(keitai-l) Re: Java running into trouble on cell phones?

From: James Santagata <jsanta_at_audiencetrax.com>
Date: 09/05/02
Message-ID: <016f01c25501$b3087780$0201a8c0@ix.netcom.com>
>From: "Curt Sampson" <cjs@cynic.net>
>
> On Wed, 4 Sep 2002, James Santagata wrote:
>
> > ...although I was never certain how a poorly written
> > Java program was superior to a well written C or perl program.
>
> The well written C program has (usually exploitable) buffer overflows.
> The Java program doesn't.

Security, although important, is not and should not be the only
consideration in choosing a programming language.

Sun has clearly positioned its product as
"write once, run everywhere". My experience and
that of others shows that to be McNealy reaching for
the sky -- and this from a guy that loves to bash Gates.

As I mentioned earlier there are issues of performance, scalability,
cost to maintain, pool of available engineers and so on.

In addition, Java is not the solution for every app, it used
to and may still say, "Not to be used for mission critical apps
like Nuclear facilities and aerospace."

As far as buffer overflows are concerned they are not the
only exploit that can be made nor necessarily the
most important.

A poorly written or implemented Java program (or JVM)
can still allow exploits, for instance, by not restricting
certain input that may be passed to the database
or other programs, allowing files to be moved with insecure
protocols such as FTP rather than using HTTPS, SSH,
PSCP, etc.

In addition, there may be other exploits available outside of the
programming used, in which the network is improperly designed or
the firewall is not properly configured, etc.

In addition, on client side Java, the JVM itself is a risk,
since it is written in C (at least on my Windows box).
Yes, C may be the problem with a buffer overflow,
but the fact is the JVM is a requisite part of the
system.

Here are some 126 known Java exploits from CERT. It clearly
illustrates my point, that security is simply as good
as the weakest link in the chain. Lots of JVM and other
exploits and it only takes one for damage to be done.

http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&qt=java&col=allcert


> More than 80% of security reports I see are the exploitable or
> potentially exploitable bugs that allow malicious code to be
> downloaded and run on your computer. Not one of these bugs could
> ever have existed in the program if it had been written in Java.
>
> Java has its problems, certainly, but C is the cause of far more.

What are the other 20% of the security reports related to?
I would submit that most if not all bugs are caused by
humans when writing code (byte code or JVMs) rather
than an underlying problem with the language used.


James Santagata

A U D I E N C E T R A X
http://www.audiencetrax.com
Received on Thu Sep 5 20:29:56 2002
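Added example, not part of the original message or the list archive: the point made above about a program "not restricting certain input that may be passed to the database" is shown here with Python's sqlite3 standing in for the Java/JDBC case, since the bound-parameter mechanism used in the hardened form is the same one JDBC exposes as PreparedStatement. The user table, the names, the tampered input and the regular expression are all constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a small in-memory user table standing in
    for the database the message describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_unrestricted(conn, name):
    """Weak form: the caller's input is spliced straight into the SQL text,
    so the database cannot tell data apart from query syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, name):
    """Hardened form: the input is bound to a placeholder and can only ever
    be compared as a value, never parsed as part of the statement."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    ).fetchall()
    return [row[0] for row in rows]


# Constructed allow-list for user names; what counts as valid input is
# application-specific and is an assumption of this example.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def lookup_validated(conn, name):
    """Defence in depth: reject input that does not have the expected shape
    before it reaches the database, and still bind it as a parameter."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return lookup_parameterized(conn, name)


def demo():
    """Run the three variants against an honest and a tampered input and
    return what each one produced, so the difference can be checked."""
    conn = make_db()
    honest = "bob"
    tampered = "x' OR '1'='1"  # constructed input that is valid SQL syntax
    results = {
        "unrestricted_honest": lookup_unrestricted(conn, honest),
        "unrestricted_tampered": lookup_unrestricted(conn, tampered),
        "parameterized_tampered": lookup_parameterized(conn, tampered),
    }
    try:
        lookup_validated(conn, tampered)
        results["validated_tampered"] = "accepted"
    except ValueError:
        results["validated_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The unrestricted lookup returns every row for the tampered input because the quote in the input closes the string literal and the rest is read as query syntax; the parameterized lookup returns nothing, and the validated lookup refuses the input before any query is built. The same split applies to the JDBC code the message has in mind: concatenating into a Statement versus binding through a PreparedStatement.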