Wednesday, October 12, 2005

Java v. C continued

Looks like I got slashdotted on that one. I wasn't trying to particularly bash Java, more the concept of one language being "secure" over another. Java just makes a good example of a language people believe will solve all their problems for them.

With the responses I've seen both here and on slashdot, I feel I should make a follow-up post. I'll point out a few interesting things that have arisen, and let the wolves at it again.

The major thing I'd like to point out is that, especially on Slashdot, most of the replies seemed to argue from the point of vanilla C on a vanilla system versus Java. This may partly be my fault for using Java as a major target in the argument; but I did discuss vanilla language C programs using a hardened compiler on a hardened system. This was my argument, and I'd appreciate it if people would take time to comprehend the context before replying half-assed to some other similar but distinctly different argument. Once again, the blog was about C compiled using a hardened compiler, run in a hardened operating system environment.

Another interesting point was that certain attacks are still possible in Java. These include SQL injection and cross site scripting, something not inherantly C; although C programs could certainly use SQL libraries or script language parsers that would be vulnerable. Script languages also come to mind, immune to buffer overflows but rabidly vulnerable to XSS; efforts like Hardened PHP work to reduce the risks here.

One major argument which kept resurfacing was that C is insecure because of pointer math and explicit memory management. I'd like to restate here that the environments discussed minimize the possible damage of bad pointer use; you can't modify existing code as one comment alluded to, and you can't execute data such as the stack or heap. The address space layout randomization makes sure that attackers who can control pointers and such at least can't figure out where to point them because everything moves around every time the program is run.

On the same topic, what's so hard about manually managing memory? You can create functions or, if you fancy C++ or Objective-C, classes to manage your linked lists and memory objects. Calling these will abstract the memory management from most of your code. I guess in something that abstracts direct memory management from you, you'd either do the same thing minus malloc() and free() calls; or just haphazardly write the same 2-3 lines of allocation code everywhere, which is probably really a bad thing anyway for maintainability in the more significant cases.

In either case I've never seen any reason why it's not clear when to free() memory, unless you somehow made it behave like a relational database with lots of concurrent areas of code somehow accessing it at the same time in unrelated ways. Typically though I'd think that you'd have some reason to remove an object; and at that time, destroy all resources such as threads that drive the object, and free the object. I guess it's possible if you searched an object out and are working on it in a separate thread, but I can't think of a practical application for this.

At any rate the blog wasn't on programming symantics like explicit memory management; it was on security. I just felt like going off on a tangent to ponder the quandary of why people have trouble with memory management. Pehraps a light weight reference counting library would help; I still have an aversion to garbage collectors because I worry that they may wander the heap back and forth (this is how Boehm was described to me) and thus in times of high memory usage could cause swap thrashing if used on a large scale.

7 Comments:

Blogger wow power leveling said...

Why was there no follow on bankruptcy then? The bailout of AIG FP went to (wow power leveling) hedge funds that bound credit swaps on Lehman failing or others betting on rating (wow power leveling) declines. AIG has drained over 100 billion from the government. Which had to go to those who bet on failures and downgrades. Many of whom (power leveling)were hedge funds. I-banks that had offsetting swaps needed the money from the AIG bailout or they would have been caught. Its an (wow powerleveling) insiders game and it takes just a little bit too much time for most people to think (wow gold) through where the AIG 100 billion bailout money went to, hedge funds and players, many of whom hire from the top ranks of DOJ, Fed, Treasury, CAOBO
wow goldwow goldwow goldwow gold CAOBO

9:49 PM  
Blogger ally said...

MBT will not only change,MBT boots,the way you use your MTB Shoes,What are the benefits?christian dior,Free shipping and free return shippingdior shoes,on all diorIncluded with each pair ofdior handbags,an instructional DVDWhat is Dior?dior sunglasses,look at another good paoduct such as Dior totesDo not worryThe urge to buy these goodsnew balancerevolutionary fitness aid from Swiss Masai,new balance shoes,which may help reduce cellulite andnew balance outlet,transforms flat hard artificial surfaces Puma Shoes, with top quality and cheap price. puma outlet,innovative sole design includes thePuma Sneaker,Here you can buy wide rangewholesale cl high heel sandalsquality and cheap car GPS navigation systemsMoncler,Very Cool, Comfortable and lightmoncler jacketsoriginal packing you can rest assured.moncler coatsYou might say that thediscount moncler vestNo one ever thought bothmoncler outlet,As with everything that comes fmonmoncler t-shirtThe new store has been decorated.north faceWe are offering you a wide range ofnorth face outletSome color combinations seem to getnorthfaceBut within the same community north face jacketsbecause it features just the right amount of north face coats,A little of these are given below.ugg bootswas a very well-known French fashionable boot,cheap ugg bootsbecause of the wisdom featuresdiscount ugg bootswhich you are buying is uniqueclassic ugg bootsthey obtain materials from domestic suppliers ugg classic tall boots,A stroll around the park with the GHD IV Salon Styler,We are offering you coach outlet,our store has been decorated coach handbags,Nicecoach totes

3:19 AM  
Blogger office said...

The Tax Return Crack-Up<4>
Realizing he might have dug himself in there,Microsoft Office 2010the general emphasized that Office 2010he had spent some time as a junior Office 2007officer working "very closely Microsoft Officewith the Israeli air force" and that heMicrosoft Office 2007had found that "more cosmopolitan,Office 2007 key liberal version of the Israeli population" Office 2007 downloadto be just chock full Office 2007 Professionalof that sort of "goodwill" necessary Windows 7to give a bunch of land back Microsoft outlook 2010to the Palestinians.

4:02 AM  
Blogger escort said...

Awesome blog Adam!! deneme linki I saw you all in Buffalo and the show was incredible, turkey hotels the best I've ever seen and I can't wait to see the show again in Rochester! It's so great to hear you're having a good time. escort bayanlar met you in Cleveland and you seemed so escort istanbul If things go my way, I'll be able to catch up with chat siteleri toptan mallar satış sitesi toptan mallar deneme ist escorts

derteg deneme istanbul escort

9:22 PM  
Blogger joseph reynolds said...

Imagine that the WoW Gold has been run out when you are playing in full swing.This must be the worst thing ever happened to you. At this moment, the instant way to buy cheap World of Warcraft Gold is at GamesWorth. Our safe and fast delivery has won us a worldwide reputation.

1:24 AM  
Blogger hường lê said...

Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article.

Discover our website bounty of free online games now!
Our website has the biggest collection of free online games. Totally new games are added every day!

age of war 2
gold Miner 2
unfair Mario 2
cubefield 2
tanki Online 2



5:16 AM  
Blogger Alice Denny said...

The blog or and best that is extremely useful to keep I can share the ideas. Age Of War 2
Big Farm | Slitherio | Tank Trouble
Of the future as this is really what I was looking for, I am very comfortable and pleased to come here. Thank you very much.
Happy Wheels | Goodgeme Empire | Slither.io


5:17 AM  

Post a Comment

<< Home