Slashdot Mirror

← Back to Stories (view on slashdot.org)

Don Box: Huge Security Holes in Solaris, JVM

Posted by timothy on from the so-this-pot-and-kettle-are-in-a-coal-mine-at-night dept.

DaHat writes "Don Box, one of the authors of the original SOAP specification in 1998, now an architect on Microsoft's next generation Indigo platform recently responded to James Gosling's remarks regarding huge security holes within the .NET Common Language Runtime (CLR). Don argues that the same 'flaws' that Gosling noted in the .NET CLR exist both within the Solaris operating system as well as the JVM, both of which support execution of C and C++ code, as well as explaining why this is not necessarily a bad thing."

9 of 226 comments (clear)

  1. I don't think anyone really read what Gosling said by Anonymous Coward · · Score: 5, Interesting

    Are we just going to have this continuing debate in which every side is inaccurately reduced to one slashdot-blurb-sized sound bite?

    Anyway, JNI doesn't need to be a security hole of the sort Mr. Box mentions; one can concieve of a Java VM which disallows unsafe JNI code from touching the memory of the bytecode-verified safe code, by partitioning JNI execution into a separate process. In fact at least one such JVM implementation exists already.

  2. Re:Flaws aren't a bad thing? by Rosco+P.+Coltrane · · Score: 5, Funny

    I can see it now..."Bugs deserve rights too!"

    Well, ask the original bug at NSWC if it enjoys being taped to a cardboard note since 1947...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. here we go again.... by kevinx · · Score: 5, Funny

    is this one of those, "your hole is bigger than mine" arguments?

  4. FUD by micromuncher · · Score: 5, Informative

    To use JNI inside of an applet, it needs to be signed with the DLL/shared library pre-installed in lib. So, the topic of "Huge Security Hole in Solaris and JVM" is alarmist and FUD, considering that to get outside of the sandbox, you need to jump through serious configuration hoops.

    --
    /\/\icro/\/\uncher
  5. This just in! by kiwidefunkt · · Score: 5, Funny

    This just in: Programming languages are insecure. They allow third parties to run arbitrary code on your processor.

    Microsoft will be releasing a patch which fixes this problem soon. Stay tuned.

    --
    www.kiwilyrics.com - a wiki for lyrics
  6. Why "managed" == "denial" by Concern · · Score: 5, Insightful

    When .NET was first announced and the details began to be known, there were a number of lively discussions here about it. The "feature" of running unmanaged code was hotly debated, but the debate seemed to me to be entirely one-sided. It seemed clear unmanaged code is another classic Microsoft mistake - trading sugary convenience today for billions in headaches for their customers tomorrow. I went looking for someone to convince me otherwise and didn't succeed. Maybe now?

    There is great value in a "managed" system like the Java VM. It gives us an extraordinary amount of safety that we are frankly unaccustomed to. People are still gradually learning how to think about it, but you see more and more security-critical projects going "Java only" as they figure it out.

    There is also obviously no way we can do everything that way. For hot code, we work at lower levels, put in more work, and (for now) accept the additional risks. Note that the constant stream of ugly worldwide security problems is gradually but now noticeably decreasing our apetite for doing everything that way.

    As far as I can tell, by allowing unmanaged code in the runtime, .NET gives you only the worst of both worlds.

    You get all the overhead of the VM, but you don't really get safety.

    I know perfectly well you can tell the .NET runtime not to allow unmanaged code. That doesn't matter, because the choice is there, "unmanaged" is still a huge problem.

    Either it is avoided by everyone (everyone recognizes that it's a mistake), or we all begin to use it (it's in XYZ library), and then we all end up allowing unmanaged code, and we are no longer safe.

    --
    Tired of Political Trolls? Opt Out!
  7. Hmm.. by vurg · · Score: 5, Funny

    So when will this become a serial exchange of yo momma jokes?

  8. Inaccurate Inaccurate comparison by steve_l · · Score: 5, Informative

    JNI is the second edition at a Java to C++ API. It is the underpinnings of every binding from Java to platform there is, not an afterthought for applets (though Netscape were involved). If you don't use it much in your code, it's because other people (i.e Sun) do it for you. They also go out their way to make it hard to do so, whereas MS, with P/Invoke and COM support, make it really easy to invoke native code *from trusted apps*.

    Most .NET code that I know doesn't use unsafe either: MS go out their way to discourage you. You have to compile as unsafe, grab pointers only briefly, and then only ever get to run if your code came from a trusted place. All remote code is blocked, even that on a network share.

    Where MS do care is about COM integration, about platform integration. True, there is only one platform they care about, Windows.

    But consider this: Integration between Java and Linux, especially the GUI, sucks. Want decent Java/Gnome bindings? You need the third party Java-Gnome libs, which use, wait for it, JNI. Want Java KDE bindings, go to KDEJava and get the java libraries plus native code. If you want to integrate with the OS, you need native code, which means JNI.

    The fact that JNI is pretty rare can be seen by the fact that Gnome, KDE and drag-drop integration with the rest of the Linux GUI is pretty much nonexistent.

    I think the FUD Sun are saying about "unsafe" is so bogus. If they want to slag it off, just pick on the .NET APIs, too much of which are thin wrappers around Win32. OR the fact that the .NET runtime needs IE6 installed, and IE6 is the web browser component for .NET apps. OR the fact that ASP.net is built on IIS. Those are security holes. Windows is a security hole. ActiveX is a gaping security hole. IIS is server side disaster. .NET is actually pretty secure, but its just damage limitation on an otherwise dangerous piece of junk. Its like having ABS brakes on a Ford Explorer; not enough on its own to stop you crashing and burning horribly.

  9. Neither is really a security hole.... by Jaime2 · · Score: 5, Interesting

    Let's take a look at how each technology can become a security hole: By remote execution of content presumed to be in a "sandbox".

    .NET: Since unmanaged code is turned off by default for remotely loaded code, it will not be run by an unexpected trip to a web page.
    Java: Since JNI won't work by default under the same circumstances, the newest virus won't be injected into your system by an evil web page.

    Anything else is simply an architectural choice. MS likes to preserve compatibility while allowing you to move forward as quickly as posible. Sun wants you to rewite stuff in Java (for the most part), so the new stuff is more secure, but there will be more old stuff floating around that is still unsecure because we won't yet have found time to port it.

    BTW, Code Access Security in .NET is sophisticated enough to allow some apps to use unmange code, but not others, or some users, or software from a certain publisher, and a bunch of other options as well. You don't have to simply "turn on unmanaged code". They even have a simply way to allow software publishers to communicate these settings to customers instead of letting Joe Blow admin decide to simply turn off security to make it work.

    In summary, both technologies allow you to blow your own foot off if you aim the gun properly and squeeze the trigger. So what -- we were allowed to do that before these technologies came along and preventing you from being able to blow your own foot off will only slow adoption and cause more feet to be blown off.