  • 41
    If a process has access to the memory of your application, then that is already a security breach, right? Commented Sep 1, 2015 at 11:26
  • 37
    @Yeti: Yes, but it's not like it's black and white. If they can only get a snapshot of the memory then you want to reduce how much damage that snapshot can do, or reduce the window during which a really serious snapshot can be taken. Commented Sep 1, 2015 at 11:47
  • 80
    A common attack method is to run a process that allocates lots of memory and then scans it for left-over, useful data like passwords. The process doesn't need any magical access to another process's memory space; it just relies on other processes dying without first clearing out sensitive data and the OS also not clearing memory (or page buffers) before making it available to a new process. Clearing out passwords stored in char[] locations cuts off that line of attack, something not possible when using String. Commented Sep 5, 2016 at 19:11
  • 26
    If the OS does not clear memory before giving it to another process, the OS has major security issues! However, technically the clearing is often done with protected mode tricks, and if the CPU is broken (e.g. Intel Meltdown) it's still possible to read old memory contents. Commented Apr 21, 2020 at 7:33
  • 13
    @PrateekPande: It would only be in the literal pool if it were present in the source code, or explicitly interned. Those are both bad ideas in general... Commented Jan 10, 2021 at 12:35
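The pattern the comments above argue for (hold the password in a char[], use it, then overwrite it) in working Java. This is an added example, not code from the question or from any of the answers; the PBKDF2 parameters, the fallback password bytes and the zero salt are illustrative placeholders, and `System.console()` is only used so that a real run never creates a String from the secret.

```java
import java.io.Console;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class WipeablePassword {

    // Derive a key from a password that is held only in char[].
    // PBEKeySpec takes char[] (not String) for exactly this reason and
    // keeps its own copy, so it must be cleared as well.
    // Iteration count and key length are illustrative assumptions.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory =
                    SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // zero the copy inside the KeySpec
        }
    }

    public static void main(String[] args) throws Exception {
        // Read the password straight into a char[]. Console.readPassword()
        // never goes through a String, so no interned or pooled copy exists.
        // The literal char array is a constructed fallback for non-interactive
        // runs (an assumption of this example), deliberately not built from a
        // String literal, which would sit in the constant pool for the life
        // of the JVM (the point made in the last comment above).
        Console console = System.console();
        char[] password = (console != null)
                ? console.readPassword("Password: ")
                : new char[] {'h', 'u', 'n', 't', 'e', 'r', '2'};

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = null;
        try {
            key = deriveKey(password, salt);
            System.out.println("derived " + key.length + " key bytes");
            // ... use the key here ...
        } finally {
            // Overwrite the secret as soon as it is no longer needed, so that
            // a later heap snapshot or reused page does not contain it.
            Arrays.fill(password, '\0');
            if (key != null) {
                Arrays.fill(key, (byte) 0);
            }
        }

        // After the wipe the array really is zeroed; nothing equivalent exists
        // for a String, whose characters stay in the heap until the object is
        // collected, and are not overwritten even then.
        System.out.println("password buffer after wipe: "
                + Arrays.toString(password));
    }
}
```

Two caveats a reviewer would want stated: the wipe only covers copies the program controls (a garbage collector that moves objects can leave stale copies behind, and the crypto provider may make its own), so this narrows the window described in the comments rather than closing it; and the discipline is lost the moment anything calls `new String(password)` or `String.valueOf(password)`, since that copy can never be cleared.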