内存中的敏感数据 [英] Sensitive Data In Memory

问题描述

我正在使用Java密码管理器，在从文件解密后，我现在拥有所有用户的所有数据，一直坐在内存中，并以String的形式清楚地存储在UI等中显示.

I'm working on a Java password manager and I currently have all of the user's data, after being decrypted from a file, sitting around in memory at all times and stored plainly as a String for displaying in the UI etc.

这是否以某种方式存在安全风险?我特别担心有人以某种方式倾销"或读取计算机的内存并找到用户的裸露数据.

Is this a security risk in any way? I'm particularly concerned with someone "dumping" or reading the computer's memory in some way and finding a user's naked data.

我已经考虑过对所有敏感数据(密码)进行加密，并且仅根据需要解密每个数据，然后销毁...……但我宁愿不去研究并在迷信中更改很多代码. /p>

I've considered keeping all sensitive pieces of data (the passwords) encrypted and only decrypting each piece as needed and destroying thereafter... but I'd rather not go through and change a lot of code on a superstition.

推荐答案

如果您的对手有能力在目标计算机上运行任意代码(具有转储过程映像所需的调试特权)，那么您将无所适从

If your adversary has the ability to run arbitrary code on your target machine (with the debug privileges required to dump a process image), you are all sorts of screwed.

如果您的对手有能力准确地在远处读取内存(即 TEMPEST ) ，您各种各样的想法.

If your adversary has the ability to read memory at a distance accurately (ie. TEMPEST), you are all sorts of screwed.

保护传输和存储中的数据(在线和磁盘上)，但是不必担心*内存中的数据.

Protect the data in transit and in storage (on the wire and on the disk), but don't worry* about data in memory.

_{*好，有些类程序需要担心. 99.99％的应用程序不这样做，我敢打赌您的应用程序不是.}

这篇关于内存中的敏感数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！