Password in the process memory but not in the heap dump

I've stumbled recently on an issue with Java processes where one could use a tool like http://processhacker.sourceforge.net to inspect the memory of the running application. The tool reveals the password used to authenticate in the application. I've investigated the issue and the password seems to be zeroed out after it's used. I tried to do a heap dump using Java Mission Control (with GC disabled) and see if I can retrieve the password. Using the Eclipse Memory Tool I ran a simple query like:

SELECT * FROM char[] c WHERE toString(c).startsWith("mypasswordsample")

But that did not yield any result, and the password was still visible in Process Hacker after an hour or so. If I do the heap dump with GC enabled, Process Hacker no longer seems to find the password.

What is the JVM doing behind the scenes? Why can't I find the password in the live objects? Can I do some sort of dump to see where this password is stored, who created it and why it wasn't zeroed out?

Faur Ioan-Aurel asked Feb 29 '16 16:02


1 Answer

This is too specific to answer, but many passwords (particularly with JAAS) will use a character array instead of a String and explicitly zero out the characters after use. So if you got a heap dump while they were logging on you might see it; but if not, then you wouldn't. See the PasswordCallback from JAAS that uses this mechanism.

(An array of characters is used because an array is mutable; therefore you can go through afterwards and set each character to a space or \0 once it's been used to authenticate. That way, even if the GC doesn't clean it up quickly, the contents of the memory shouldn't hold the data for snooping processes.)

AlBlue answered Sep 18 '22 08:09
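The char[] pattern the answer describes, written out as an added example (this is not code from the post or from JAAS); it also shows how to verify the password without creating a String or byte[] copy that would itself survive in a heap dump. The class, hashPassword, authenticate and the stored hash are hypothetical names constructed for the demo.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class PasswordHandling {
    // Hash the password without ever creating a String or byte[] copy of it:
    // each UTF-16 code unit is fed to the digest a byte at a time. A real
    // system would use a salted password KDF (PBKDF2, bcrypt); plain SHA-256
    // keeps the demo short, since the point is the memory handling, not the hash.
    static byte[] hashPassword(char[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (char c : password) {
            md.update((byte) (c >> 8));
            md.update((byte) c);
        }
        return md.digest();
    }

    // Verify the candidate, then overwrite the caller's buffer in a finally
    // block so it is wiped even if hashing throws. This is the same mutation
    // that JAAS PasswordCallback.clearPassword() performs.
    static boolean authenticate(char[] candidate, byte[] storedHash) throws NoSuchAlgorithmException {
        try {
            return MessageDigest.isEqual(hashPassword(candidate), storedHash); // constant-time compare
        } finally {
            Arrays.fill(candidate, '\0');
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed reference credential for the demo; a real application
        // loads the stored hash from its credential store instead.
        char[] enrolled = "mypasswordsample".toCharArray();
        byte[] storedHash = hashPassword(enrolled);
        Arrays.fill(enrolled, '\0');

        // Stands in for the char[] that System.console().readPassword() returns.
        char[] typed = "mypasswordsample".toCharArray();
        System.out.println("authenticated: " + authenticate(typed, storedHash));
        // typed now holds only NULs, so the OQL query from the question finds
        // nothing in a heap dump taken after this point.
        System.out.println("wiped: " + Arrays.equals(typed, new char[typed.length]));

        // Contrast: had the credential ever been held as a String (for example
        // new String(typed) before the wipe), that copy could not be overwritten;
        // it would linger in the heap until the collector reclaims it, and a
        // string literal stays in the string pool for as long as the class is loaded.
    }
}
```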