harmony-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: Security
Date Sun, 03 Jul 2005 12:27:28 GMT
Neil Macneale wrote:
> 
> Ben Laurie wrote:
> 
>>So, it seems to me that when you say its easier to write secure code in
>>Java than C what you really mean is that its easier to write code free
>>of buffer overflows in Java than C.
>>
>>I can't think of _any_ other interesting security properties that Java
>>has and C lacks. Am I missing something?
> 
> 
> It has generally been my experience that buffer overflows are not an
> issue in Java code. Not because indexes are checked automatically, but
> more because the .length field is prevalently used. It is uncommon that
> I see IndexOutOfBoundsExceptions being thrown in my code, or the code I
> rely upon.
> 
> Preventing buffer overflows is a commonly cited advantage of Java, but
> there are other advantages as well. There is a common architecture for
> signing and verification of code.

Woah. This doesn't provide security in any interesting sense. And PGP 
signatures on C source are just as good.

> The two JVMs I have installed return
> null when I attempt to get the signers of the String class. It would
> seem reasonable to me to have a hard-coded public key in Harmony so we
> could verify the validity of the libs. These tools can also be used to
> seal jars, thus assuring that when someone downloads and installs a
> standard build of Harmony, they can be fairly certain that they didn't
> get an image with a back door built in. (Note this brings up a separate
> issue of having an SSL trusted host, but let's not go there yet.)

See above.

> Furthermore, by using the java.security package and its friends we can
> be assured that our Java code is behaving correctly.

You can? How?

> If there is C code
> in the JVM which opens and writes to files, then we must manually check
> to see that the JVM has permission to do so. If the code is written in
> Java, then the SecurityManager class takes care of that with no
> effort to the developer. This may be a double-edged sword since
> developers who think "The SecurityManager will catch my bugs" are going
> to dig themselves into a hole. But it's better than the C model, which is
> non-existent.

How hard is it to write a wrapper for open() in C? Why is that different 
from using SecurityManager?

BTW, have you ever seen plash? 
http://www.cs.jhu.edu/~seaborn/plash/plash.html

Cheers,

Ben.

-- 
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
