harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Neil Macneale <mac4-harm...@theory.org>
Subject Re: Security
Date Fri, 01 Jul 2005 17:50:38 GMT


Ben Laurie wrote:
> So, it seems to me that when you say its easier to write secure code in
> Java than C what you really mean is that its easier to write code free
> of buffer overflows in Java than C.
> 
> I can't think of _any_ other interesting security properties that Java
> has and C lacks. Am I missing something?

It has generally been my experience that buffer overflows are not an
issue in java code. Not because indexes are checked automatically, but
more because the .length field is prevalently used. It is uncommon that
I see IndexOutOfBoundsExceptions being thrown in my code, or the code I
rely upon.

Preventing buffer overflows is a commonly sighted advantage of java, but
there are other advantages as well. There is a common architecture for
signing and verification of code.  The two JVMs I have installed return
null when I attempt to get the signers of the String class. It would
seem reasonable to me to have a hard coded public key in Harmony so we
could verify the validity of the libs. These tools can also be used to
seal jars, thus assuring that when someone downloads and installs a
standard build of Harmony, they can be fairly certain that they didn't
get an image with a back door built in. (Note this brings up a separate
issue of having a SSL trusted host, but lets not go there yet.)

Furthermore, by using the java.security package and it's friends we can
be assured that our Java code is behaving correctly. If there is C code
in the JVM which opens and writes to files, then we must manually check
to see that the JVM has permission to do so. If the code is written in
Java, then the SecurityManager class to takes care of that with no
effort to the developer. This may be a double edged sword since
developers who think "The SecurityManger will catch my bugs" are going
to dig themselves into a hole. But it's better than the C model which is
non-existant.

Neil

Mime
View raw message