WebApp Sec mailing list archives
Re: secure storage of sensitive data in J2EE
From: Olaf Reitmaier <olafrv () gmail com>
Date: Thu, 10 Feb 2005 01:10:58 -0400
I think reading the #1 link below that gc() would collect the insecure string you want to collect, like in "How gc works(...) The documentation states that this call sets a flag suggesting that a GC might be run if the JVM is so inclined. What the System.gc() call actually does is this: if a GC cycle is running at the the time of a call, then ignore the call; otherwise, initiate a full GC cycle. This means that every time (or 99.9 percent of the time) you call System.gc(), you initiate a full GC cycle." 1. Gems from e-BIT: Living with the Garbage Collector (Understanding) http://www-106.ibm.com/developerworks/ibm/library/j-jtctips/j-jtc0117b.html 2. Forcing garbage collection (An opinion as not works fine!!!) http://www.artima.com/legacy/answers/May2000/messages/217.html 3. Forcing Finalization and Garbage Collection (Java perspective) http://www.science.uva.nl/ict/ossdocs/java/tutorial/java/system/garbage.html 4. Cleaning Up Unused Objects (Java perspective) http://www.science.uva.nl/ict/ossdocs/java/tutorial/java/javaOO/garbagecollection.html On Thu, 10 Feb 2005 14:12:02 +1100, Michael Silk <michaelsilk () gmail com> wrote:
Michael, What is some example implementations of the usage of SecureString? To store a CC coming from a submission? Surely it could be tracked as it's coming in (browser -> server -> [ here ! ] -> your code), in that case. To store a password? Where does the password initially come from? and where does it get used? do other API's take a SecureString and _never_ realise it into a common string form? It seems the weak link in the chain would break this one, ... or am I missing something :) ? Further, on what basis is it encrypted? Under the user that is running the code? As such, wouldn't any other (malicious) .net code be running under the same privileges and hence be able to decrypt it? -- Michael Silk-----Original Message----- From: Michael Howard [mailto:mikehow () microsoft com] Sent: Thursday, 10 February 2005 10:15 AM To: Benjamin Livshits; chaim moshe; webappsec () securityfocus com Subject: RE: secure storage of sensitive data in J2EE I know this is not J2EE, but in .NET Framework, we added a SecureString class that: 1) is automatically encrypted in memory (to mitigate the paged-out-data threat) 2) is cleared when the string is no longer used 3) is GC'd rapidly
-- ----------------------------------------------------------------------- Olaf Reitmaier Veracierta <olafrv () gmail com> Estudiante de Ing. Computación Universidad Simón Bolívar Linux User #: 264681 -----------------------------------------------------------------------
Current thread:
- Re: secure storage of sensitive data in J2EE, (continued)
- Re: secure storage of sensitive data in J2EE Nick Seward (Feb 09)
- Re: secure storage of sensitive data in J2EE Randy (Feb 09)
- Re: secure storage of sensitive data in J2EE Nick Seward (Feb 09)
- Re: secure storage of sensitive data in J2EE Alexander Klimov (Feb 10)
- Re: secure storage of sensitive data in J2EE Olaf Reitmaier (Feb 09)
- Re: secure storage of sensitive data in J2EE Olaf Reitmaier (Feb 09)
- Re: secure storage of sensitive data in J2EE Michael Silk (Feb 09)
- Re: secure storage of sensitive data in J2EE Michael Silk (Feb 09)
- Re: secure storage of sensitive data in J2EE exon (Feb 10)
- Re: secure storage of sensitive data in J2EE exon (Feb 14)