Typesafe Config: Encrypt / Obfuscate Sensitive Values in Memory

I have an Akka project that requires several passwords: for access to the data store, to the connection string of a distributed file system ...

These values are not hardcoded in the configuration file, but rather are pulled out of the keystore at runtime during application startup, and then stored in memory as a configuration object, since third parties use this configuration to obtain a password and open a connection.

I'm just wondering whether this is risky, since I assume that the strings will be in memory in the clear. Is there a way to transparently obfuscate / encrypt the values? Or do I need to implement it on my side and update the third parties so that they transform the string before the connections are actually opened?

+7
java scala typesafe-config
2 answers

In my opinion, this is a security risk that you should not worry about in almost all applications. Because Scala runs on the JVM, see Sensitive in-memory data.

+4

You can try to use sun.misc.Unsafe to clear the memory immediately after using the password:

    // getUnsafe(), toAddress() and sizeOf() are the helper methods from the
    // linked mishadoff post; they are not part of the public JDK API.
    String password = new String("l00k@myHor$e");
    String fake = new String(password.replaceAll(".", "?"));
    System.out.println(password); // l00k@myHor$e
    System.out.println(fake);     // ????????????
    // Overwrite the String object itself with the bytes of the "fake" one.
    getUnsafe().copyMemory(fake, 0L, null, toAddress(password), sizeOf(password));
    System.out.println(password); // ????????????
    System.out.println(fake);     // ????????????

or through reflection:

    import java.lang.reflect.Field;

    // Works on Java 8 and earlier, where String.value is a char[]. From Java 9 on
    // the field is a byte[] (compact strings), so the cast fails, and setAccessible
    // is refused by the module system unless the JVM is started with
    // --add-opens java.base/java.lang=ALL-UNNAMED.
    static void wipe(String password) throws ReflectiveOperationException {
        Field stringValue = String.class.getDeclaredField("value");
        stringValue.setAccessible(true);
        char[] mem = (char[]) stringValue.get(password);
        for (int i = 0; i < mem.length; i++) {
            mem[i] = '?';
        }
    }

http://mishadoff.com/blog/java-magic-part-4-sun-dot-misc-dot-unsafe/

0
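The question asks how to keep the password out of the clear in memory, and the answer above wipes a String after use. As an added example (not from the original thread or the Typesafe Config project), here is the defender's variant that avoids the String in the first place: the secret lives in a char[] that is zeroed when its scope ends, and the Config handed to third parties has the password path removed. The Secret class, openConnection and the inline config are constructed for this example.

```java
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
import java.util.Arrays;
import java.util.function.Function;

/** Hypothetical helper: holds a secret as char[] and zeroes it on close. */
final class Secret implements AutoCloseable {
    private final char[] value;
    private boolean cleared;
    Secret(char[] value) { this.value = value; }
    /** Lends the raw chars to one operation; callers must not keep a reference. */
    <T> T use(Function<char[], T> op) {
        if (cleared) throw new IllegalStateException("secret already cleared");
        return op.apply(value);
    }
    @Override public void close() {
        Arrays.fill(value, '\0'); // overwrite the backing array in place
        cleared = true;
    }
}

public class SecretsDemo {
    public static void main(String[] args) {
        // Constructed config: in the real application only the non-secret settings
        // come from application.conf; the password is loaded from the keystore.
        Config full = ConfigFactory.parseString(
            "db { url = \"jdbc:postgresql://db.internal/app\", password = \"l00k@myHor$e\" }");

        // Hand third parties a Config with the secret path removed, so the password
        // is not kept alive in the long-lived configuration object.
        Config shared = full.withoutPath("db.password");
        System.out.println(shared.hasPath("db.password")); // false

        // Constructed stand-in for the chars read from the keystore (a literal is used
        // only so the example is self-contained; avoid String-typed secrets in real code).
        char[] fromKeystore = "l00k@myHor$e".toCharArray();
        try (Secret secret = new Secret(fromKeystore)) {
            int len = secret.use(chars -> openConnection(shared.getString("db.url"), chars));
            System.out.println("connected with " + len + "-char password");
        }
        // After the try block the array holds only '\0'; the driver's own copy is its concern.
        System.out.println(Arrays.equals(fromKeystore, new char[fromKeystore.length])); // true
    }

    /** Stand-in for a driver API that takes the password as char[] rather than String. */
    static int openConnection(String url, char[] password) {
        return password.length;
    }
}
```

The wipe only covers the array this code owns; whatever the driver copies the password into (a Properties object, a network buffer) is outside its control, which is the limit the first answer is pointing at.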
