Heap Inspection Security Vulnerability


Question

I have run my java app against the checkmarx tool for security vulnerability and it is constantly giving an issue - Heap Inspection, for my password field for which I use a character array. It doesn't give any more explanation than just pointing out the declaration of the password field.

private char[] passwordLength;

Could anyone help me out here, what more can I look for resolving this?

Accepted answer

Heap Inspection is about sensitive information stored in the machine memory unencrypted, so that if an attacker performs a memory dump (for example, the Heartbleed bug), that information is compromised. Thus, simply holding that information makes it vulnerable.

One can mitigate this by storing such sensitive information in a secured manner, such as a GuardedString object instead of a String or a char array, or encrypting it and scrubbing the original shortly after.

For more information, see this CWE (describes C/C++ but same relevancy for Java).
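The "use it, then scrub it" mitigation from the answer, as an added example that is not part of the original question or answer: the password stays a char[], is consumed by a PBKDF2 derivation, and is zeroed in a finally block so the cleartext does not sit on the heap until the garbage collector happens to reuse it. The class name, the iteration count and the sample password are assumptions made for this example.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper class, not from the original post.
public final class PasswordScrubbing {

    // Derive a key from the password and wipe every copy of the cleartext
    // we control before returning, whether or not derivation succeeded.
    public static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 200_000, 256);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // PBEKeySpec keeps its own copy; wipe it
            Arrays.fill(password, '\0'); // wipe the caller's array as well
        }
    }

    // Check used below to show the array really was overwritten.
    public static boolean isScrubbed(char[] buffer) {
        for (char c : buffer) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. A real application should obtain the
        // password as a char[] directly (e.g. System.console().readPassword());
        // going through a String literal, as done here for the demo, leaves an
        // immutable copy on the heap that cannot be scrubbed.
        char[] password = "hunter2".toCharArray();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);   // per-user random salt

        byte[] key = deriveKey(password, salt);
        System.out.println("password scrubbed after use: " + isScrubbed(password));

        // ... use key ...
        Arrays.fill(key, (byte) 0);           // scrub derived key material too
    }
}
```

Scrubbing the array only narrows the exposure window; a memory dump taken while the password is in use still sees it, which is why the answer also mentions keeping the value encrypted in memory (GuardedString) when it must live longer.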
