Monday, December 29, 2014

Java Garbage Collection is Not Instant

Over the weekend I experimented with Java GC and decided to write something about it. I wanted to prove that just because a Java object or variable is eligible for garbage collection does not mean it gets collected right away.

That interval becomes a window of opportunity for an attacker to read sensitive data from your application through a heap memory dump.

To prove this, I created a simple console application for the experiment.

1. Create the Java program:

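import java.util.Scanner;

public class HelloWorld {
    // Reads the password and returns without clearing it. Once this method
    // returns, sesitiveData is unreferenced and eligible for GC.
    private static void readData() {
        System.out.println("Enter password here : ");
        Scanner scanIn = new Scanner(System.in);
        char[] sesitiveData = scanIn.nextLine().toCharArray();
        scanIn.close();
    }

    public static void main(String[] args) throws Exception {

        readData();
        // Keep the JVM alive for an hour after readData() has returned.
        Thread.sleep(1000 * 3600);
    }
}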
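
An added example, not part of the original post: the first part uses a WeakReference to show that an array left unreferenced, as in readData(), is normally still in the heap until a collection actually runs, and the second part reads the password with Console.readPassword() and overwrites it before it becomes garbage. The class name, method names and the sample secret are assumptions made for illustration.

```java
import java.io.Console;
import java.lang.ref.WeakReference;
import java.util.Arrays;

public class SecretLifetimeDemo { // hypothetical class, not from the post

    // Mirrors readData(): when this returns, the array has no strong reference
    // left. The WeakReference lets us observe it without keeping it alive.
    static WeakReference<char[]> readAndDrop() {
        char[] secret = {'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd'}; // constructed sample
        return new WeakReference<>(secret);
    }

    // Hardened variant: no intermediate String is created, and the array is
    // overwritten before it becomes garbage, so what lingers is only zeros.
    static boolean readAndWipe(Console console) {
        char[] password = console.readPassword("Enter password here : ");
        if (password == null) {
            return false; // end of input reached
        }
        try {
            return password.length > 0; // placeholder for the real use of the secret
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        WeakReference<char[]> ref = readAndDrop();
        // Eligible for collection, yet normally still present in the heap.
        System.out.println("before GC, still in heap: " + (ref.get() != null));

        System.gc(); // only a request; the JVM may ignore it
        System.out.println("after GC request, still in heap: " + (ref.get() != null));

        Console console = System.console(); // null when no terminal is attached
        if (console == null) {
            System.out.println("No console attached; skipping password prompt.");
            return;
        }
        System.out.println("password accepted: " + readAndWipe(console));
    }
}
```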