Linked by Thom Holwerda on Wed 10th Oct 2012 23:47 UTC, submitted by MOS6510
Java "Java is a programming language that allows developers to write once and deploy everywhere - from high-end gaming desktops to smartphones. Its OS-agnostic and widespread nature is one of its strongest selling points, but one area where it can fall flat is performance. Generally, Java applications are not going to perform as well as native applications written for a specific OS. However, thanks to Project Sumatra that performance gap may soon become less of an issue."
Thread beginning with comment 538283
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Security
by tracul on Thu 11th Oct 2012 09:16 UTC in reply to "RE: Security"
tracul
Member since:
2011-08-21

However as a local desktop platform I don't think Java deserves too much criticism since the language has never been less secure than native apps in the first place. Consider that anything which manages to break out of the java sandbox through a java vulnerability is still access-limited by the same user-space restrictions as a non-VM language like C. While a vulnerability is disappointing, the worst case scenario is that the java app gains access to the same userland syscalls that a native C app can access anyways.


The difference is that you can write "perfect" java code and still your app will be potentially vulnerable (outside your control), whereas in C[++] it's all about the written code (under your control)

Reply Parent Score: 1

RE[3]: Security
by the_trapper on Thu 11th Oct 2012 11:19 in reply to "RE[2]: Security"
the_trapper Member since:
2005-07-07

The difference is that you can write "perfect" java code and still your app will be potentially vulnerable (outside your control), whereas in C[++] it's all about the written code (under your control)


Until you link against third party libraries. A lot of browser flaws aren't actually Microsoft, Mozilla, or Google's fault. They are due to flaws in things like libjpeg, libpng, or openssl. Java applications are no different, you can think of Java as a big third party library. Even drivers, firmwares, and BIOSes have been known to have remotely exploitable vulnerabilities in them.

As a programmer, you never have all the code "under your control" unless you go to extreme lengths like
designing your own hardware, firmware, and operating system from scratch.

Reply Parent Score: 2

RE[3]: Security
by moondevil on Thu 11th Oct 2012 11:20 in reply to "RE[2]: Security"
moondevil Member since:
2005-07-08

The difference is that you can write "perfect" java code and still your app will be potentially vulnerable (outside your control), whereas in C[++] it's all about the written code (under your control)


Can you enlighten me how are you able to have more control over libc, libstdc++, msvcrt,... than Java developers have over JRE?

Reply Parent Score: 2

RE[3]: Security
by Alfman on Thu 11th Oct 2012 14:52 in reply to "RE[2]: Security"
Alfman Member since:
2011-01-28

tracul,

"The difference is that you can write 'perfect' java code and still your app will be potentially vulnerable (outside your control), whereas in C[++] it's all about the written code (under your control)"

I disagree. A "perfect" ANSI-C program can still be vulnerable to libc bugs (aka malloc, fscanf, etc).

Also, modern C code compilation can be incredibly complex. There are memory barriers, aliasing constraints, auto SIMD/pipelining, overflow assumptions, threading related bugs, etc. A bug or bad assumption in any of these features might be remotely exploitable (ie a JPEG rasterization library).

To the extent that a JIT compiler is more complex, I'll grant you that it is more likely to contain bugs, but bugs are inherently possible whether the code compilation happens ahead of time or at run time.

Reply Parent Score: 2