Please use this identifier to cite or link to this item: http://hdl.handle.net/10125/41887

Present but Unreachable: Reducing Persistentlatent Secrets in HotSpot JVM

File SizeFormat 
paper0738.pdf1.29 MBAdobe PDFView/Open

Item Summary

Title: Present but Unreachable: Reducing Persistentlatent Secrets in HotSpot JVM
Authors: Pridgen, Adam
Garfinkel, Simson
Wallach, Dan
Keywords: Blackbox analysis
Java HotSpot JVM
TLS
Secure Memory Management
Garbage Collection
Issue Date: 04 Jan 2017
Abstract: Applications that manage \ sensitive secrets, including cryptographic keys, are typically \ engineered to overwrite the secrets in memory once they're no longer \ necessary, offering an important defense against forensic attacks \ against the computer. In a modern garbage-collected memory system, \ however, live objects will be copied and compacted into new memory \ pages, with the user program being unable to reach and zero out \ obsolete copies in old memory pages that have not yet \ been reused. This paper considers this problem in the HotSpot JVM, \ the default JVM used by the Oracle and OpenJDK Java platforms. \ We analyze the SerialGC and Garbage First Garbage Collector (G1GC) \ implementations, showing that sensitive data such as TLS keys are \ easily extracted from the garbage. To mitigate this issue, we \ implemented techniques to sanitize older heap pages and we measure \ the performance impact--sometimes good, sometimes unacceptable. We \ also discuss how future garbage collectors might be designed from \ scratch with efficient heap sanitation in mind. \
Pages/Duration: 10 pages
URI/DOI: http://hdl.handle.net/10125/41887
ISBN: 978-0-9981331-0-2
DOI: 10.24251/HICSS.2017.727
Rights: Attribution-NonCommercial-NoDerivatives 4.0 International
Appears in Collections:Cybersecurity and Software Assurance Minitrack



Items in ScholarSpace are protected by copyright, with all rights reserved, unless otherwise indicated.