Please use this identifier to cite or link to this item:

Present but Unreachable: Reducing Persistentlatent Secrets in HotSpot JVM

File Size Format  
paper0738.pdf 1.29 MB Adobe PDF View/Open

Item Summary

Title:Present but Unreachable: Reducing Persistentlatent Secrets in HotSpot JVM
Authors:Pridgen, Adam
Garfinkel, Simson
Wallach, Dan
Keywords:Blackbox analysis
Java HotSpot JVM
Secure Memory Management
Garbage Collection
Date Issued:04 Jan 2017
Abstract:Applications that manage \ sensitive secrets, including cryptographic keys, are typically \ engineered to overwrite the secrets in memory once they're no longer \ necessary, offering an important defense against forensic attacks \ against the computer. In a modern garbage-collected memory system, \ however, live objects will be copied and compacted into new memory \ pages, with the user program being unable to reach and zero out \ obsolete copies in old memory pages that have not yet \ been reused. This paper considers this problem in the HotSpot JVM, \ the default JVM used by the Oracle and OpenJDK Java platforms. \ We analyze the SerialGC and Garbage First Garbage Collector (G1GC) \ implementations, showing that sensitive data such as TLS keys are \ easily extracted from the garbage. To mitigate this issue, we \ implemented techniques to sanitize older heap pages and we measure \ the performance impact--sometimes good, sometimes unacceptable. We \ also discuss how future garbage collectors might be designed from \ scratch with efficient heap sanitation in mind. \
Pages/Duration:10 pages
Rights:Attribution-NonCommercial-NoDerivatives 4.0 International
Appears in Collections: Cybersecurity and Software Assurance Minitrack

Please email if you need this content in ADA-compliant format.

This item is licensed under a Creative Commons License Creative Commons