Present but Unreachable: Reducing Persistentlatent Secrets in HotSpot JVM

Applications that manage sensitive secrets, including cryptographic keys, are typically engineered to overwrite the secrets in memory once they’re no longer necessary, offering an important defense against forensic attacks against the computer. In a modern garbagecollected memory system, however, live objects will be copied and compacted into new memory pages, with the user program being unable to reach and zero out obsolete copies in old memory pages that have not yet been reused. This paper considers this problem in the HotSpot JVM, the default JVM used by the Oracle and OpenJDK Java platforms. We analyze the SerialGC and Garbage First Garbage Collector (G1GC) implementations, showing that sensitive data such as TLS keys are easily extracted from the garbage. To mitigate this issue, we implemented techniques to sanitize older heap pages and we measure the performance impact– sometimes good, sometimes unacceptable. We also discuss how future garbage collectors might be designed from scratch with efficient heap sanitation in mind.