Linked by Thom Holwerda on Wed 10th Oct 2012 23:47 UTC, submitted by MOS6510
Java "Java is a programming language that allows developers to write once and deploy everywhere - from high-end gaming desktops to smartphones. Its OS-agnostic and widespread nature is one of its strongest selling points, but one area where it can fall flat is performance. Generally, Java applications are not going to perform as well as native applications written for a specific OS. However, thanks to Project Sumatra that performance gap may soon become less of an issue."
Thread beginning with comment 538250
RE[3]: Security
by Alfman on Thu 11th Oct 2012 04:58 UTC in reply to "RE[2]: Security"
Alfman, member since 2011-01-28

kwan_e,


"Except with Java, isn't the vulnerability potentially cross platform? Whereas with native exploits, you'd have to write one for each different platform."

Hmm, I'm not exactly sure what you mean. If you're talking about a vulnerability in code written in Java, then yes, that would probably be vulnerable on every platform supporting Java. However, this would not be an instance of a bug in the Java VM, but rather an application-specific bug.


If you're talking about a vulnerability in the Java VM, then it may or may not be a cross-platform vulnerability. Remember that the VM itself is a native application that has to be written to support every target platform. A bug in the just-in-time compiler for x86 isn't necessarily going to appear in the JIT compiler for x86-64 or ARM.

For the sake of argument though, let's pretend Java contained a backdoor and there was *zero* security in the VM...this would preclude Java as a viable platform for browser applets since malicious websites could gain access to your local account using the backdoor.

Now consider an application you download to run locally: you have the choice of either a native binary or a Java version. Can you see why having a backdoor in the Java VM isn't an additional security risk compared to the native version? Even with the VM backdoor, the Java application would be on equal footing with the native application security-wise. Both would be subject to the same userspace access as imposed by the kernel.

Score: 2

RE[4]: Security
by moondevil on Thu 11th Oct 2012 05:55 in reply to "RE[3]: Security"
moondevil, member since 2005-07-08

"If you're talking about a vulnerability in the Java VM, then it may or may not be a cross-platform vulnerability. Remember that the VM itself is a native application that has to be written to support every target platform. A bug in the just-in-time compiler for x86 isn't necessarily going to appear in the JIT compiler for x86-64 or ARM."


At least in OpenJDK/JVM this might improve when project Graal gets integrated.

Graal is the project to integrate Maxine JIT which is 100% Java code.

The idea is to follow the Jikes, Maxine and Squawk VM projects, where Java was used to write the VM, with a very minimal set of native code.

Score: 2

RE[5]: Security
by Alfman on Thu 11th Oct 2012 14:34 in reply to "RE[4]: Security"
Alfman, member since 2011-01-28

moondevil,

"Graal is the project to integrate Maxine JIT which is 100% Java code."

I wasn't aware, that's very interesting. I wonder how you bootstrap such a thing. Do you need another VM to bootstrap the Maxine JIT's code?

Nice diagram for a project you mentioned:
http://labs.oracle.com/projects/squawk/squawk-rjvm.html


"Even with VM exploits it depends on which VM you are using, there are many more out there, besides Oracle's."

I'm not ready to stop calling it Sun's VM ;)

Score: 2