Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can someone steal a password from a Java application?

Suppose there is a String variable that holds a plain text password.

Is there any possibility of reading this password using a memory dump. (Suppose using cheat engine.) I am puzzled with this JVM thing. Does JVM provide some sort of protection against this. If no what are the practices that I need to use to avoid such "stealing".

A practical threat would be a Trojan; that sends the segments of the memory dump to an external party.

like image 251
Chathuranga Chandrasekara Avatar asked Oct 02 '09 08:10

Chathuranga Chandrasekara


5 Answers

As already noted, yes, anybody can extract the password, in various ways. Encrypting the password won't really help -- if it's decrypted by the application, then the decrypted form will also be present at some point, plus the decryption key (or code) itself becomes a vulnerability. If it's sent somewhere else in encrypted form, then just knowing the encrypted form is enough to spoof the transaction, so that doesn't help much either.

Basically, as long as the "attacker" is also the "sender", you're eventually going to get cracked -- this is why the music and video industries can't get DRM to work.

I suggest you pick up a copy of Applied Cryptography and read the first section, "Cryptographic Protocols". Even without getting into the mathematics of the actual crypto, this will give you a good overview of all sorts of design patterns in this area.

like image 107
David Moles Avatar answered Nov 12 '22 17:11

David Moles


If you keep the password in plain text in your application then someone can read it by playing with memory dumps regardless of the language or runtime you use.

To reduce the chance of this happening only keep the password in plain text when you really need to, then dump or encrypt it. One thing to note here is that JPasswordField returns a char[] rather than a string. This is because you have no control over when the String will vanish. While you also have no control over when a char[] will vanish you can fill it with junk when you are done with the password.

I say reduce as this will not stop someone. As long as the password is in memory it can be recovered, and as the decryption has to also be part of the deliverable it too could be cracked leaving your password wide open.

like image 42
Michael Lloyd Lee mlk Avatar answered Nov 12 '22 16:11

Michael Lloyd Lee mlk


This has nothing to do with Java - the exact same problem (if it really is one) exists for applications written in any language:

  • If the executable contains a password, no matter how obfuscated or encrypted, everyone who has access to the executable can find out the password.
  • If an application knows a password or key temporarily (e.g. as part of an network authentication protocol) then anyone who can observe the memory the application is executing in can find out the password.

The latter is usually not considered a problem, since a modern OS does not allow arbitrary applications to observe each other's memory, and privilege escalation attacks typically rely on different vectors of attack.

like image 4
Michael Borgwardt Avatar answered Nov 12 '22 18:11

Michael Borgwardt


If the program knows the password, anybody using the program can extract the password.

like image 2
Sjoerd Avatar answered Nov 12 '22 18:11

Sjoerd


In theory you could just hook it up to the debugger... set a breakpoint...and read the string contents

like image 2
Toad Avatar answered Nov 12 '22 17:11

Toad