undefined | Better HN

0 pointsDed7xSEoPKYNsDd11y ago0 comments

> We only have to look at all the patches for java to see that it hasn't been secure.

All those big security issues aren't in the Java language, they are in the JVM running untrusted Java byte code. Not to say that situation isn't bad, but you can't compare it to C++ because nobody ever thought running untrusted C++ code without some other sandboxing was a good idea.

That aside, memory safety is great for security. Of course there are 1000 other things that are important, too, and so I'd trust a C program written by a security expert much more then the same program written by someone who thinks his program is secure because he used Java. But I'd feel even better if the security expert used a memory-safe language because I am certain that all C programs above a certain size are vulnerable to memory attacks.

0 comments

7 comments · 1 top-level

AnthonyMouse11y ago· 6 in thread

> Not to say that situation isn't bad, but you can't compare it to C++ because nobody ever thought running untrusted C++ code without some other sandboxing was a good idea.

This is actually kind of a point for the other side. You can sandbox code regardless of what language it's written in. Maybe what we need is not better languages but better sandboxes. Even when code is "trusted", if the developer knows it doesn't need to e.g. write to the filesystem or bind any sockets then it should never do those things and if it does the OS should deny access if not kill it immediately.

Already__Taken11y ago

Isn't this exactly what SELinux does but nobody bothers to configure the rules?

jiffytick11y ago

But sandboxing does nothing to protect information if the information resides in the sandbox (sandboxing wouldn't have stopped heartbleed).

Rust and friends would aren't going to make all securty issues go away, just as sandboxing would not. There is no one true silver bullet in securty, at least not yet.

Ded7xSEoPKYNsDdOP11y ago

> This is actually kind of a point for the other side.

I wanted to move the goalpost from "Java is insecure" to "the Java sandbox is insecure". I completely agree with the second statement, so I don't think I made a point for any other side.

trippy_biscuits11y ago

You made the point that I was trying to make: implementations are not secure. A programming language can follow a philosophy but implementations never quite line up with the theory. We only use implementations of the theory and experience shows that implementations all have vulnerabilities.

1 more reply

xorcist11y ago

True, and a malfunctioning sandbox is worse than useless.

People tend to base security on them. Google did in their AppEngine cloud, but they put a lot of engineering resources and defence-in-depth behind it.

Padding11y ago

> a malfunctioning sandbox is worse than useless

Are there any sandboxes in existence which are definitely not worse than useless?

1 more reply

j / k navigate · click thread line to collapse

0 comments

7 comments · 1 top-level

AnthonyMouse11y ago· 6 in thread

> Not to say that situation isn't bad, but you can't compare it to C++ because nobody ever thought running untrusted C++ code without some other sandboxing was a good idea.

Already__Taken11y ago

Isn't this exactly what SELinux does but nobody bothers to configure the rules?

jiffytick11y ago

But sandboxing does nothing to protect information if the information resides in the sandbox (sandboxing wouldn't have stopped heartbleed).

Rust and friends would aren't going to make all securty issues go away, just as sandboxing would not. There is no one true silver bullet in securty, at least not yet.

Ded7xSEoPKYNsDdOP11y ago

> This is actually kind of a point for the other side.

I wanted to move the goalpost from "Java is insecure" to "the Java sandbox is insecure". I completely agree with the second statement, so I don't think I made a point for any other side.

trippy_biscuits11y ago

1 more reply

xorcist11y ago

True, and a malfunctioning sandbox is worse than useless.

People tend to base security on them. Google did in their AppEngine cloud, but they put a lot of engineering resources and defence-in-depth behind it.

Padding11y ago

> a malfunctioning sandbox is worse than useless

Are there any sandboxes in existence which are definitely not worse than useless?

1 more reply

j / k navigate · click thread line to collapse