mimiclone / fips203-java

Java-based implementation of the NIST FIPS-203 Standard (Module-Lattice Key-Encapsulation Mechanism)
MIT License

using byte[] leads to (multiple) copies of secret material remaining in the clear in RAM #1

Open andy-goryachev opened 2 weeks ago

andy-goryachev commented 2 weeks ago

An attacker who gets access to a memory dump or an unencrypted swap file may obtain secret material.

mimiclone-james commented 2 weeks ago

Great point @andy-goryachev. I see you are a fan of DirectByteBuffer, although I've seen some issues with those as well. If we ensure that every method which allocates a byte array zeros out all of the bytes prior to method termination, would you consider that sufficient protection for those values?

This has already been done for a few specific values that the standard marks as "secret", but we can easily update things to do this everywhere.

andy-goryachev commented 2 weeks ago

no: GC can make copies.

As you pointed out, I did try to use DirectBuffer (https://github.com/andy-goryachev/MemSafeCrypto) with some moderate performance hit obviously; perhaps Panama FFM and its MemorySegment will be faster. I think it's been released in JDK22 (https://openjdk.org/jeps/454).

mimiclone-james commented 2 weeks ago

For the time being @andy-goryachev, I am adding code to explicitly zero out intermediate values after last use during processing. Will take another look at this when JDK 25 comes out to see if there are more options, because I'm only targeting LTS releases.
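The three options discussed in this thread side by side, as an added example that is not code from fips203-java or from either commenter: a heap `byte[]` wiped in `finally` (the approach the maintainer is adopting), a direct `ByteBuffer` (usable on JDK 17/21), and a native `MemorySegment` owned by a confined `Arena` from the FFM API, which was finalized in JDK 22 (JEP 454) and so is first available without `--enable-preview` on an LTS release in JDK 25. All class and method names are hypothetical, and SHA3-256 stands in for the ML-KEM hash functions only because it ships with the JDK. The example also shows the caveat the thread does not spell out: the JDK's own APIs (`SecureRandom.nextBytes`, `MessageDigest.digest`) only hand secrets over as heap arrays, so even with off-heap storage there are heap transits that still need an explicit wipe.

```java
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Added example (hypothetical names, not fips203-java code). Each derive*
 * method takes ownership of its seed array and wipes it before returning,
 * and returns a derived key that the caller must wipe after last use.
 * Requires JDK 22+ for the Arena/MemorySegment variant.
 */
public final class SecretStorage {

    /** Heap array: the wipe is best effort. A compacting GC may already have
     *  relocated the array, leaving a stale copy this fill never touches. */
    static byte[] deriveOnHeap(byte[] seed) throws NoSuchAlgorithmException {
        try {
            return MessageDigest.getInstance("SHA3-256").digest(seed);
        } finally {
            Arrays.fill(seed, (byte) 0);
        }
    }

    /** Direct ByteBuffer (JDK 17/21 friendly): the backing store is off-heap,
     *  so the GC does not move it and the fill below clears the only copy.
     *  The memory itself is released by a Cleaner whenever the buffer is collected. */
    static byte[] deriveDirect(byte[] seed) throws NoSuchAlgorithmException {
        ByteBuffer buf = ByteBuffer.allocateDirect(seed.length);
        buf.put(seed).flip();
        Arrays.fill(seed, (byte) 0);          // heap original wiped as soon as it is copied out
        try {
            MessageDigest md = MessageDigest.getInstance("SHA3-256");
            md.update(buf);                   // consumes the direct buffer without materialising a byte[]
            return md.digest();               // ...but the digest itself comes back as a heap byte[]
        } finally {
            buf.clear();
            while (buf.hasRemaining()) buf.put((byte) 0);
        }
    }

    /** Native segment (JDK 22+, JEP 454): allocation, wipe and release are all explicit. */
    static final class OffHeapSecret implements AutoCloseable {
        private final Arena arena = Arena.ofConfined();
        private final MemorySegment seg;

        OffHeapSecret(byte[] src) {
            seg = arena.allocate(src.length);
            try {
                MemorySegment.copy(src, 0, seg, ValueLayout.JAVA_BYTE, 0, src.length);
            } finally {
                Arrays.fill(src, (byte) 0);   // the heap copy is wiped the moment it is off-heap
            }
        }

        byte[] derive() throws NoSuchAlgorithmException {
            MessageDigest md = MessageDigest.getInstance("SHA3-256");
            md.update(seg.asByteBuffer());    // direct ByteBuffer view over the native memory
            return md.digest();
        }

        @Override
        public void close() {
            seg.fill((byte) 0);               // Arena.close() frees but does not wipe; wipe first
            arena.close();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] seed = new byte[32];
        new SecureRandom().nextBytes(seed);   // SecureRandom only fills heap arrays: a forced heap transit

        // Each clone() is one more copy that has to be wiped; the callees wipe theirs.
        byte[] k1 = deriveOnHeap(seed.clone());
        byte[] k2 = deriveDirect(seed.clone());
        byte[] k3;
        try (OffHeapSecret s = new OffHeapSecret(seed.clone())) {
            k3 = s.derive();
        }
        Arrays.fill(seed, (byte) 0);

        System.out.println("same key from all three: "
                + (Arrays.equals(k1, k2) && Arrays.equals(k2, k3)));
        for (byte[] k : new byte[][] { k1, k2, k3 }) Arrays.fill(k, (byte) 0);
    }
}
```

The `Arena.ofConfined()` variant is the only one of the three where the seed has a single, non-moving home whose lifetime ends at a known point; the `finally` wipe on a heap `byte[]` remains worth doing, but it is a best-effort measure for the reasons given earlier in the thread.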