java垃圾收集是否安全地清除了垃圾数据？ [英] does java garbage collection securely wipe out garbage data?

问题描述

这是一个内存数据安全问题。

Java垃圾回收是否安全地清理垃圾数据？

显然在大量数据垃圾收集，我无法再检索它，但是黑客仍然可以通过内存转储来检索数据吗？

用户在这里已经提到过，JVM在垃圾收集之后并不安全地清理内存，因为它会严重影响性能。这就是为什么许多程序（尤其是安全库）使用可变结构而不是不可变（char数组而不是字符串等），并在不再需要时自行清理数据。

不幸的是，即使这种方法并不总是奏效。让我们来看看这种情况：

1. 您创建一个带有密码的char数组。


2. JVM执行一个垃圾回收并将你的char数组移动到内存中的另一个地方，留下先前占用的内存，并将其标记为空闲块。所以，我们现在有一个你的密码的'脏副本'。


3. 你已经完成了你的密码处理工作，明确地清零了你的char数组中的所有字符，认为现在一切都安全了。 / li>
   
4. 在第2步之前，攻击者会将您的内存转储到第一次放置的内存中。

我只能想到这个问题的一种可能的解决方案：

1. 使用G1垃圾回收器。


2. 使您的敏感数据成为单个块（原始值数组），其大小足以占用G1所使用的区域大小的一半以上（默认情况下，此大小取决于最大值堆大小，但您也可以手动指定它）。这会迫使收藏家将您的数据视为所谓的大型对象。 G1 GC不会将这些对象移动到内存中。在这种情况下，当您手动删除块中的某些数据时，可以确保没有其他相同数据的脏拷贝存在于堆中的某处。

另一个解决方案是使用您可以手动处理的堆外数据，不会是纯Java的。

This is a memory data security question.
Does java garbage collection securely wipe out garbage data?

Apparently after a chunk of data is garbage-collected, I cannot retrieve it anymore, but can a hacker still memory-dump to retrieve the data?

解决方案

As other users already mentioned here, JVMs don't clean memory securely after garbage collection because it would affect performance badly. That's why many programs (especially security libraries) use mutable structures instead of immutable (char arrays instead of strings etc) and clean data themselves when they are no more needed.

Unfortunately, even such approach doesn't always work. Let's look at this scenario:

1. You create a char array with a password.
2. JVM performs a garbage collection and moves your char array to another place in the memory, leaving the memory previously occupied by it intact, just marking it as a free block. So, we now have a 'dirty copy' of your password.
3. You are done working with your password and explicitly zero all the characters in your char array thinking that everything is safe now.
4. An attacker makes a dump of your memory and finds your password in the memory where it was placed the first time, before step 2.

I can think of only one possible solution for this problem:

1. Use G1 garbage collector.
2. Make your sensitive data a single block (array of primitive values) that is large enough to occupy more than half of the region size, used by G1 (by default, this size depends on the maximum heap size, but you can also specify it manually). That would force the collector to treat your data as so called 'humongous object'. Such objects are not moved in memory by G1 GC.
3. In such case when you erase some data in your block manually, you can be sure that no other 'dirty copies' of the same data exist somewhere in the heap.

Another solution would be to use off-heap data that you can handle manually as you like, but that wouldn't be pure Java.

这篇关于java垃圾收集是否安全地清除了垃圾数据？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！