Menu
I have a question for the JVM internals experts over here.
In the Java Virtual Machine, objects contents are stored in heap memory until they are Garbage Collected. Usually, GC occurs when there is no more memory available, so if the JVM has a huge lot of available space there can be a long time before GC happens.
On a security point of view, can you imagine a way for someone to access the JVM memory and get a dump of the heap space where unused objects waiting for GC could be found ?
I mean: if my program handle sensitive data, and I code my app in a way that does not leave references to these sensitive objects after execution of the process involving them, can a malicious software or sysadmin get access to the heap space and analyze it to find these sensitive data ?
Does the use of Scala change anything in terms of memory management and Garbage Collection ?
796
In java, garbage means unreferenced objects. Garbage Collection is process of reclaiming the runtime unused memory automatically. In other words, it is a way to destroy the unused objects. To do so, we were using free() function in C language and delete() in C++.
The Java runtime environment deletes objects when it determines that they are no longer being used. This process is called garbage collection. An object is eligible for garbage collection when there are no more references to that object.
Java programmer are free from memory management. We cannot force the garbage collector to collect the garbage, it depends on the JVM. If the Heap Memory is full, the JVM will not allow to create a new object and shows an error java.
The admin of a system can certainly get access to the JVM memory. As a last resource, he/she could dump the JVM process memory and inspect that. You have to trust the platform you will be executing on, indeed.
You can reduce the time window in which such sensible data will be available unencrypted in memory by using char[] over String (which is immutable) and overwriting them with zeroes before leaving the scope in which you defined them, but there will be a timespan in which such data is available in cleartext.
At a lower level, you could encrypt memory, which will still leave an unencrypted key somewhere. You could also prevent memory pages from being swapped, which will not prevent dump anyway and could be a bad performance hit, if your application uses a relevant portion of RAM and the system isn't entirely devoted to it. Anyway, these solutions will only protect data at rest and, to my best knowledge, there is no JVM implementing them.
Using Scala will not change much, as this is a JVM specific issue, not related to what source language is compiled to bytecode.
128
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
