does java garbage collection securely wipe out garbage data?

Question

This is a memory data security question.
Does java garbage collection securely wipe out garbage data?

Apparently after a chunk of data is garbage-collected, I cannot retrieve it anymore, but can a hacker still memory-dump to retrieve the data?

Answer 1

As other users already mentioned here, JVMs don't clean memory securely after garbage collection because it would affect performance badly. That's why many programs (especially security libraries) use mutable structures instead of immutable (char arrays instead of strings etc) and clean data themselves when they are no more needed.

Unfortunately, even such approach doesn't always work. Let's look at this scenario:

1. You create a char array with a password.
2. JVM performs a garbage collection and moves your char array to another place in the memory, leaving the memory previously occupied by it intact, just marking it as a free block. So, we now have a 'dirty copy' of your password.
3. You are done working with your password and explicitly zero all the characters in your char array thinking that everything is safe now.
4. An attacker makes a dump of your memory and finds your password in the memory where it was placed the first time, before step 2.

I can think of only one possible solution for this problem:

1. Use G1 garbage collector.
2. Make your sensitive data a single block (array of primitive values) that is large enough to occupy more than half of the region size, used by G1 (by default, this size depends on the maximum heap size, but you can also specify it manually). That would force the collector to treat your data as so called 'humongous object'. Such objects are not moved in memory by G1 GC.
3. In such case when you erase some data in your block manually, you can be sure that no other 'dirty copies' of the same data exist somewhere in the heap.

Another solution would be to use off-heap data that you can handle manually as you like, but that wouldn't be pure Java.

Answer 2

This depends on the JVM implementation and possibly options within it but I would assume that it won't clear the data. Garbage collection needs only track which areas are available. Setting all of that data to 0 or something else is a lot of unecessary writes. It's for this reason you will often see APIs use a char array for passwords instead of Strings.