You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

Hardcoding sensitive information, such as passwords, is an extremely dangerous practice. Doing so can have the following ominous effects:

  • The sensitive information can become accessible to whoever has access to the source code, for example, the developers.
  • Once the system goes into production, it can become unwieldy to manage and accommodate changes to the code. For instance, a change in password may need to be communicated using a patch [[Chess 07]].

  • In certain cases, it can also violate the fundamental principle of recalling the memory used to store the sensitive information as soon as the required operation has concluded. A carefully administered heap dump or application monitoring through a JVM debugger can expose the sensitive information if it persists over an extended period of time.
  • Malicious users may use decompilation techniques to resurrect the hardcoded sensitive information. This is a critical security vulnerability.

Noncompliant Code Example

This noncompliant code example uses a password field instantiated as a String.

class Hardcoded {
  String password = new String("guest");
  public static void main(String[] args) {
    //..
 }
}

Notably, when the password is no longer required, it is left at the mercy of the garbage collector. This is because String objects are immutable and continue to persist even after they are dereferenced, until the garbage collector performs its job.

Secondly, a malcious user can use the javap -c Hardcoded command to disassemble the class and uncover the hardcoded password. The output of the disassembler as shown below, makes available the password guest in cleartext.

Compiled from "Hardcoded.java"
class Hardcoded extends java.lang.Object{
java.lang.String password;

Hardcoded();
  Code:
   0:	aload_0
   1:	invokespecial	#1; //Method java/lang/Object."<init>":()V
   4:	aload_0
   5:	new	#2; //class java/lang/String
   8:	dup
   9:	ldc	#3; //String guest
   11:	invokespecial	#4; //Method java/lang/String."<init>":(Ljava/lang/String;)V
   14:	putfield	#5; //Field password:Ljava/lang/String;
   17:	return

public static void main(java.lang.String[]);
  Code:
   0:	return

}

Compliant Solution

This compliant solution uses a char array to store the password after it is retrieved from an external file. The password is immediately cleared out after use. This limits the exposure time.

class Password {
  public static void main(String[] args) throws IOException {
    char[] password = new char[100];	
    BufferedReader br = new BufferedReader(new InputStreamReader(
      new FileInputStream("password.txt")));

    // reads the password into the char array, returns the number of bytes read 
    int n = br.read(password);  
    // decrypt password, perform operations
    for(int i= n - 1;i >= 0;i--)  // manually clear out the password immediately after use 
      password[i] = 0;	 
    br.close();
    }
}

Risk Assessment

Hardcoding sensitive information can lead to critical security vulnerabilities.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC31- J

high

probable

medium

P12

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C Secure Coding Standard as MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

References

[[Gong 03]] 9.4 Private Object State and Object Immutability
[[Chess 07]] 11.2 Outbound Passwords: Keep Passwords out of Source Code
[[MITRE 09]] CWE ID 259 "Hard-Coded Password"


MSC30-J. Generate truly random numbers      49. Miscellaneous (MSC)      MSC32-J. Prevent OS Command Injection

  • No labels