all of the live objects together so it has large blocks of free memory. But before I move on to show you what the heap may look like after the compaction, let's place an object containing sensitive data on the heap.
  23. So here we have your sensitive object in red as the last live object on the heap.
  24. Now we have performed the compaction and created one large free-list entry. Let's assume the compactor just slides objects to the left during compaction. This is a simple form of compaction, but even the most complicated compactor will likely still have the same issue. That means it moved a lot of objects to new locations on the heap. By doing this some of the original object locations were overwritten, but as you move further to the right the original locations are now just considered free memory and almost certainly have not been overwritten.
  25. So we can see your object containing the user's password moved to its new location.
  26. But the data at the old location is almost certainly intact. So at this point, if you finished with your data and cleared it, there is still technically a copy on the heap that you are not aware of. With more sophisticated GC technologies like the balanced GC in the IBM JDK or G1 in OpenJDK there are many more frequent scenarios where the GC will leave old copies of the data around for an undetermined amount of time. There may be situations where the memory for an old copy of some of your sensitive data never gets re-used by the JVM process. The problem with these copies of the object is that you can not predict or know that they are there. This makes it almost impossible for a Java developer to improve the situation.
  27. I believe the APIs for allocating are the most important, since you want to ensure that there is no window for the GC to leave a copy of the object around once the data has been initialized.
  28. After lots of investigation I settled on adding new APIs to resemble the current APIs on Array, Class and Constructor for allocating new instances. I investigated using a new class that you could inherit, but that meant you would not be able to easily handle primitive arrays, and I think those will be the most common uses. Another thought was to create a new variant of the new keyword, but I am not sure such a large change is required for this idea. I also played around with annotating fields and locals, but I think that would make it much harder for the JVM to optimize. Using these APIs will be more work for the developer, but I think the tradeoff will be worth it.
  29. You may not always be in control of the allocation point, so you may need to tell the GC to track an object after it is allocated. This is not ideal, but it is here to shorten the window where the GC would create copies. I am suggesting a clearData method as well to make it easier for the developer. The JVM already has very optimized versions of code for handling this operation, so let's take advantage of it.
  30. Earlier I mentioned that diagnostic files are one way sensitive data can escape your secure systems. JVMs implementing my proposed sensitive data object model could provide ways to clean this data from their diagnostic files. If possible, during the creation of the files they could clean the data. This may not always be possible in cases where the JVM is crashing, so a post-process tool could be created that you run on your system to clear the data before you send it.
  31. Over the coming weeks I am going to start a dialog with the OpenJDK community to see if I can get an accepted proposal for this idea. Currently, if you have any feedback or ideas, find me here over the next few days or contact me via email.
  32. As developers we believe and trust that the systems our code runs on are secure, but we need to spend the time to make sure we are doing as much as we can to make the likelihood of a leak as small as possible. Really try to limit the time that sensitive data is actually alive and available on the heap. Do not rely on current GC technology to clean up your data for you. GCs are unpredictable and I have shown that they can actually create more copies of your sensitive data. I think the JVM needs to help keep sensitive data secure. I have my proposal on an improvement, but your feedback and suggestions can help ensure we come up with the best solution.
  32. As developers we believe and trust that the systems our code runs on are secure but we need to spend the time to make sure we are doing as much as we can to make the likelihood of a leak as small as possible Really try to limit the time that sensitive data is actually alive and available on the heap. Do not rely on current GC technology to clean up your data for you. GCs are unpredictable and I have shown that they can actually create more copies of your sensitive data. I think the JVM needs to help keep sensitive data secure. I have my proposal on an improvement but your feedback and suggestions can help ensure we come up with the best solution.