Linked by Thom Holwerda on Wed 10th Oct 2012 23:47 UTC, submitted by MOS6510
Java "Java is a programming language that allows developers to write once and deploy everywhere - from high-end gaming desktops to smartphones. Its OS-agnostic and widespread nature is one of its strongest selling points, but one area where it can fall flat is performance. Generally, Java applications are not going to perform as well as native applications written for a specific OS. However, thanks to Project Sumatra that performance gap may soon become less of an issue."
Thread beginning with comment 538245
RE[2]: Security
by kwan_e on Thu 11th Oct 2012 04:01 UTC in reply to "RE: Security"
kwan_e
Member since:
2007-02-18

I'm not a security expert:

While a vulnerability is disappointing, the worst case scenario is that the java app gains access to the same userland syscalls that a native C app can access anyways.


Except with Java, isn't the vulnerability potentially cross platform? Whereas with native exploits, you'd have to write one for each different platform.

Reply Parent Score: 2

RE[3]: Security
by Alfman on Thu 11th Oct 2012 04:58 in reply to "RE[2]: Security"
Alfman Member since:
2011-01-28

kwan_e,


"Except with Java, isn't the vulnerability potentially cross platform? Whereas with native exploits, you'd have to write one for each different platform."

Hmm, I'm not exactly sure what you mean. If you're talking about a vulnerability in code written in java, then yes that would probably be vulnerable on every platform supporting java. However this would not be an instance of a bug in the Java VM, but rather an application specific bug.


If you're talking about a vulnerability in the Java VM, then it may or may not be a cross platform vulnerability. Remember that the VM itself is a native application that has to be written to support every target platform. A bug in the just-in-time-compiler for x86 isn't necessarily going to appear in the JIT compiler for x86-64 or ARM.

For the sake of argument though, let's pretend Java contained a backdoor and there was *zero* security in the VM...this would preclude Java as a viable platform for browser applets since malicious websites could gain access to your local account using the backdoor.

Now consider an application you download to run locally, you have the choice of either a native binary or a java version. Can you see why having a backdoor in the Java VM isn't an additional security risk compared to the native version? Even with the VM backdoor, the java application would be on equal footing with the native application security-wise. Both would be subject to the same userspace access as imposed by the kernel.

Reply Parent Score: 2

RE[4]: Security
by moondevil on Thu 11th Oct 2012 05:55 in reply to "RE[3]: Security"
moondevil Member since:
2005-07-08

"If you're talking about a vulnerability in the Java VM, then it may or may not be a cross platform vulnerability. Remember that the VM itself is a native application that has to be written to support every target platform. A bug in the just-in-time-compiler for x86 isn't necessarily going to appear in the JIT compiler for x86-64 or ARM."


At least in OpenJDK/JVM this might improve when project Graal gets integrated.

Graal is the project to integrate Maxime JIT which is 100% Java code.

The idea is to follow Jikes, Maxime and Squawk VM projects where the Java was used to write the VM, with a very minimal set of native code.

Reply Parent Score: 2

RE[3]: Security
by JAlexoid on Thu 11th Oct 2012 12:25 in reply to "RE[2]: Security"
JAlexoid Member since:
2009-05-19

Except with Java, isn't the vulnerability potentially cross platform?

You have to break out of the sandbox and what you do afterwards is platform dependent.

Reply Parent Score: 2

RE[4]: Security
by kwan_e on Thu 11th Oct 2012 15:20 in reply to "RE[3]: Security"
kwan_e Member since:
2007-02-18

"Except with Java, isn't the vulnerability potentially cross platform?

You have to break out of the sandbox and what you do afterwards is platform dependent.
"

But does it? If a Java vulnerability allows the VM itself to be controlled, the exploit can just run Java code with full permissions.

Much like how in the past, MS Office's Visual Basic potentially allowed malware to run on a Mac (again, not a security expert, so I don't know if it ended up being just hype, like Y2K).

Reply Parent Score: 2
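The two boundaries the thread keeps circling (JAlexoid's "break out of the sandbox", Alfman's "same userspace access as imposed by the kernel") can be made concrete with the JVM's own sandbox mechanism of the time. The program below is an added example written for this page, not code from any of the commenters. It runs the same file-probing code twice: once with no SecurityManager, where the JVM adds nothing and only the kernel's file permissions decide, and once under a minimal applet-style SecurityManager that refuses the FilePermission before any system call is made. The protected paths (/etc/shadow on POSIX, "C:\System Volume Information" on Windows) are assumed examples of OS-protected locations and exist only to show the kernel boundary. SecurityManager is deprecated for removal since JDK 17 (JEP 411): on JDK 18 to 23 the program needs -Djava.security.manager=allow, and on JDK 24+ (JEP 486) System.setSecurityManager always throws, so run it on an older JDK to see the sandboxed half.

```java
import java.io.File;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.PropertyPermission;

/**
 * Added example (not from the thread): the same Java code run outside and
 * inside a SecurityManager sandbox, to show where each boundary sits.
 * Requires a JDK that still honours SecurityManager (JDK 17 and earlier run
 * it as-is; JDK 18-23 need -Djava.security.manager=allow).
 */
public class SandboxBoundary {

    /** Applet-style sandbox: every permission is denied except reading os.name. */
    static final class AppletLikeSandbox extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof PropertyPermission
                    && "os.name".equals(perm.getName())
                    && "read".equals(perm.getActions())) {
                return; // the one thing sandboxed code may do here
            }
            throw new AccessControlException("sandbox denies " + perm);
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Assumed OS-protected location; which path even makes sense is platform dependent. */
    static String protectedPath() {
        String os = System.getProperty("os.name");
        return os.startsWith("Windows")
                ? "C:\\System Volume Information"
                : "/etc/shadow";
    }

    /**
     * Identical code path in both modes; returns a short verdict so the two
     * runs can be compared side by side.
     */
    static String probe(String path) {
        try {
            File f = new File(path);
            // exists()/canRead() ask the SecurityManager (if one is installed)
            // for FilePermission "read" BEFORE any syscall; without a manager
            // only the kernel's permission check applies, as for a native binary.
            boolean visible = f.exists();
            boolean readable = f.canRead();
            return "reached OS: exists=" + visible + ", readable=" + readable;
        } catch (AccessControlException e) {
            return "stopped by JVM sandbox: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String path = protectedPath();
        System.out.println("host: " + System.getProperty("os.name") + ", probing " + path);

        // 1. No SecurityManager: the JVM imposes nothing, only the kernel does.
        //    As an unprivileged user, expect exists=true, readable=false on Linux.
        System.out.println("unsandboxed -> " + probe(path));

        // 2. Inside the sandbox: the same bytecode is refused before it reaches the OS.
        System.setSecurityManager(new AppletLikeSandbox());
        System.out.println("sandboxed   -> " + probe(path));
    }
}
```

Run with `javac SandboxBoundary.java && java SandboxBoundary` (add `-Djava.security.manager=allow` after `java` on JDK 18 to 23). The first line shows Alfman's point: with no VM-level sandbox the Java program gets exactly what the kernel gives any user process, no more. The second line shows JAlexoid's point: what a sandbox escape would have to defeat is the in-VM check, and only past that point does the platform-specific OS boundary come into play.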