Menu
I've stumbled recently on a issue with java processes where one could use a tool like http://processhacker.sourceforge.net to inspect the memory of the runtime application. The tool - reveals the password used to authenticate in the application. I've investigate the issue and the password seems to zeroed out after it's used. I tried to do a heap dump using Java Mission Control (with GC disabled) and see if I can retrieve the passsword. Using the Eclipse Memory Tool I ran simple query like:
SELECT * FROM char[] c WHERE toString(c).startsWith("mypasswordsample")
But that did not yield any result, and the password was still visible in the process hacker after an hour or so. If I do the heap dump with the GC enabled - process hacker seems to no longer find the password.
What is doing JVM behind the scenes? Why I can't find the password in the live objects? Can I do some sort of dump to see where is this password stored, who created it and why wasn't zeroed out?
848
In order to capture a heap dump automatically, we need to add the HeapDumpOnOutOfMemoryError command-line option that generates a heap dump when a java. lang. OutOfMemoryError is thrown.
To track down a memory leak, you'll need a "heap dump" with a summary of the live objects in a leaky process. To record a dump, first run jps to find the process's PID, then run jmap -dump:live,format=b,file=(dumpfile) (pid) .
A heap dump can contain unreachable objects, e.g. objects which should be garbage collected but stay around for various reasons. Usually this is due to optimizations in the garbage collection algorithm. The Memory Analyzer removes these objects by default from the object graph.
A heap dump is a snapshot of all the objects that are in memory in the JVM at a certain moment. They are very useful to troubleshoot memory-leak problems and optimize memory usage in Java applications. Heap dumps are usually stored in binary format hprof files.
This is too specific to answer, but many passwords (particularly with JAAS) will use a character array instead of a String and explicitly zero out the characters after use. So if you got a heap dump while they were logging on you might see it; but if not, then you wouldn't. See the PasswordCallback from JAAS that uses this mechanism.
(An array of characters is used because an array is mutable; therefore you can go through afterwards and set each character to a space or \0 once it's been used to authenticate. That way even if the GC doesn't clean it up quickly, the contents of the memory shouldn't hold the data for snooping processes.
103
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
