Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: secure storage of sensitive data in J2EE

from [Olaf Reitmaier] Network Security [Permanent Link]
Subject: Re: secure storage of sensitive data in J2EE
Date: Thu, 10 Feb 2005 01:10:58 -0400 
I think reading the #1 link below that gc() would collect the insecure
string you want to collect, like in "How gc works(...) The
documentation states that this call sets a flag suggesting that a GC
might be run if the JVM is so inclined. What the System.gc() call
actually does is this: if a GC cycle is running at the the time of a
call, then ignore the call; otherwise, initiate a full GC cycle. This
means that every time (or 99.9 percent of the time) you call
System.gc(), you initiate a full GC cycle."

1. Gems from e-BIT: Living with the Garbage Collector (Understanding)
http://www-106.ibm.com/developerworks/ibm/library/j-jtctips/j-jtc0117b.html

2. Forcing garbage collection (An opinion as not works fine!!!)
http://www.artima.com/legacy/answers/May2000/messages/217.html

3. Forcing Finalization and Garbage Collection (Java perspective)
http://www.science.uva.nl/ict/ossdocs/java/tutorial/java/system/garbage.html

4. Cleaning Up Unused Objects (Java perspective)
http://www.science.uva.nl/ict/ossdocs/java/tutorial/java/javaOO/garbagecollection.html


On Thu, 10 Feb 2005 14:12:02 +1100, Michael Silk <michaelsilk@gmail.com> wrote:

Michael,

What is some example implementations of the usage of SecureString?

To store a CC coming from a submission? Surely it could be tracked as
it's coming in (browser -> server -> [ here ! ] -> your code), in that
case.

To store a password? Where does the password initially come from? and
where does it get used? do other API's take a SecureString and _never_
realise it into a common string form?

It seems the weak link in the chain would break this one, ... or am I
missing something :) ?

Further, on what basis is it encrypted? Under the user that is running
the code? As such, wouldn't any other (malicious) .net code be running
under the same privileges and hence be able to decrypt it?

-- Michael Silk



-----Original Message-----
From: Michael Howard [mailto:mikehow@microsoft.com]
Sent: Thursday, 10 February 2005 10:15 AM
To: Benjamin Livshits; chaim moshe; webappsec@securityfocus.com
Subject: RE: secure storage of sensitive data in J2EE

I know this is not J2EE, but in .NET Framework, we added a
SecureString class that:

1) is automatically encrypted in memory (to mitigate the
paged-out-data
threat)
2) is cleared when the string is no longer used
3) is GC'd rapidly





-- 
-----------------------------------------------------------------------
  Olaf Reitmaier Veracierta <olafrv@gmail.com>
  Estudiante de Ing. Computación
  Universidad Simón Bolívar
  Linux User #: 264681
-----------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: secure storage of sensitive data in J2EE, Olaf Reitmaier
Next by Date:  RE: secure storage of sensitive data in J2EE, Michael Howard
Previous by Thread:  RE: secure storage of sensitive data in J2EE, Michael Silk
Next by Thread:  Re: secure storage of sensitive data in J2EE, Olaf Reitmaier
Indexes:  [Date] [Thread] [Top] [All Lists]