Java or C: Is One More Secure?

bluefoxlucid writes "Security has been a hot topic lately, and we've seen everything from changes to how memory is managed to compiler hardening to "secure" programming languages. Java is considered more secure than C in general; but this guy seems to disagree, and thinks hardening the system itself is the way to go. Are we really approaching the problem the wrong way, or is he just insane?"

C stack protection might help

[Moxon]

Apparently there will be a port of IBMs stack protector in GCC 4.1. Might be interesting to see how that changes matters.

Not applicable

[RingDev]

By design C allows you to access memory at your own descretion. I beleive Java does also (It's been a while), which means neither is a 'secure' programing language. This would be like asking if Fords or Chevys are safer because one uses tig welding and the other uses mig welding. It completely matters on how the code is used. You can write your own memory editor in C (and I beleive Java). Which would make them fundamentally unsecure. C has the advantage that you have to write your own code, so you can make sure it is bug and security flaw free (cha right, and monkeys might fly from my ass!) where as Java comes with libraries. No need to recreate the string. Which saves you tons of dev time, but now you depend on someone else's code review. With that in mind, I'd say Java has a slight edge, just because more people are testing the Java libraries then your custom made objects.

-Rick

Re:Not applicable

[MaggieL]

By design C allows you to access memory at your own descretion. I beleive Java does also (It's been a while)

Sounds like it's not so much a matter of how *long* it's been since you had the one course in Java you were required to take to graduate, but rather how much attention you paid while you were there.

Re:Not applicable

[lexarius]

Except that you can't do pointer math in Java. Java references are opaque and cannot be manipulated.

Re:Not applicable

[MaggieL]

It's been years, and I can't remember what specific limitations there are.

Then maybe you should consider posting only about things you actually do remeber. The set of languages that can be used for malicious resaons includes English.

Re:Not applicable

[MaggieL]

Ignorance-based relativism doesn't really further the discussion. It's really hard for you to say anything of merit about something you don't understand.

In point of fact Java architecture contributes significantly to making it easier to write secure applications (as it also improves reliability); hand-waving that "bad stuff can happen in either language" is semantically null.

You *can* crash *any* car, but, by design, some are clearly safer than others.

Poor article

[ChrisRijk]

The author points out there's some tools and run-time environment features you could use to help secure C/C++ binaries. Nothing new there. Then based on some FUD and hand-waving arguments he predicts that with all these extra bits that C can be made more secure than standard Java.

The thing is though, C is still insecure as standard, while Java is still secure by design (and has shown to be in practice). Not that there's an idiot proof general purpose programing language/environment out there - being "secure by design" doesn't make something 100% secure.

He is insane.

[dascandy]

TFA talks about C being just as secure with protection bits, claiming that use of stack-protection stuff is going to increase programmer and company awareness and willingness to fix bugs. They can fix the bugs, it's going to make it easier, but the inverse is what will happen. Instead of better software coming out, less time is spent on fixing that kind of bugs "since the protector will catch it anyway". Why bother fixing something that doesn't crash the program?

On the other hand, if you convert all these soft errors to hard errors (instead of a program doing something softly off-balance to a rigorous crash) they'll be fixed faster. Yet still, just teach the programmers to program.

Oh, and please do give all books about programming you have left to EA. They appear to be hiring kids between 12 and 16 since they're cheaper, judging by the quality of their software. I can't even run NFS3 in opengl mode since my video card isn't supported... no, the pre-pre-pre-pre-pre-predecessor was.

Seems reasonable

[Grab]

The major source of security bugs in C and C++ is lazy programmers.

Our company has an in-house rule - "if it returns an error status, you check it". Why? Because most really nasty bugs arise from failure to check this. If you're lucky, this will just result in unexpected crashes. If you're unlucky, you get buffer overruns and remote code execution.

Why do programmers not check this? I'm convinced it comes down to how you're taught. I went through a good dozen C and C++ tutorials when I was learning them. I've been through a few more since, teaching other people. And I've *never* seen a textbook that includes a check on the results of a malloc() call being NULL. Yes I know the argument is "it'll make the examples harder to read". That's a fair point, in a hello-world program. But by the time you get to using malloc(), you should know enough to handle a little complexity. The books just don't cover it though. Not only do they simplify the examples, but they don't mention that they're simplifying. As a result, it's an issue that too many coders don't realise exists.

If coders get some good mentors at work, to show them how this *should* be done, then fine. But I don't think that happens either - code review is not a way of life for most companies. So they just go their merry way until their code falls over in a heap, and then wonder what to do about it.

Python is generally quicker to write than Java, and Java is generally quicker to write than C++, and C++ is generally quicker to write than C, simply because each step along the line does most of that work for you. But that generally comes at the cost of increased overhead (code size, execution time or both). And even then it's worth knowing what's happening underneath, because if you don't then it *will* bite you sometime. Neither of these is more secure than the other though, assuming the coder knows what they're doing.

Grab.

Re:Seems reasonable

[node+3]

The major source of security bugs in C and C++ is lazy programmers.

Why is that whenever a technology is flawed or otherwise lacking, the blame is put on the end user?

It makes me think that in a debate over the merits of putting a safety on a gun, these same people would say it makes the gun unnecessarily complex, expensive, prone to failure and just plain gets in the way when you really, really need that extra bit of performance, and besides, anyone who accidentally shoots themselves (or someone else) with a gun is an idiot in the first place.

The fact is that there is a security issue which *can* be fixed by each individual programmer, which both reality and the normal distribution curve demonstrate won't be universal, or can be fixed by the compiler, which will work 100% of the time that option is used (assuming the compiler implements the feature properly).

So, given the security issue exists, which solution is more likely to take hold: better (and more time consuming) programming practices will spread 'cross the land, or a compiler feature will fix the problem across the board?

Sure, it would be nice if programmers (and everyone, really) did their jobs "better", but it's foolish to expect it. It's better to fix the system itself because not only will it eliminate the problem, it will save the programmer from an unnecessary tedium, giving them more time to devote to actual features and other improvements.

Re:Seems reasonable

[laptop006]

So you check the return value from printf?

From the man page:
These functions return the number of characters printed (not including the trailing `\0' used to end output to strings). snprintf and vsnprintf do not write more than size bytes (including the trailing '\0'), and return -1 if the output was truncated due to this limit. (Thus until glibc 2.0.6. Since glibc 2.1 these functions follow the C99 standard and return the number of characters (excluding the trailing '\0') which would have been written to the final string if enough space had been available.)

Re:Seems reasonable

[moro_666]

i agree, each language is as secure as the developer coding style is. java is forcing on the check of error conditions with exceptions, you need the try{}catch(){} blocks, so does python. but C doesnt really care if you even check the return value of your malloc (this probably the most common bug around :D). C leaves a lot up to the programmer (Java arrays always know their length by themselves for example).

For an average young programmer, making mistakes in C is alot easier than to do mistakes in Java. But this still doesnt make java/python/ really secure, the virtual machine executing the code can still make mistakes.

If you want to have a secore application use common sense and good planning with enough foresight. I guess that more than 50% of all the bugs come from dirty add-ons and quick-hacks to make smth work. Stuff that is written in a rush and without long planning, often backfires, and sometimes in places where none notices it until it's too late.

The author of TFA howeves is totally incompetent on the security manager theme as it seems. Java can have very very very many restrictive security measures applied that makes it basically unable to do much from the byte code (deny filesystem access, network access, classloader access etc.), whereas unless you override the standard C calls with a preload, the C application is prone to all kinds of mistakes all over the place. If in doubt, check the java security api before "bashing" back on this one.

Btw. has slashdot really nothing better to do that to publish these bashing articles like this ? Java and C aren't really comparable in very very many ways. It's a lot better than comparing php and java ofcourse, but still, it's an unfair comparisment. C can do stuff that java can't do (interrupts to devices, all kind of low-level stuff), java can do stuff that C can't do (execute the same bytecode on different architectures and machines and operating systems). Nobody really wants to implement a big banking website in C and nobody wants to write a kernel in Java. The fact that poker and solitaire are both cardgames really gives us no opportunity to compare them just because they both use the same set of cards.

Knowledge

[GerritHoll]

Isn't the best way to go to program in a language one is experienced in?

Here's a hint..

[Improv]

People who can't spell words in the English language like "aggravate" might not be the best people to look for deep and insightful attacks on what everybody else agrees on. I'm not saying that having good spelling would make his point any more valid, but it should at least be a rule of thumb for those who can't bother to think about his point on their own (as the poster of this article can't).

To get more into it, yes, the C runtime is smaller than the Java runtime, and there is a certain trustworthiness in having your code small. However, languages like C where the basic type system requires a lot of care to avoid bugs starts you off considerably behind just having a large runtime. In C, it requires almost no thought at all to write insecure code, and to do some things securely requires chunks of wrapper code around most things involving IO layers, wrapper code that is not program logic and can have bugs. In higher-level languages, the user won't be writing that code -- the engineers at Sun will, and because that code gets exercised by the entire world, its bugs will be found and removed very quickly.

Of course, in both cases, we're not really talking about the language being secure, we're talking about how likely it is that, given equivalent tasks, people using the different languages will end up writing secure code. To weigh that, we all use rules of thumb based on what we know causes errors -- he invokes bulk of code, but doesn't think about how the used code in that bulk will need to be written anyway and will be reused by every Java programmer. As I said before, I think a caveat-emptor type system is another major factor to be considered. Other (generally obvious) rules of thumb that go against this guy are left as an exercise for the reader.

Re:Stupid troll.

[reynaert]

And C++ doesn't have exceptions and stuff? Java is just as insecure as C/C++. It's just insecure in different ways.

I'd like to see one of those kernel-based systems make a C++ program throw an exception. Well, I guess signalling SIGSEGV kind of counts.

As others have said, most bugs and security flaws come from lazy programmers not doing the right thing.

You say that as if doing proper manual memory management is easy. It's not: that has been sufficiently demonstrated over the past few decades. Since automatic memory management is possible and cheap, it stupid not to use it.

I'd also like to see you run Java in a lightweight embedded DSP situation!

While current Java environments don't optimise for speed (instead relying on fancy JVM's), there's no reason why you couldn't compile Java to efficient machine code.

Garbage Collection Misunderstood

[MobyDisk]

This more pertains to yesterday's article on performance, but it relates to Java in general.

I see lots of articles saying how garbage collection prevents memory leaks and provides security improvements. That is a slight misunderstanding: The automatic memory management is what makes it secure, not the garbage collection. The garbage collector is merely HOW the memory is freed. If Java eliminated the garbage collector and freed the memory immediately the language would be equally secure. What matters is that you don't have access to pointers.

For example, take Visual Basic 6: This language does not have garbage collection, but it is about as safe as Java. It frees memory/objects that aren't used, uses bounds checking, doesn't allow bad casts, and doesn't use pointers. The only time VB6 is a problem is when you call an outside library (which is the same problem you have in Java). So it isn't the garbage collector that matters.

Inherently, a language with access to pointers is always going to be less secure than a language that does not have them, and uses automatic memory management. None of the security enhancements to the compiler can change code that assigns a pointer to the wrong object and overwrites the memory for it. None of them can prevent a bad cast from screwing things up.

valgrind rocks

[oo_waratah]

Stack protection really is the next big step and like ports from WIndows typically the difficulties is broken code that is just allowed. Stack protection is going to cost developers dearly and it is likely that it will be disabled if there is an option rather than paying the cost on the very software that needs it the most.

I have used valgrind on production code that has been working 8 years. I found multiple protections, uninitialised variables in this code. Anyone coding C and not using valgrind in the testing cycle is not using their head.

I switched to Perl because there were no memory allocation problems like this.