Java or C: Is One More Secure?

bluefoxlucid writes "Security has been a hot topic lately, and we've seen everything from changes to how memory is managed to compiler hardening to "secure" programming languages. Java is considered more secure than C in general; but this guy seems to disagree, and thinks hardening the system itself is the way to go. Are we really approaching the problem the wrong way, or is he just insane?"

C stack protection might help

[Moxon]

Apparently there will be a port of IBMs stack protector in GCC 4.1. Might be interesting to see how that changes matters.

Hunh? Does Java even have gets()?

[redelm]

Almost all the exploits in `c` center around the implicit assumption that misbehaviour is tolerated when unexpected input is received. Yes, the stack can be somewhat protected against overflows, but this is a bolt-on.

AFAIK, Java is considered a "strongly typed" language, so even if there is a gets(), it has an implied length.

Not applicable

[RingDev]

By design C allows you to access memory at your own descretion. I beleive Java does also (It's been a while), which means neither is a 'secure' programing language. This would be like asking if Fords or Chevys are safer because one uses tig welding and the other uses mig welding. It completely matters on how the code is used. You can write your own memory editor in C (and I beleive Java). Which would make them fundamentally unsecure. C has the advantage that you have to write your own code, so you can make sure it is bug and security flaw free (cha right, and monkeys might fly from my ass!) where as Java comes with libraries. No need to recreate the string. Which saves you tons of dev time, but now you depend on someone else's code review. With that in mind, I'd say Java has a slight edge, just because more people are testing the Java libraries then your custom made objects.

-Rick

Re:Not applicable

[MaggieL]

By design C allows you to access memory at your own descretion. I beleive Java does also (It's been a while)

Sounds like it's not so much a matter of how *long* it's been since you had the one course in Java you were required to take to graduate, but rather how much attention you paid while you were there.

Re:Not applicable

[RingDev]

It's been years, and I can't remember what specific limitations there are. Yes there is the sand box, which would apply at least a basic level of security. But so long as there has been a sand box there have been ways out of it. So even if you can do pointer math in Java you are theoretically limited to the sand box. But realisticly, either language can be used for malicious reasons. -Rick

Re:Not applicable

[lexarius]

Except that you can't do pointer math in Java. Java references are opaque and cannot be manipulated.

Re:Not applicable

[MaggieL]

It's been years, and I can't remember what specific limitations there are.

Then maybe you should consider posting only about things you actually do remeber. The set of languages that can be used for malicious resaons includes English.

Re:Not applicable

[RingDev]

Which is why I specificly noted that I could not garuntee the accuracy of that statement. The issue is that the problem was being approached from a black or white stance. Much like the retarded Linux vs Windows arguements that are had here. What is likely to follow is a bunch of java fanatics and C old schoolers tossing insults back and forth over who's language is better. The point is that either can be better, and either can be worse, it entirely depends on context, design, and the skill of the coder.

-Rick

Re:Not applicable

[MaggieL]

Ignorance-based relativism doesn't really further the discussion. It's really hard for you to say anything of merit about something you don't understand.

In point of fact Java architecture contributes significantly to making it easier to write secure applications (as it also improves reliability); hand-waving that "bad stuff can happen in either language" is semantically null.

You *can* crash *any* car, but, by design, some are clearly safer than others.

Re:Not applicable

[RingDev]

"In point of fact Java architecture contributes significantly to making it easier to write secure applications (as it also improves reliability);"

I agree completely. I'm a .Net developer, I much prefer using precompiled libraries and an emulator like environment to run my applications. My point being that C/C++ can be just as secure as a Java app if it is coded correctly. The question should not be which is MORE secure, but which is EASIER to secure.

A Java app will come with all of the inherant security of the Java VM. But a flaw in the VM effects all Java applications. And as such an application developer is at the mercy of the VM developers. Where as if a home built C/C++ app has a vulnerbility found, the developer is free to fix it. Both have advantages and disadvantages in the security world, and I stand by my assessment that the debate is highly contextual.

-Rick

Re:Not applicable

[MaggieL]

Erm...the C++ programmer is only "free to fix it" if it's in his code, or code he controls. "Home-built" apps actually do call libraries and the OS too. Calling a virtual machine an "emulator-like environment" is kind of silly; modern JVMs perform dynamic optimizations that bear little resemblence to what an emulator typically does.

"A C++ app can be just as secure if coded correctly" says nothing; all cars are safe "if you drive correctly". What's "more secure" is probably more secure because it was *easier* to secure...unless extraordinary effort was applied to make it so.

And even that may not be enough, a point that is hopefully not lost on a Windows developer like yourself. Now that we know you're a .Net person the motivation for all this noise becomes a bit clearer, and my original point about "potentially malicious languages" still stands. :-)

Re:Not applicable

[Directrix1]

Or you can use an open source VM (such as in python) and still be able to fix it yourself.

Re:Not applicable

[RingDev]

"the C++ programmer is only "free to fix it" if it's in his code, or code he controls. "Home-built" apps actually do call libraries and the OS too."

Very true. No matter which language you write in, you will likely be at the trust of some other code provider.

"Calling a virtual machine an "emulator-like environment" is kind of silly; modern JVMs perform dynamic optimizations that bear little resemblence to what an emulator typically does."

The JVM and .Net Framework acheive the same thing, the convert a common language to native language and run it in a (somewhat) enclosed environment. Call it an emulator, a virtual machine, a sandbox, what ever.

"Now that we know you're a .Net person the motivation for all this noise becomes a bit clearer"

What is that suposed to mean? Yes, I code in .Net. Why? Because I love design and coding and there is a strong market for .Net developers. If the market was as strong for in house Java developers, I would have gone that route. I've worked in Pascal, ADA, Notes, Java, Access/Excel/VBA, Delphi, and tons of other crap that I needed to complete a job. The language is a tool, and given a choice between developing in C/C++ or Java, I would take Java with out hesitation. But if the situation demands a higher level of control, performance, and no cross platform execution, I would have no problem recommending C++. Use the correct tool for the job.

-Rick

Re:Not applicable

[RingDev]

Now that would be a much more interesting debate! Which is better, an open source VM(python/Mono) or closed source VM(Java/.Net) for security? -Rick

Re:Not applicable

[MaggieL]

The JVM and .Net Framework acheive the same thing, the convert a common language to native language and run it in a (somewhat) enclosed environment. Call it an emulator, a virtual machine, a sandbox, what ever.

That definition even includes compilers. "Emulation" specifically means to program one system to *imitate* the behavior of another, with the strong implication of a loss of efficiency. Not all interpretive execution environments are emulators, or even "emulator-like". And large chunks of modern JVMs are much closer to compilers than interpreters, and need not suffer by comparison with "native" solutions performance-wise (although what exactly is "native" about C on, say, x86, escapes me at the moment).

What makes Java superior in the realms of reliability and security is that it works at a higher level of abstraction than C. This makes it possible to exclude large chunks of the state space that aren't useful, and serve only as a source of defects and vulnerabilities.

We're all duly impressed with the "tons of crap" you've "needed to complete a job". My own experience set overlaps that considerably (with the addition of Fortran, BASIC, COBOL, PL/I and APL. I've managed to avoid Notes and Delphi, so far.)

None of that qualifies you to comment on Java, of course. Today, assuming that because something wasn't coded in Java means it performs better than a Java-based solution is silly. "Higher level of control" sounds nice but doesn't mean much, unless by "higher level" you mean directly accessing memory or attached devices...which most folks would call "lower".

And I very much doubt a situation ever *demands* no cross-platform execution. Unless you work for Microsoft... :-)

Re:Not applicable

[RingDev]

Ehh, we're arguing symantics over the definition of the JVM/.Net framework.

My Tons of crap list wasn't to impress, it was to show that I am not a 'Microsoft fanboi.' In that I will use which ever tool best fits the need of the situation in context. Whether its Java, .Net, C++, PHP, or what ever. This was intended to rebut your implication that I am some how inferior because at the moment the tool I am using is designed by Microsoft.

"Today, assuming that because something wasn't coded in Java means it performs better than a Java-based solution is silly."

Assuming the code was compiled natively I would expect it to outperfom Java. If the JVM's JIT compiler can compete with natively compiled code that's great. I haven't actively worked in Java sine 1.41 was new.

""Higher level of control" sounds nice but doesn't mean much, unless by "higher level" you mean directly accessing memory or attached devices...which most folks would call "lower"."

Again symantics. You have a higher level of control over a lower level functionality.

-Rick

Re:Not applicable

[Scott7477]

Please give an example of how this is relevant to the typical programming task that a programmer would see...

Thanks

Re:Not applicable

[karlm]

Which is better, an open source VM(python/Mono) or closed source VM(Java/.Net) for security?

There are several OSS Java VMs. (Kaffe, IKVM, Jikes RVM, etc.)

Python is one of my favorite languages, but from a security standpoint, dynamic typing introduces a whole class of errors and makes code audits more difficult. Sure, one could introduce manual type checks at the beginnings of methods and raise TypeErrors, as well as checking returned types. However, the more correctness (security is a subset of correctness) checks that are performed/inserted by the compiler, the fewer chances there are for undetected errors. Also, manual insertion of runtime time checks doesn't guarantee correctness, it only guarantees that type errors generate runtime failure and detection of incorrectness.

It would be neat if there were a type-inferencing lint for Python. Are any of you aware of such a beast?

(And yes, I'm aware of the Boo language, as well as proposals to add optional static typing to Python.)

Re:Not applicable

[lexarius]

C programs need pointer math. Among other things, it is how you access dynamically allocated memory chunks, which is done in most programs. It is also used heavily in operating system code. Pointer math is highly useful, but it can lead to all sorts of bad things if pointers point to the wrong places. You certainly don't want some Malicious Person to figure out how to reassign one of your pointers so that it points at some arbitrary place in memory, such as inside of the currently executing code.

Java programs do not have pointer math. You can't make this object reference point somewhere arbitrary. It can only point at objects of the correct type. Java programmers lose out on the ability to manipulate memory directly but gain improved safety and security.

I wouldn't want to write operating system code in a language that doesn't let me directly manipulate memory. I wouldn't want to write application code in a language that forces me to directly manipulate memory, and I certainly don't mind when the language takes that option away entirely to replace it with something safer. Then again, some high performance code (a game?) might need a high performance memory management algorithm, and that is typically a job for pointer math.

Re:Not applicable

[bluefoxlucid]

Compression code is also simpler with pointer math, since you can incriment through an array by incrementing it (int_array++); this oddly steps though by whatever the size of the base type is, instead of 1 byte. Various things are simpler with pointer math, oddly.

Of course, you always have the option of writing something in C that lets you call functions that set up your objects (structures, linked lists, etc) in memory and decide if it's time to free them. The argument here seems to typically be, "Oh, but then I have to write a function to do that;" though I fail to see how some function setting up your objects is different from some function allocating memory and setting up your objects in that.

Another thing I notice is I typically know when it's time to get rid of something. For example, you're done with everything associated with a document when you close a file; you tell each thing using it that it's time to go, then they or you remove the object from memory, eventually clearing the file out of memory. I can't think of too many scenarios where there's not a "done with this" case for a piece of memory. If you have a game and your bullet drops out of existence, you have to tell everything to stop screwing with it, then remove the bullet from memory; if you compress text, then your compression algorithm is done with the text once it's compressed (and your code should know if it was passed a copy it's supposed to free, or if it's assuming that the caller will free it; and you should know if you made a copy for the compressor, or if you just pointed it at the production text).

Even in concurrent programming, threads are usually not just generic gook; they tend to be doing something quite specific. When you have to get rid of something, this typically involves terminating all related threads, because they're not really doing anything else.

Being "forced" to directly manipulate memory isn't necessarily bad. Pretty much it's usually being "forced" to add a line or two of code and acknowledge that there's actually pipes under the hood as well as an engine; the heap manager actually handles the task of connecting those pipes right of course.

Poor article

[ChrisRijk]

The author points out there's some tools and run-time environment features you could use to help secure C/C++ binaries. Nothing new there. Then based on some FUD and hand-waving arguments he predicts that with all these extra bits that C can be made more secure than standard Java.

The thing is though, C is still insecure as standard, while Java is still secure by design (and has shown to be in practice). Not that there's an idiot proof general purpose programing language/environment out there - being "secure by design" doesn't make something 100% secure.

Re:Poor article

[tacocat]

Sounds like he would be better off trying to compare C vs Perl or the infamous flamebait article of Java vs Perl.

Perl, when used without the Taint option has the potential be be insecure. However, you can readily so secure programs without using Taint. Perhaps the best I can really state is Secure Enough

Perl, when used with the Tain option, is a complete pain in the butt to work with an very secure. It's very difficult to do anything particularly stupid unless you work at it. But properly treated, it goes a long ways past Secure Enough

It can be argued that any language certainly can be secure. Similarly anything language can be made insecure. It's not much about the language but the lackey at the keyboard. I've seen people do things to Java at work that actually looked like they had to work at making it that shitty. Even in C is would suck. Programmers make insecure applications, not the code. Kind of like People killing people and not the guns.

Re:Poor article

[Trepalium]

Java is still secure by design (and has shown to be in practice).

False. Java can protect you from a large class of possible exploit vectors (buffer overflow, off-by-one, etc), but programs written in Java are still vulnerable to other classes of exploits. SQL injection, cross-site scripting, information leakage, and certain types of privilege escalation are all still possible in Java programs. Despite some of the common refrains here, Java can not make a bad programmer into a good one, and a bad programmer can be just as dangerous in Java as they are in C/C++.

He is insane.

[dascandy]

TFA talks about C being just as secure with protection bits, claiming that use of stack-protection stuff is going to increase programmer and company awareness and willingness to fix bugs. They can fix the bugs, it's going to make it easier, but the inverse is what will happen. Instead of better software coming out, less time is spent on fixing that kind of bugs "since the protector will catch it anyway". Why bother fixing something that doesn't crash the program?

On the other hand, if you convert all these soft errors to hard errors (instead of a program doing something softly off-balance to a rigorous crash) they'll be fixed faster. Yet still, just teach the programmers to program.

Oh, and please do give all books about programming you have left to EA. They appear to be hiring kids between 12 and 16 since they're cheaper, judging by the quality of their software. I can't even run NFS3 in opengl mode since my video card isn't supported... no, the pre-pre-pre-pre-pre-predecessor was.

Seems reasonable

[Grab]

The major source of security bugs in C and C++ is lazy programmers.

Our company has an in-house rule - "if it returns an error status, you check it". Why? Because most really nasty bugs arise from failure to check this. If you're lucky, this will just result in unexpected crashes. If you're unlucky, you get buffer overruns and remote code execution.

Why do programmers not check this? I'm convinced it comes down to how you're taught. I went through a good dozen C and C++ tutorials when I was learning them. I've been through a few more since, teaching other people. And I've *never* seen a textbook that includes a check on the results of a malloc() call being NULL. Yes I know the argument is "it'll make the examples harder to read". That's a fair point, in a hello-world program. But by the time you get to using malloc(), you should know enough to handle a little complexity. The books just don't cover it though. Not only do they simplify the examples, but they don't mention that they're simplifying. As a result, it's an issue that too many coders don't realise exists.

If coders get some good mentors at work, to show them how this *should* be done, then fine. But I don't think that happens either - code review is not a way of life for most companies. So they just go their merry way until their code falls over in a heap, and then wonder what to do about it.

Python is generally quicker to write than Java, and Java is generally quicker to write than C++, and C++ is generally quicker to write than C, simply because each step along the line does most of that work for you. But that generally comes at the cost of increased overhead (code size, execution time or both). And even then it's worth knowing what's happening underneath, because if you don't then it *will* bite you sometime. Neither of these is more secure than the other though, assuming the coder knows what they're doing.

Grab.

Re:Seems reasonable

[node+3]

The major source of security bugs in C and C++ is lazy programmers.

Why is that whenever a technology is flawed or otherwise lacking, the blame is put on the end user?

It makes me think that in a debate over the merits of putting a safety on a gun, these same people would say it makes the gun unnecessarily complex, expensive, prone to failure and just plain gets in the way when you really, really need that extra bit of performance, and besides, anyone who accidentally shoots themselves (or someone else) with a gun is an idiot in the first place.

The fact is that there is a security issue which *can* be fixed by each individual programmer, which both reality and the normal distribution curve demonstrate won't be universal, or can be fixed by the compiler, which will work 100% of the time that option is used (assuming the compiler implements the feature properly).

So, given the security issue exists, which solution is more likely to take hold: better (and more time consuming) programming practices will spread 'cross the land, or a compiler feature will fix the problem across the board?

Sure, it would be nice if programmers (and everyone, really) did their jobs "better", but it's foolish to expect it. It's better to fix the system itself because not only will it eliminate the problem, it will save the programmer from an unnecessary tedium, giving them more time to devote to actual features and other improvements.

Re:Seems reasonable

[laptop006]

So you check the return value from printf?

From the man page:
These functions return the number of characters printed (not including the trailing `\0' used to end output to strings). snprintf and vsnprintf do not write more than size bytes (including the trailing '\0'), and return -1 if the output was truncated due to this limit. (Thus until glibc 2.0.6. Since glibc 2.1 these functions follow the C99 standard and return the number of characters (excluding the trailing '\0') which would have been written to the final string if enough space had been available.)

Re:Seems reasonable

[the+eric+conspiracy]

The major source of security bugs in C and C++ is lazy programmers.

Given the state of development processes and what customers are willing to pay for software I'd say the more likely source is programmer burnout adn crappy design practices.

Re:Seems reasonable

[moro_666]

i agree, each language is as secure as the developer coding style is. java is forcing on the check of error conditions with exceptions, you need the try{}catch(){} blocks, so does python. but C doesnt really care if you even check the return value of your malloc (this probably the most common bug around :D). C leaves a lot up to the programmer (Java arrays always know their length by themselves for example).

For an average young programmer, making mistakes in C is alot easier than to do mistakes in Java. But this still doesnt make java/python/ really secure, the virtual machine executing the code can still make mistakes.

If you want to have a secore application use common sense and good planning with enough foresight. I guess that more than 50% of all the bugs come from dirty add-ons and quick-hacks to make smth work. Stuff that is written in a rush and without long planning, often backfires, and sometimes in places where none notices it until it's too late.

The author of TFA howeves is totally incompetent on the security manager theme as it seems. Java can have very very very many restrictive security measures applied that makes it basically unable to do much from the byte code (deny filesystem access, network access, classloader access etc.), whereas unless you override the standard C calls with a preload, the C application is prone to all kinds of mistakes all over the place. If in doubt, check the java security api before "bashing" back on this one.

Btw. has slashdot really nothing better to do that to publish these bashing articles like this ? Java and C aren't really comparable in very very many ways. It's a lot better than comparing php and java ofcourse, but still, it's an unfair comparisment. C can do stuff that java can't do (interrupts to devices, all kind of low-level stuff), java can do stuff that C can't do (execute the same bytecode on different architectures and machines and operating systems). Nobody really wants to implement a big banking website in C and nobody wants to write a kernel in Java. The fact that poker and solitaire are both cardgames really gives us no opportunity to compare them just because they both use the same set of cards.

Re:Seems reasonable

[torpor]

Why is that whenever a technology is flawed or otherwise lacking, the blame is put on the end user?


because technology itself is useless. it requires a user to get any use out of technology.

whether that user is another programmer (in the case where a programming language is the product), or if it is a normal joe-blow dude who doesn't really know what he's doing: until someone does something with a computer, its useless. the only significance feasible is that attributed to it through actual use ..

Re:Seems reasonable

I do.
The printf class of functions (printf, fprintf and friends) can fail.
They can fail even if just writing to stdout.
When I must care about the output being successfully written, I check fprintf return value for 0 to detect errors.

Re:Seems reasonable

that's < 0 (damn html, and me for not previewing).

Re:Seems reasonable

Why do programmers not check this?

There is a long running joke (and almost a hard fact in reality) at the school I went to for college. It says that all the real programmers become Electrical Engineers and do hardware, not software. This showed up the most in the CIS lab course I took where we did group work. Programming in C++ a member of my group, much to the chagrin of the two hardware people in the group, used a GOTO statement. I kid you not, they used a jump type command when programming in a Object Oriented language. Another example was my friend who was also doing hardware. He had a group with all CIS majors, and actually was continually having to rewrite their work and correct their errors in their code.

You see the theory, and apparently the fact, (at least at my school) behind the hardware people being better then the CIS students came from the fact that many people were flocking to CIS become they saw $$$$. While all the good programmers were people who did it throughout high school (and earlier), they saw programming as a hobby and would not want to make a living out of something they did for fun. I think the problem is most people who turned to programming in college are not programmers first, but last.

Perhaps I am off base, but I believe there is just a lack of hardcore programmers actually coding for a living.

Re:Seems reasonable

[maraist]

Difference is in handling 3'rd party libraries.. You have have the most talented C programmers in the world, but if you use a 3'rd party driver that didn't properly check fro null malloc, you're FUBAR.. Especially if you thought you could trust this 3'rd party.

Presumably this is less of an issue for C++ since you have exception handling. But if you were writing a web server in C or C++ how could you garuntee that the entire web server wouldn't crash when a developer imported code which caused a CORE dump.

In Java or even perl, you just wrap the outermost invocation w/ try { ... } catch (Throwable t) { LOG.error("bad worker", e); }.

This is an incredibly powerful statement. I'm saying I don't care what you did, I'm starting from fresh on the next web page load. It's almost declaritive. To a small degree you can do this in C++ (except for derefing null pointers).

If you were designing an OS, would you seriously blame the stability of your system on bad 3'rd party programmers? Oh wait, MS does this!!!!!

No, you make it so that it's impossible for the programmer to make your system look bad. In UNIX a bad program can at worst slow the machine down, but even then, a sys-admin can limit it's damage in the future (ulimit, etc). The "UNIX" API was designed by incredibly intelligent programmers, as you advocate all applications should be written by. But most applications are collections of unwieldy libraries, since we want to facilitate modular code reuse (don't reinvent the wheel every time, or we'll never get past the 70's software wise). Ideally each application module would live in a separate execution environment where they can't cause damage, but this isn't practical (yet). The best we have today is RPC/CORBA/COM, SOAP, HTTP. At least in these environments you can make a network call, and handle the error message anyway you like. Thus you have the ability to be crash-resistent.

Of course making an RPC call in C for every string-filtering function-call is insane, so we'd prefer to have some language level assurance.

Re:Seems reasonable

[Grab]

if it returns an error status, you check it

So if printf truncating could lead to an error, I check it.

Our "bug-of-the-day" intranet page contains a permanent link to "the bug from hell", where one of our most senior engineers ignored a return value (and the coding standard which mandated the check), and left himself open to a very nasty intermittent and hardware-specific bug, which took something like 4 man-weeks to find. As an object lesson in *why* you want coding standards, it serves its purpose...

Grab.

Re:Seems reasonable

Actually a lot is written in java using J2EE particularly. Ebay for example uses java extensivly. Load it up and look in the upper right corner of the screen and theres a Java and Sun logos there. You can use java for large scale enterprises, just a matter of how you optimise the code.

Java has a lot more protections just in its most basic form, to get the same level with C you have to do a lot more work. Biggest problem is companies want results NOW, so usually people do it quick and dirty instead of doing it right.

Re:Seems reasonable

[Grab]

I suggest you bring that analogy up with US gun owners who are currently being asked to fit handprint recognition to guns. Ask them how practical that is, for how much extra safety.

I really don't mind people using code that has built-in error-trapping. If you're using OO code anyway, then by all means use CString and don't worry about how much array is needed underneath the OO abstraction - after all, that's why you use OO. But you're trading that off against the performance hit. And at some point you're going to run out of memory anyway (or file handles or whatever), and if you didn't know that could happen then your code is screwed.

To return to your gun analogy, you can pull the trigger as much as you want when the safety's on, but sooner or later the safety comes off. At that point you're back to square one - except that now you're not equipped to deal with the consequences. The better solution is not to get into that position in the first place. In the gun analogy, you *never* point one at a person unless you intend to kill them, even if you know it's unloaded. If you do, you're exposing yourself as being inexperienced and dangerous to be around. Similarly in the code space, you can use OO abstraction and assume that everyone else takes care of their own memory, but you *must* know what can go wrong under the OO abstraction and be ready for it. If you don't, again you're exposing yourself as someone who's inexperienced and will almost certainly write bug-ridden code. Whilst I don't mind having inexperienced people on my team (my team was a bit of a training ground over the last 2-3 years, so I'm used to training people up), I'm not going to let them loose on the code without supervision and close reviewing until I can be sure they're not going to shoot it dead. ;-)

Grab.

Re:Seems reasonable

[Curien]

Ebay uses ISAPI applications, which is probably written in C or maybe C++, but definitely not Java.

Re:Seems reasonable

[Curien]

I mostly agree with you, but I also think you're forgetting that a lot of nasty bugs originate from the horrid situation that exists wrt checking for error status in C programs. There's little standardization across libraries as to what constitutes an error indicator. Further, many functions use errno to report errors, and to preserve that mechanism requires throwing re-entrancy out the window.

The worst thing, I think, is that C doesn't provide a good place to implement "clean up" code, like C++ does (in destructors). Often, logic flow is complex enough to require a resource to be released in multiple branches, and it's very hard to verify that it gets released exactly the number of times it should (no more and no less). C++ provides much better mechanisms, but it doesn't make you follow them. Any class that directly allocates more than one object dynamically probably has a memory leak, and how many people follow that guideline? How many people really code for strong exception safety? How many even know what that *means*?

I don't think the problem is that programmers are too lazy but that security really isn't that important. I think the problem is that vulnerabilities don't affect the people who release the code. Make commercial entities that release buggy code financially liable for their products' failures, and we'll see the quality increase astronomically.

Re:Seems reasonable

[bluefoxlucid]

Java can have very very very many restrictive security measures applied that makes it basically unable to do much from the byte code (deny filesystem access, network access, classloader access etc.), whereas unless you override the standard C calls with a preload, the C application is prone to all kinds of mistakes all over the place.

Using the built-in security API in Java is probably a lot easier than writing an SELinux policy; although potentially a distribution maintainer or software maintainer could package a policy, not that that means you should absolutely trust it. If you could break away from the security restrictions in Java and get file system access etc, however, this would be called "privilege elevation."

Java Script (in no way related to Java; it's a rename of Netscape LiveScript) is also inherantly inable to write to the file system etc; but Microsoft has a special context that lets Java Script do that if it's started there, called the "Local Machine Domain." Occasionally a java script manages to trick Internet Explorer into moving it in the LMD, and then can write to your hard drive. We could say the same thing about Java, if sun manages to bork up that bad one day; they've already had one exploit, but that's still a pretty good track record.

Overriding C calls with a preload still lets C applications check out the symbol table and replace the preloaded functions with their own, etc. You'd have to use something like SELinux or GrSecurity's ACL, or RSBAC if you can figure out how it works, to do that level of access control. Back to square 1, a really terrible bug in these would be really bad and you'd get around it; however, you'd need a really specific kernel bug to do it, and would probably wind up with SELinux not understanding a random address containing a "policy" (garbage data) and either kernel crash or just get denied everything.

Re:Seems reasonable

[blkmajik]

Bull.

What you are saying is the same thing that happened to the web. IE "fixes" a lot of errors in HTML and the programmers thought that because the renedered page was "correct" their code was good. Like it or not Netscape 4.x did one thing well, it told you if your table structures were correct because it didn't try to work around the bad code.

You suggestion of having the compiler fix the problem instead of the programmer becomming better is going down the same road. If I'm writing ANSI C code and want to port my program to multiple platforms all of the compilers on all platforms would have to support this "idiot programmer" feature.

I don't believe rewarding bad programming skills will benefit us long term. It is a people problem not a technological one. Don't throw technology at it, because in the long run it will make the people problem worse.

Re:Seems reasonable

Why is that whenever a technology is flawed or otherwise lacking, the blame is put on the end user?

If a technology can be used properly but it isn't then whose fault is it?

Security in languages like C is a known quantity: know your interfaces, know your data, know your synchronization, and verify. It requires work and discipline and those who choose not to do this are indeed lazy.

You also assume that eliminating these problems at the coding level will eliminate them entirely. Security is a process. Programmers who can't muster the ability to pay attention while coding have little chance of doing it at the design level where these kind of holes can also be introduced.

Re:Seems reasonable

[alan_dershowitz]

those who choose not to do this are indeed lazy.

I've met a lot less lazy programmers than I have time-strapped programmers. Every hour not spent managing mallocs and making sure you're not returning stack variables, or verifying that string tests are bounded or x y z you have to do to make sure you C program is safe, that's time you could spend being productive.

Making code safe is not "being productive". You are not meeting customer requirements by making your software secure--security is assumed. If you can use a language where you are not spending 20-40% of your time making it safe, you just got 20-40% more time to implement the stuff the software is actually supposed to do.

I have never in my life seen a customer requirement: "make sure all char array operations are bounded." My job as a programmer is to satisfy customer requirements, not bang rocks together to make sparks.

Re:Seems reasonable

[cpeterso]

On Linux, checking whether malloc() returned NULL is a waste of time. Because Linux overcommits memory and tries to allocate the backing pages lazily, malloc() might return a pointer to memory that is not backed by real pages. When your code eventually uses that memory, Linux now can't find enough pages, so your app crashes. malloc() returned a non-NULL pointer, but you were OOM anyways.

Re:Seems reasonable

[bluGill]

More than once I've seen someone take a gun, unload it, turn the safety on, then pull the trigger - the gun fired! In the first case the idiot didn't know how to use that gun, so he unloaded the chamber then loaded it from the magazine when he closed the chamber, then he misunderstood the safety and turned if off instead of on. The second case the guy was pretty sure something was wrong before he did this test. In both cases the safety mechanism was worthless, but fortunately both people were using good handling so there was no possibility of injury (despite not knowing how the one gun worked).

VMs are nice, but they can fail. Good programing practice will protect you from a failing VM.

Re:Seems reasonable

[bluefoxlucid]

You suggestion of having the compiler fix the problem instead of the programmer becomming better is going down the same road.

The article points out changes to the compiler and operating system that cause bugs in programs to force a crash, which is like Netscape refusing to render a page at all rather than rendering it incorrectly. Of course, Firefox behaves this way with XML; it gives you a line number and a statement and says, "I don't get this. You broke something. Fix it now." Then you go, "OH! Ok, I see what I did," because it tells you right where to look.

|| The increased restrictions tend to expose bugs rather spectacularly; once in a while a program will go from "acting weird sometimes" to simply hard-crashing when introduced into a secure environment. Not only does this force programmers to fix these bugs; but with the stack and heap protections, it even helps them along the way. -- From the article

. . . I kinda like it. It's better than things just wobbling around and then falling over at random, or half-working and corrupting your data.

Re:Seems reasonable

[heinousjay]

Have a looksee

Re:Seems reasonable

[p2sam]

Do you check printf calls as well?

No? You're fired.

Yes? You're a freak.

Good day.

Re:Seems reasonable

[Grab]

See http://slashdot.org/comments.pl?sid=164835&cid=137 57515

Re:Seems reasonable

So if printf truncating could lead to an error, I check it.

And do what? Use printf() again to print an error message? ;-)

Knowing there's an error is only useful if you have a way to handle it. If something that isn't supposed to happen does, what's the right thing to do?

It's a nice philosophical question, isn't it? Hint: Anything follows logically from a contradiction, so there *are* no right or wrong answers! :-)

It's the sort of thing that should be in specification documents, but typically isn't, because management doesn't like to think about fine details, and programmers don't know what management wants to assume happened.

What usually ends up happening is that the programmer guesses at what's appropriate, or just ignores the condition, since he's been assured it "won't happen". When it does happen, no one will remember that the programmer was lied to, they'll just remember that the application crashed. Management typically won't care to understand why the error happened; they'll just want it "fixed".

In short, error handling in and of itself isn't the crucial thing for a computer system; ensuring that there are no errors in the first place is much more important, and often more neglected. For example, there's no point in testing for a network outage error if your error handling is to send out a warning message by email. If you can't write to standard error, writing a message to standard error to complain about the first error isn't going to help.

You can't check for literally everything. At some point, your have to assume something works; your error handling code can't just keep calling itself in a loop, and you obviously can't write an error handler for each line of error handling code you write.

The best you can do is make reasonable assumptions, and handle the errors that you expect can reasonably occur. If something unexpected happens, well, tough. Try to fix the fallout and manage the mess, and always keep your resume up to date. As a programmer, you *will* get blamed for things that weren't really your fault; missing or flawed specifications, cost-cutting measures, disasterous "shortcuts", or anything that management doesn't want to take the heat for. Expect to be blamed for "deciding" to do things you were outright ordered to do, and don't expect logic or facts to get in the way of passionate argument. Always be ready to move on, and always do the best job you can, despite management.
--
AC

Re:Seems reasonable

[dodobh]

The problem that remains is that the bugs go up the stack. Now instead of a buffer overflow,your application is vulnerable to SQL injection, and XSS and your data is toast anyway.

Stupid troll.

[reynaert]

Yes, fancy tricks as PaX and ProPolice can turn remote root attacks into 'only' a denial of service (your daemon gets killed). That's definitely an improvement.

I'm no fan of Java, but at least it gives your program a chance to recover (exceptions and stuff).

Re:Stupid troll.

[thegrassyknowl]

I'm no fan of Java, but at least it gives your program a chance to recover (exceptions and stuff).

And C++ doesn't have exceptions and stuff? Java is just as insecure as C/C++. It's just insecure in different ways.

As others have said, most bugs and security flaws come from lazy programmers not doing the right thing.

I'd also like to see you run Java in a lightweight embedded DSP situation!

Re:Stupid troll.

[reynaert]

And C++ doesn't have exceptions and stuff? Java is just as insecure as C/C++. It's just insecure in different ways.

I'd like to see one of those kernel-based systems make a C++ program throw an exception. Well, I guess signalling SIGSEGV kind of counts.

As others have said, most bugs and security flaws come from lazy programmers not doing the right thing.

You say that as if doing proper manual memory management is easy. It's not: that has been sufficiently demonstrated over the past few decades. Since automatic memory management is possible and cheap, it stupid not to use it.

I'd also like to see you run Java in a lightweight embedded DSP situation!

While current Java environments don't optimise for speed (instead relying on fancy JVM's), there's no reason why you couldn't compile Java to efficient machine code.

Re:Stupid troll.

[bluefoxlucid]

I'd like to see one of those kernel-based systems make a C++ program throw an exception. Well, I guess signalling SIGSEGV kind of counts.

Segmentation fault isn't an exception. But to the heart of the issue, you wouldn't be able to recover. Your stack or heap would contain corrupted memory. In other words, it's like you have a map, and I set fire to it, burn up half of it and you put it out. Now at this point you either try to follow the half-burned map; or go home, get another one, start over. If you follow the half burned map you're going to be in a situation where you don't know where the hell you're going and, ignoring the fact that you have eyes and can plainly see cliffs and land mines, will probably do a strikingly good immitation of a lemming.

You say that as if doing proper manual memory management is easy. It's not: that has been sufficiently demonstrated over the past few decades.

No kidding. I wrote myself a reference counting library in C so I could do proper memory management without thinking.

Re:Stupid troll.

[Scott7477]

Agreed, agreed, agreed! Memory management is at the core of every useful program that ever has been or will be written. It absolutely should be automated and invisible to the programmer. Doing your own memory management while writing a program is like buying iron ore and coal and turning it into steel so you can build your own wheels for your car. It's a waste of effort.

Knowledge

[GerritHoll]

Isn't the best way to go to program in a language one is experienced in?

Re:Knowledge

I hear this argument a great deal when it comes to language discussions. A more common form of it is "Languages don't have bugs, programmers write bugs." This point does have some validity However, every programmer I have met is human, and makes mistakes. Even seasoned veterans make mistakes, particularly when overworked, tired, or just under the gun and forced to take shortcuts here and there "that will get fixed later." If you play with hot soldering irons all day, eventually you will get burned.

Imagine this argument being applied to the construction industry. "Who needs saws with safety switches on them?! Saws don't hurt people, people operating saws hurt themselves (or others)." And yeah if everyone followed safety procedures perfectly and never made mistakes no one would ever get hurt. But they do. Hence, I will always prefer the safer tool to the more dangerous one.

I far prefer C++ to Java, and I have programmed in both professionally. However, I really loved just never having to worry about pointers and their associated hacks in Java (by hacks I mean things like using pointer arithmetic tricks for efficiency). Sure things like Boost's smart pointers make this far far easier in C++ than the old fashioned way, but proper use of new and delete still lurk in my mind whenever I am programming.

Here's a hint..

[Improv]

People who can't spell words in the English language like "aggravate" might not be the best people to look for deep and insightful attacks on what everybody else agrees on. I'm not saying that having good spelling would make his point any more valid, but it should at least be a rule of thumb for those who can't bother to think about his point on their own (as the poster of this article can't).

To get more into it, yes, the C runtime is smaller than the Java runtime, and there is a certain trustworthiness in having your code small. However, languages like C where the basic type system requires a lot of care to avoid bugs starts you off considerably behind just having a large runtime. In C, it requires almost no thought at all to write insecure code, and to do some things securely requires chunks of wrapper code around most things involving IO layers, wrapper code that is not program logic and can have bugs. In higher-level languages, the user won't be writing that code -- the engineers at Sun will, and because that code gets exercised by the entire world, its bugs will be found and removed very quickly.

Of course, in both cases, we're not really talking about the language being secure, we're talking about how likely it is that, given equivalent tasks, people using the different languages will end up writing secure code. To weigh that, we all use rules of thumb based on what we know causes errors -- he invokes bulk of code, but doesn't think about how the used code in that bulk will need to be written anyway and will be reused by every Java programmer. As I said before, I think a caveat-emptor type system is another major factor to be considered. Other (generally obvious) rules of thumb that go against this guy are left as an exercise for the reader.

Re:Here's a hint..

[anthony_dipierro]

In C, it requires almost no thought at all to write insecure code, and to do some things securely requires chunks of wrapper code around most things involving IO layers, wrapper code that is not program logic and can have bugs. In higher-level languages, the user won't be writing that code -- the engineers at Sun will, and because that code gets exercised by the entire world, its bugs will be found and removed very quickly.

The source code to the Sun VM is closed source, isn't it? That right there tends to make it less secure. Yes, there are open source VMs out there, but they suffer from other problems including less widespread testing.

I don't know about you, but I'd trust gcc before I'd trust Sun's Java VM.

Re:Here's a hint..

[ChrisRijk]

The source code to Sun's JVM is available - it comes with the JDK as standard in fact. There are some license restrictions that mean it isn't Open Source (tm) compatible though. The main restrictions AFAIK are the compatability requirements - essentially, "thou shalt not embrace and extend" (with products anyway - you can mess around if you want with it internally).

Re:Here's a hint..

[anthony_dipierro]

Well, that answers that. I guess the two are fairly close to identical in terms of security.

Re:Here's a hint..

[cow-orker]

In C, it requires almost no thought at all to write insecure code

Well, this is true of any language. Just think of Perl: buffer overflows are impossible, since strings and arrays grow when needed. People still manage to write swaths of code with shell or SQL injection vulnerabilities, despite taint checking. Piling language features onto each other to make a factory for secure programs will always be an uphill battle. What is really needed are competent programmers (which are in pitifully short supply).

Therefore the real question is not whether a language is more secure or if this or that runtime is more likely to contain bugs itself. The only question is: "How much does this language help writing secure code?" but also: "How much does this language help writing correct code in a reasonable amount of time?"

Whenever it is clear how to write code the right way, but it takes herculean effort compared to the Q&D solution (for example: prevent code injection bugs by parsing, interpreting an AST and pretty printing instead of some regexes), it will not be done. Java is unfortunately not of much more help here than C, unless you happen to find a suitable library.

Functional languages are better, but as always, they are not even considered in passing. That was actually my gut reaction to the tag line of the article: "What moron stated the choice was between C and Java only?!"

Re:Here's a hint..

[Improv]

A few specific comments --

Although it's an uphill battle to make the language help programmers avoid insecure code, it's an uphill battle worth facing. Progress in doing so is important progress to make, even if it is very hard. Even very competent programmers sometimes make mistakes, and I'd wager they happen more often in languages that don't help them. Having good tools is always a good thing -- I, for example, find programming without vim and all my customizations to it to be extremely irritating.

As for regexes, it's possible for them to work well -- implementing a parser is often a bad idea. Regexes are easy to misunderstand, but when done right, they're really nice.

Personally, I see functional languages as toys, but if you see them as more, use 'em.

Re:Here's a hint..

[cow-orker]

You didn't get it, did you? It's not about regexes being *bad*, it's about regexes being *wrong* and by extension insecure, but the *right* solution, context free expressions or something exquivalent, is prohibitively expensive due to the B&D language chosen.

To make code secure, a language that makes Doing The Right Thing easy is needed, not a language that makes doing some specific wrong things hard or impossible. And that is wrong with Java, it doesn't make anything easy, it only eliminates wild pointers from C++. No better abstractions, no improved syntax. No sharp edges to cut yourself (or anything) with, either.

BTW, I don't care much that my pet language wasn't considered. But I *do* find it disturbing that only two (very similar) languages are looked at when there are dozens to choose from. That tells a lot about the sad state of the software industry.

Re:Here's a hint..

[Improv]

Regexes are *wrong*? What does that mean? How are they wrong? I can understand that you might not like them, but can you make the case for anything more?

Further, I would say that Java indeed makes a lot of things easy that are harder in C. It provides much more capable classes with a number of very useful operations on them. Also, strings don't suck, and collections are safer than arrays. Java makes memory management much simpler. If you look at Java and don't see any of these things, I think you've somehow missed out on a lot of things that C programmers (like me) can get from Java.

I understand your disappointment that only Java and C were considered. Frankly, although I love C and grew up on it, I don't think it should be considered for most things where it is used today -- it is a traditional choice, but given where Java has moved the industry, its conservativism has led to senility. Java draws on a lot of its good choices (and syntax), and that's why it's seen in many circles as the successor to C (and to a degree, C++, which IMO was largely a collection of mistakes). No other programming language is very close to how good Java is for general systems programming, at least partly because of the maturity of many of the ideas that have led to Java. Unfortunately, Sun screwed up in instability of the language spec a few times, which has hurt Java a lot, but it's still considered the best tool for most jobs. Things have been this way for a long time though -- for general purpose programming there has usually been one dominant language, a few other languages that are kind of near, the up-and coming, the obsolescent, and a number of toy and domain-specific languages. Before Java, C was dominant, and before C, Fortran. I think we've made progress with each transition. I might have hoped that things had gone another way (e.g. ObjC instead of Java), but things are looking pretty good now. Maybe Ruby will take the crown next.

Re:Hunh? Does Java even have gets()?

[galore]

This is a run-time check, not something that is checked statically by the type system. Though helpful, this behavior does not rely on Java being strongly typed.

Reverse Engineering

[extremescholar]

What about the fact that a java file can be de-compiled? There is software available that will let you decolpile/reverse engineer a java file back to the cource code! It's the ultimeate in open source, because it carries the source with it!

See the google...
http://www.google.com/search?hl=en&q=decompile+jav a

No, I think he's right

[Dan+Ost]

The reason he claims that the bugs are more likely to get
fixed is because in the hardened environment, these bugs
result in crashes rather than transient misbehavior. These
types of bugs will be much easier to detect and fix since
they will no longer be hard to reproduce.

Sounds reasonable to me. In my experience, no bug is hard
to find and fix if it is easy to reproduce.

Garbage Collection Misunderstood

[MobyDisk]

This more pertains to yesterday's article on performance, but it relates to Java in general.

I see lots of articles saying how garbage collection prevents memory leaks and provides security improvements. That is a slight misunderstanding: The automatic memory management is what makes it secure, not the garbage collection. The garbage collector is merely HOW the memory is freed. If Java eliminated the garbage collector and freed the memory immediately the language would be equally secure. What matters is that you don't have access to pointers.

For example, take Visual Basic 6: This language does not have garbage collection, but it is about as safe as Java. It frees memory/objects that aren't used, uses bounds checking, doesn't allow bad casts, and doesn't use pointers. The only time VB6 is a problem is when you call an outside library (which is the same problem you have in Java). So it isn't the garbage collector that matters.

Inherently, a language with access to pointers is always going to be less secure than a language that does not have them, and uses automatic memory management. None of the security enhancements to the compiler can change code that assigns a pointer to the wrong object and overwrites the memory for it. None of them can prevent a bad cast from screwing things up.

Re:Garbage Collection Misunderstood

[Peter+La+Casse]

Inherently, a language with access to pointers is always going to be less secure than a language that does not have them, and uses automatic memory management. None of the security enhancements to the compiler can change code that assigns a pointer to the wrong object and overwrites the memory for it. None of them can prevent a bad cast from screwing things up.

I see this error a lot, and it's slightly annoying. You're treating pointers as if they all behave like C-style pointers, which isn't correct.

Java does have pointers. It doesn't let you orphan memory in the same way that C does, and it restricts the operations that you can perform on pointers, and it doesn't even call them pointers, but they are, in fact, pointers (variables that store a memory location.)

Furthermore, it is possible for a language with pointers to prevent a bad cast from screwing things up: don't allow casting! Or limit it to non-bad cases (which is a pretty big limitation.)

valgrind rocks

[oo_waratah]

Stack protection really is the next big step and like ports from WIndows typically the difficulties is broken code that is just allowed. Stack protection is going to cost developers dearly and it is likely that it will be disabled if there is an option rather than paying the cost on the very software that needs it the most.

I have used valgrind on production code that has been working 8 years. I found multiple protections, uninitialised variables in this code. Anyone coding C and not using valgrind in the testing cycle is not using their head.

I switched to Perl because there were no memory allocation problems like this.

Re:valgrind rocks

I switched to Perl because there were no memory allocation problems like this.

The fact that you were using C to solve a problem that apparently could have been solved in Perl suggests a problem right there.

C has its uses when you have particular requirements.

Apples and ! Apples

[Twylite]

So now, which language is more secure? I still say C, for no other reason than because it's easier to make the system protect itself from broken C programs than broken JVMs or Java applets.

Lots of FUD and hand-waving here as the author compares the JVM to a C application, and implies that (1) the C runtime is bug-free and/or any C application can avoid C runtime bugs; and (2) all programmers can make their C programs more bug-free than a JVM.

A better comparison would be the C compiler, runtime and automated protection extensions versus the JVM, as those are the components of C and Java respectively that define the boundaries of what code written in the language can accomplish. Note in particular that a buggy C compiler can generate exploitable code, whereas a Java compiler cannot (because the JVM restricts what the code can do).

It must also be said that ultimately the JVM is a C program, so the system can protect itself just as much from a JVM as from any other C program.

Re:Apples and ! Apples

[bluefoxlucid]

Lots of FUD and hand-waving here as the author compares the JVM to a C application, and implies that (1) the C runtime is bug-free and/or any C application can avoid C runtime bugs; and (2) all programmers can make their C programs more bug-free than a JVM.

As opposed to Java fud and hand-waving, or .NET fud-- . . . ok so .NET doesn't really have an army of stormtroopers saying it's the next generation solution to everything, aside from microsoft mumbling something along those lines to itself once in a while.

It looks to me that the C runtime isn't necessarily bug free; but the author may have a point with it being much smaller than the Java platform. IIRC there was a book on programming bugs that claimed that professional programmers averaged 5-50 bugs per 1000 lines of code; compare the C runtime and libraries used in a C program to a platform supplying everything in the universe and running on top of the C runtime and a whole lot of other libraries and adding code to access those libraries indirectly, and you've just increased the potential number of bugs by. . . some value.

This doesn't mean you should immediately run from Java because it's buggy as hell and every program you ever wrote was a security hole or bug farm; but the chances of it are a bit higher. Remember, typically you can have 50 bugs lying around that in real life don't cause any problems unless you feed them some really, really obscure data.

Note in particular that a buggy C compiler can generate exploitable code, whereas a Java compiler cannot (because the JVM restricts what the code can do).

Wouldn't a buggy JVM that messes up on bounds checking still be able to generate buggy code? Or one that decrements a reference count in the garbage collectory too much, so it hits -1 and gets freed; then later bumps over that again and frees again. Double frees, buffer overflows.

A buggy C compiler can generate exploitable code too, or code that just plain can't run, like gcc-3.4 with -fssa. Or worse it can just spit out code that shreds your data and doesn't tell you, like with -O1 against some code in gcc 3.0 causing m=m+1 to incriment m by something other than 1 (which really borked out my debugging sessions a while back).

Re:Apples and ! Apples

[karlm]

Wouldn't a buggy JVM that messes up on bounds checking still be able to generate buggy code? Or one that decrements a reference count in the garbage collectory too much, so it hits -1 and gets freed; then later bumps over that again and frees again. Double frees, buffer overflows.

I think you misunderstand the grandparent. The grandparent's point is that the C "Error kernel" includes the compiler, while for the most part the Java class loader will catch Java compiler bugs.

The array bounds checking in most JVMs is implemented in probably only one place, whereas bounds checking must be done every time an array is accessed in C (counting a formal proof that an index is within bounds as an optimized bounds check). How many lines of code must be audited for a formal proof that none of your 4 million lines of Java code will smash the stack? Now, what about the same question for your 4 million lines of C code?

You have the same flawed logic in your example about double-frees. The point is that the number of lines of code that must be audited in order to avoid the most common and costly bugs is minimized. You only need to audit the garbage collector in order to ensure that Java programs don't have double-frees.

Also, it's my understanding that most JVMs don't use reference counting.

Re:Apples and ! Apples

[bluefoxlucid]

On the topic of smashing the stack in C, it is implemented in exactly one place that a stack smash in any C function results in the program outputting the name of the function whose stack frame holds the physical array, then terminating. This is close but not exactly bounds checking. It is also a specific compiler extension that's finally being merged with gcc.

The article was about C programs in such an environment, which also supplied a secure heap manager; data/code separation; and address space randomization. There have been a lot of replies that respond to Vanilla C vs Java, which is off topic for the article.

yes

[jilles]

You can't prevent bad/malicious programming of course but you can prevent the vast majority of bugs that are typically exploited by hackers, like buffer overflows or dangling pointers. Java is immune to both these issues. Therefore, Java is a much more secure environment to program in and therefore the use of C/C++ is nearly non existent in the web application domain.

Infrastructure is a different matter. That too will become the domain of java like languages in the future but for the moment we will need to continue to patch the endless stream of buffer overflow issues in such fine products as apache, iis, bind, openssh, etc. These packages have two things in common: 1) they are written in c/c++ and 2) despite years of security audits and bug fixing, new security issues directly related to C's inherent insecureness continue to be found in them on a regular basis.

True, Java depends on native stuff. In fact most known java exploits are indirectly exploits of bugs in this native stuff. The rest consists of genuine design flaws in the program at hand. However, exploiting bugs in native code from Java is actually quite hard since it involves making a lot of assumptions to the run-time memory usage and garbage collecting. Consequently, there have been relatively few incidents of Java bugs being actually exploited.

In short, if security is important to you, don't even think about using C. Even if you (the programmer) do your work properly, there is no guarantee the developer of the libraries you depend on did. There will no doubt be some in this thread to point out that if performance is important, you should choose C. IMHO these people overrate performance and underrate other important quality attributes like maintainability, security, flexibility, reusability. But who am I to judge these folks :-). Besides, fixing performance issues in Java is not that hard, if you know what you are doing. But then if you didn't, you shouldn't be trusted with C either.

Here's the problem

[kinglink]

This article deals with 3 compilers or systems for C++, NOT C++ in general. sorry, gcc is a C++ compiler, not c++ itself. If I use another compiler those issues will return. And many people do use other systems...

C++ CAN be made more secure of course but it's the programmer's job not the compiler's job to keep it secure. You want to compare security? You need to start with the core C++ stuff and the core java stuff, the stuff that is in every version of it. This of course gives Java the advantage because sun makes it very standard (and has to be) and c++ has many versions (we all know Microsoft's attempt to take C++ in their direction). Then You take GCC, and the Java Compiler head to head, if you have stuff before gcc 4.1 you're weaker on gcc, but it appears his point is that with 4.1 they have made gcc stronger. Then take notable IDEs for both and compare them (Visual Studio vs Eclipse would be the two I use) and see what they do extra, if your using visual studio, Java will likely run the ball on that play. But fact that c++ by itself is less secure than java. The extras that one compiler adds doesn't matter if not every system uses that compiler. Java at least keeps very strict guidelines on their compilers so it does make it a bit more standardized.

Now with a good programmer/compiler C++ is as secure if not more so than java, but the fact is the language has an inherent security issue. In that issue alone it means that a good programmer is going to take time to fix C++ issues rather than relying on inherent java stuff. That doesn't mean it's not good in other ways, but for security you need to rely on the programmer a bit more than java.

Of course this all being said a good programmer can make C++ more secure, and use some of these things that can create the security problems in other ways to write better, faster, or more interesting code. But as always it's a matter of choice the problem with the article is he's pointing out only 3 different versions of c++ that have had upgrades, but in corporate life many people have people use Microsoft Visual studio (hell we use 6, because .net isn't worth the pain, though we have the option. Though 6 or .net I don't believe use any "auto" update feature, just makes them very hard to keep "current") People will always use outdated compilers because they are faster to use that way, and as such we'll always have issues.

So in the long run, C++ can try to catch up but because of the unstandardized nature of C++, and the fact that Java has had the security from the begining we'll always have a difference.

Reply from a language-based security zealot...

[Tom7]

First, I am happy to see these stackguard-like systems be integrated into C compilers and runtimes. I think they can go a long way towards solving common security problems, and I am dumbfounded that distributions aren't clamoring to have these installed by default. The only explanation I can think of is this bizarre obsession with performance in the Linux world, as if a few percentage points of performance are worth living in constant fear of being hacked. However, it's not really fair to say that C "has" these security features, since hardly any of the C programs that are out there are running with them enabled. (On the other hand, basically every Java program runs with array bounds checks!) The day that my linux system comes pre-installed with OpenSSH running with heap and stack protection, I will happily change my tune. Unfortunately I think that day is sadly a lot further off then the author seems to suggest.

I expected to be really angered by this article, but I actually thought it was pretty reasonable. Basically his argument comes down to this: given two systems with indistinguishable security features, the one with the smaller trusted computing base is more trustworthy. I totally agree, and it's clear that the Java+javac+JVM+OS TCB is larger than C+GCC+CRT+Proguard+PaX+OS. What I don't agree with is that these languages provide equivalent security features. For one thing, unless I am mistaken, C running with these protections does not provide array bounds checking, unless the out-of-bounds writes happen to hit certain places identified as dangerous. Although this unarguably closes a lot of common attack vectors, it is not the same kind of automatic and absolute protection that a safe language whose semantics includes array bounds checking offers. Any time an attacker can compromise your data structures in an unexpected way, he is going to have more access than you intended. Language-based memory protection is a security feature that C does not offer, even extended with these systems.

The point I really want to make, though, is that the author presents a false dichotomy: Choose either the lean dangerous language C with some OS-style protections, or choose the bloated safe language Java with a lot of stuff you have to trust. Fortunately, there is a middle ground that I think provides better security than both; any of the compiled safe languages. A great example is Standard ML; its performance is somewhere between C and C++, it compiles to native code (plus a modest runtime, implementing for instance garbage collection; surely smaller than PaX and Proguard), and has none of the "undefined behavior" that causes security problems in C. Since it's also a higher-level language, programmers get the benefit of writing shorter and more concise code, which gives them more time to both look for high-level security problems that can never be caught by a program, and to optimize the algorithms in their code for better performance. (For a data point: my FTP server written in SML is 2200 lines; wu_ftpd is just under 20,000!) There is no reason why safe languages need a "platform" like the JVM or Mono or .NET. SML compilers simply compile in the runtime checks as regular old machine instructions, and this code is so simple that it's pretty unlikely that they would get it wrong. (About as likely as a particular aspect of your C compiler having a bug, basically.)

So, it's great to make C more secure by adding features to its runtime. I really hope this happens soon so that I don't need to patch my linux box so often. But the Java methodology is not the only alternative. Lightweight compiled languages with built in language security mechanisms do better than both.

Re:Reply from a language-based security zealot...

[bluefoxlucid]

For one thing, unless I am mistaken, C running with these protections does not provide array bounds checking, unless the out-of-bounds writes happen to hit certain places identified as dangerous.

ProPolice rearranges local arrays to float character arrays to the top, other arrays below those, then structures, basic types, and pointers. An overflow in an array can screw with another array; it can't screw with the return pointer or stack frame pointer. That is the exact extent of the protection, no more, no less.

The heap protections probably use guard pages around each array, so they're micro-separated.

Objective-C provides a nice light-weight runtime with object orientation, and a much much much smaller language definition than C++ (do you know ALL of the C++ syntax tricks?). Some of the objects are arrays that can act bounds checked; and they're reference counted too, which is nice. Of course there's a little weight added, not much; and if you mess up the contents of your array objects, the can wind up not being properly terminated. Very nice language all around though.

I'd love to see an effective C reference counting library. Bounds checking in C always takes some measure of work; if you slap down an array, you better know how big it is, either statically or based on a variable. If you know how big it is then there's no excuse for screwing it up. People do though, that's why you need stuff like ProPolice and PHKmalloc

Vast majority of Java does not rely on native code

[Hard_Code]

I can't reply on the blog so I'll reply here:

I'd have to agree that the notion that doing "useful" things in Java requires that "a vast amount of a complex java application's base code is glue to external C and C++ libraries" is ridiculous. Eclipse is the /exception/ to the rule. Besides Eclipse and Azureus, I don't know of ANY other Java desktop applications that use SWT. Those other 99% are most likely using Swing. That is not to mention the server side, in which it is even more ridiculous to suggest a reliance on native code. The Java middleware market is huge and there are some really large, complex applications, none of which rely on native code (sure, some of them /offer/ some extra integration, but you will be laughed out of your marketing pitch if you tell us your Java software has native dependencies).

Re:Vast majority of Java does not rely on native c

[Zeneris]

I had a problem with Azureus crashing the OS, it wasn't the Jave it was some brain damaged swt OpenGL JNI code in a plugin, because the idiots insisted on unsafe swt code instead of safe fast well tested Java 3D code, which uses the faster Direct 3D API on windows! So I will never allow that POS swt code and plugin on my PC again!

Re:Hunh? Does Java even have gets()?

the exploits in `c`

"C" (capitalized, and not surrounded by quotes).

It's all about ease of auditing

[karlm]

The issue is the number of lines of code (assuming rougly equivalent complexity of lines of code) that must be audited in order to be reasonably sure that your code is free from a certain type of bug. (In some domains, "resonably sure" means "formally proven with full documentation" for certain types of bugs.)

With Java, some of the most complicated and historically bug-ridden code is encapsulated in the JVM and re-used by every single program, rather than spread throughout the code, doomed to be reimplemented by every software intern. It's about isolating the parts that people historically are bad at programming, auditing them, and heavily re-using the highly audited implementations.

If you don't trust your virtual machine and/or runtime, then the solution is to use a FOSS (or at least source-available) VM/runtime and audit the security critical portions yourself. On the other hand, very few people would fault you for using the JVM and Java runtime from the EAL-4 version of Solaris (if it contains a JVM and Java runtime... I'm not sure on that part) and just assuming that a Department of Defense EAL-4 audit is more rigorous that the audit you would perform yourself.

C and C++ use manual array bounds checking. Every line of code that uses arrays or pointers must be audited in order to assure reads and writes are in bounds. Once you've audited the (very few) lines of code in the bytecode interpreter and the JIT responsible for inserting bounds checks, you can be sure that out-of-bounds reads and writes will fail in all of your Java code.

C and C++ are weakly statically typed languages. In other words, you can completely bend the type systems by upcasting to (void *) and then perform uchecked downcasts. After you've audited the class loader, you can be sure your Java code is free from such manglings of the type system. The same sort of assurances in C/C++ require auditing all of your code. The author of TFA says that Java loses the strict data-code seperation of PAX. However, the JVMs strict enforcement of type safey already creates strict data-code seperation.

C and C++ use manual allocation and freeing of memory. In very complicated cases, engineers may have no choice but to use third-party automatic memory managers, or implement their own reference counting or other memory management systems. Proving that code does not perform double-frees can be very complicated. On the other hand, with Java code, only an audit of the JVM's garbage collector is required. (Depending on the exact type of garbage collector used, some other code may need to be audited to ensure that some of the representational invariants of the internal object representation are not violated.)