I guess this is a general question, but I am going through introductory courses to Java (SE/ME) and the study material claims that Java is often used for "security purposes". It does not explain, however, what they mean by claiming that Java incorporates good security.

Is it hacker proof? Does it produce highly stable software? What?

Security from my point of view (at the moment) is that it's in the hands of the developer writing the code, not the language itself?

+1  A: 

Because Java compiles as bytecode which then runs inside a Virtual machine, it cannot access the computer it runs on like a natively compiled program can.

littlegreen
This is the same as .NET code that compiles to IL and runs in the .NET runtime.
Shiraz Bhaiji
Technically not true, since you can use JNI to access native calls to the system, and a Java program can still wreak havoc on a system - deleting files, executing command-line arguments, etc.
aperkins
+7  A: 

IMHO, that's a very misleading statement. In Java, you cannot access out-of-bound arrays, and you don't have pointers, and thus several security flaws like stack corruption or buffer overflow are impossible to exploit in Java. But Java is not inherently more secure than any other language; it's just that there is less chance to make mistakes that can cause security flaws. In effect, this reduces security flaws, but it's totally misleading to say Java is secure.

Lie Ryan
Usually, when people say Java is "Secure" it is for exactly the reasons that you are stating - out of bound arrays and poor pointer arithmetic being two common security errors in C code.
aperkins
It's more secure in the sense that the chances are lower to compromise the system which is running the Java VM (the sandbox). What Lie Ryan meant is that it doesn't make the application itself more secure, i.e. you can still have SQL injections if you forge your SQL queries yourself and don't escape them correctly, and similar "security" mistakes.
Tseng
@Lie Ryan: so getting rid of what used to be **THE** most common cause of security issues (buffer overrun/overflow) isn't being inherently more secure than, say, C? You are contradicting yourself in your own answer: *"Java is not inherently more secure than any other language"* (wrong) and *"In effect, this reduces security flaws"* (correct). So what do you choose? It is **NOT** because you don't guard against all security issues that you are not more secure than other languages. Good luck escaping the VM Lie Ryan ;)
Webinator
@Webinator, you're presuming an up-to-date JVM, which is **not** a safe presumption. Old JVMs are *easy* to escape. [This is an increasingly common problem.](http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx)
Craig Stuntz
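The two points made in this answer and its comments, as an added example that is not part of the original posts: an oversized write is rejected by the JVM's bounds check instead of spilling into neighbouring data, while a string-built SQL query (the case Tseng mentions) is still rewritten by its input. The class names, the table name and the sample inputs are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

public class BoundsCheckDemo {
    // Mirrors a C layout such as struct { char name[8]; int is_admin; }, where
    // writing past name[] would spill into is_admin. In Java the array is a
    // separate, length-checked object, so no write can reach the flag.
    static final class Session {
        final byte[] name = new byte[8];
        boolean isAdmin = false;
    }

    /** Copies input into the fixed buffer; returns false if the runtime rejected the copy. */
    static boolean copyWithoutLengthCheck(Session s, byte[] input) {
        try {
            // Deliberately no length check: the JVM performs it for us.
            System.arraycopy(input, 0, s.name, 0, input.length);
            return true;
        } catch (IndexOutOfBoundsException e) {
            // arraycopy validates the whole range first; the destination is not modified.
            return false;
        }
    }

    /** Memory-safe, yet the input can still change the structure of the query. */
    static String buildQueryByConcatenation(String user) {
        return "SELECT * FROM users WHERE name = '" + user + "'";
    }

    public static void main(String[] args) {
        Session s = new Session();
        // Constructed input: 16 bytes for an 8-byte buffer.
        byte[] oversized = "AAAAAAAAAAAAAAAA".getBytes(StandardCharsets.US_ASCII);

        System.out.println("copy accepted:      " + copyWithoutLengthCheck(s, oversized));
        System.out.println("isAdmin afterwards: " + s.isAdmin);
        System.out.println("buffer untouched:   " + (s.name[0] == 0));

        // Constructed input containing a quote: the language does not stop this.
        // The fix is a parameterized query (java.sql.PreparedStatement), not the JVM.
        System.out.println(buildQueryByConcatenation("x' OR '1'='1"));
    }
}
```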
+1  A: 

The general reason why Java is considered to be more secure than, say, C, is because it handles memory management for you. In other languages, programmers allocate their own memory and often fail to do it correctly, causing buffer overflows, etc. Of course the Java VM could still contain the very same types of bugs, but it's well tested over time, unlike every user-written program.

So in that respect, it is more secure. But you can still write insecure code, because no language could ever protect you from writing just plainly erroneous code.

konforce
+2  A: 

Several languages, most notably C and C++, have a class of bugs that can allow arbitrary code to be executed when exploited - such bugs are quite common, and they're easy to make. These bugs are often some form of buffer overflow.

Java, and many other languages/platforms, eliminate that class of bugs (bar potential exploitable bugs in the VM itself), which many will claim makes it more secure.

nos
+5  A: 

There are two things that make Java "more secure" than other languages in certain aspects:

  • Automatic array bounds checking and the lack of manual memory management make certain classes of programming mistakes that often cause serious security holes (such as buffer overruns) impossible. Most other modern languages share this feature, but C and C++, which were dominant (and still are major) application development languages at the time Java first appeared, do not.
  • The Security Manager concept makes it relatively easy to run Java applications in a "sandbox" that prevents them from doing any harm to the system they are running on. This played an important part in promoting Java during its early days, since Applets were envisioned as a ubiquitous, safe way to have client-side web applications.
Michael Borgwardt
The security manager is broader than that, and still useful. You can assign different permissions to different codebases. This is very handy when you download some code.
Andy Thomas-Cramer
I've heard wild rumors that it's not that hard to escape from the sandbox.
Sami Koivu
@Sami: there probably are Java versions where it's possible; JVMs have to get regular security updates like any other big, security-relevant software package. But there are definitely no generic sandbox-breaking methods.
Michael Borgwardt
@Michael Borgwardt: Sorry, that was a bit of a tongue-in-cheek comment. But actually, it's almost trivial to escape from the sandbox in versions that are not the latest. There are normally no publicly known methods to escape from the sandbox of the latest version, but I wouldn't put too much trust in it.
Sami Koivu
+1 @Sami. See, e.g., [Java: A Gift to Exploit Pack Makers](http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/) "...attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities."
Craig Stuntz
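The "different permissions for different codebases" model discussed in this answer and its comments, as an added example that is not part of the original posts. It evaluates the permission logic directly with `java.security.ProtectionDomain`, without installing a Security Manager. The jar locations and file paths are hypothetical, and POSIX-style paths are assumed.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class CodebasePermissionsDemo {
    /** Builds a domain for code loaded from `location` that may only read `readablePath`. */
    static ProtectionDomain domainFor(String location, String readablePath) throws Exception {
        // The cast selects the Certificate[] overload; null means "unsigned code".
        CodeSource source = new CodeSource(URI.create(location).toURL(), (Certificate[]) null);
        Permissions granted = new Permissions();
        granted.add(new FilePermission(readablePath, "read"));
        // Two-argument constructor: the domain holds exactly these static permissions.
        return new ProtectionDomain(source, granted);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical codebases: the application's own jar and a downloaded plugin.
        // A trailing "/-" grants the directory's contents recursively.
        ProtectionDomain app = domainFor("file:/opt/app/lib/app.jar", "/var/app/-");
        ProtectionDomain plugin = domainFor("file:/opt/app/plugins/downloaded.jar",
                                            "/var/app/plugins/public/-");

        FilePermission readConfig =
                new FilePermission("/var/app/config/db.properties", "read");
        FilePermission readPublic =
                new FilePermission("/var/app/plugins/public/readme.txt", "read");
        FilePermission writePublic =
                new FilePermission("/var/app/plugins/public/readme.txt", "write");

        // The same request gets a different answer depending on where the code came from.
        System.out.println("app    may read config:  " + app.implies(readConfig));
        System.out.println("plugin may read config:  " + plugin.implies(readConfig));
        System.out.println("plugin may read public:  " + plugin.implies(readPublic));
        System.out.println("plugin may write public: " + plugin.implies(writePublic));
    }
}
```

The Security Manager that enforced these decisions at run time was deprecated for removal in Java 17 (JEP 411), so on current JDKs this model describes how the sandbox worked rather than a control to rely on.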
+1  A: 

There is a nice overview at http://download.oracle.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html .

Some examples:

  • No buffer-overflow exploits
  • Byte-code verification
  • Security permissions for different codebases
  • Security-related APIs
Andy Thomas-Cramer
+1  A: 

It is marketing)

Stas