Gosling Claims Huge Security Hole in .NET

renai42 writes "Java creator James Gosling this week called Microsoft's decision to support C and C++ in the common language runtime in .NET one of the 'biggest and most offensive mistakes that they could have made.' Gosling further commented that by including the two languages into Microsoft's software development platform, the company 'has left open a security hole large enough to drive many, many large trucks through.'" Note that this isn't a particular vulnerability, just a system of typing that makes it easy to introduce vulnerabilities, which last time I checked, all C programmers deal with.

Phew!

[rackhamh]

Good thing Linux isn't written in...

Oh. Never mind!

Re:Phew!

[DrLZRDMN]

Its good to run c code on your machine. You don't want applets running it.

Re:Phew!

[ArbitraryConstant]

C/C++ programs have terrible security track records. They're behind basically every arbitrary code exploit out there. That class of bug just doesn't happen in managed languages. And I don't mean just Java and .NET. An open source example is Python.

Re:Phew!

[DrLZRDMN]

Id like to see a kernel written in either language.

Re:Phew!

[bnenning]

Id like to see a kernel written in either language.

Fair enough, but at least 90% of the stuff written in C and C++ doesn't need to be.

Re:Phew!

[andreyw]

No offense, but give a fool a hammer and he'll crack his skull. C is not inherently insecure. C++ is not inherently insecure. If you don't know how to program, please step aside and let others through. I am not some sort of anti-managed-language zealot, I love Python, but to claim that C *as a language* has a terrible security track record is ridiculous. The applications, not the language, might have a terrible track record due to the ineptness of the programmer.

I mean seriously, this is like claiming ASSEMBLY is a worthless insecure language because you can hang the system while in supervisor mode, due to ineptness? Sheesh.

Re:Phew!

[pivo]

I think the point is that it's much easier to inadvertently create security holes when you write code in lower level languages like C. Lots of excellent programmers have written code with security problems, simply because they're focusing on making their code work and not thinking about security. It's an extremely common problem, and while it may be a problem with the developer's focus, it's not generally a problem of low skill levels.

Re:Phew!

[bluGill]

I'd like to point out that in this day and age most C programmers have heard about the problems and make some effort to prevent them. While programmers in "safe" languages (VB) generally have not heard of these problems, so while they are harder to create, those programmers are also less likely to recognize them. In fact problems in C are generally minor mistakes that are easy (though tedious) to fix, while in the other languages the same problem tends to be major design level issues that are hard to co

Re:Phew!

[dasunt]

Just imagine how secure the world would be if we wrote everything in PHP! :)

Re:Phew!

[andreyw]

Did I just DROP an important SQL table? ;-) ;-)

Re:Phew!

[owlstead]

Pffft, I am working with a couple of high grade C++ programmers. When they go down using pointers etc. you can be sure they introduce some overflow errors. You need at least a code checker to make sure that the most common mistakes are avoided. This is like saying that Internet Explorer is not insecure, as long as you visit the right web-sites.

For most applications assembly is a worthless insecure language, and you should stick to a higher level language if you don't want to introduce problems (for anything larger, but probably including "hello world").

Re:Phew!

[Transcendent]

Pffft, I am working with a couple of high grade C++ programmers. When they go down using pointers etc. you can be sure they introduce some overflow errors.

Are they really that high grade then?

Re:Phew!

[Brandybuck]

Then they're not "high grade". If you need to use strings, you use the string class. If you need to use a bounded array you use the STL vector. If you can't use the STL, you guard your arrays. Those three things, which are normal "high grade" C++ coding style, avoids the vast majority of potential overflows.

Re:Phew!

[That's Unpossible!]

No offense, but give a fool a hammer and he'll crack his skull.

Give a man a gun, and he can kill many people with it.

Give that same man a pencil and... eh, not so much.

Re:Phew!

[ArbitraryConstant]

"No offense, but give a fool a hammer and he'll crack his skull. C is not inherently insecure. C++ is not inherently insecure. If you don't know how to program, please step aside and let others through. I am not some sort of anti-managed-language zealot, I love Python, but to claim that C *as a language* has a terrible security track record is ridiculous. The applications, not the language, might have a terrible track record due to the ineptness of the programmer."

That's just restating the question.

If managed languages make a certain class of exploits impossible or very unlikely while C doesn't, then C is insecure relative to those languages.

A good C programmer might be able to cut the exploit rate down to some very small value, but they're going to work pretty hard to get to that point while people in managed languages get it for free. And good C programmers still fuck up sometimes.

Of course, there's other ways to screw up. No language is immune from security problems. Using a "managed" language is nothing more than risk management, but it's pretty effective.

Re:Phew!

[timeOday]

No offense, but give a fool a hammer and he'll crack his skull. C is not inherently insecure. C++ is not inherently insecure. If you don't know how to program, please step aside and let others through.

No, the programmer is irrelevant to this argument. Pick any programmer you like, any one in the world. He will make mistakes at some rate. In C, those bugs will translate directly to security holes, whereas in a typesafe language they will not. It's just that simple.

Re:Phew!

[jtshaw]

It is true, any programmer, no matter how good, will make a mistake here and there. However, buffer overflows and such in a single program don't have to be the security nightmare that they often are these days.

It all comes down to bad OS design in general. Take the IE exploits for example. Why the heck can you get so much system access through an exploit in a web browser?!? Lets be honest here, the security model employed in most of today's OS's is mind boggling in it's ineptness.

Linux is not immune e

Re:Phew!

[Brandybuck]

All programming mistakes are security holes, because any software that doesn't behave as intended is a security hole. They might not all grant root access to random passerbys, but they are security holes nonetheless.

Anecdote time. After five years of working on a million+ line C/C++ codebase, I ran across my first buffer overflow last monday. I've seen many potential buffer overflows (and fixed them when I found them), but this was the first I've seen actually get thrown over the wall to QA.

If buffer over

Different != Better

[EventHorizon]

Incompetence leads to trouble in any language. For instance, a recursive function which does not enforce a recursion limit may:

- segfault in C
- throw an unhandled exception in python
- churn up 2GB swap in java (or something similar)

In any case, think DoS. The solution is to program competently, regardless of language.

Re:Phew!

[tomstdenis]

How did your post get insightful?

buffer overflows are not the only kind of bug that plagues development. quite a few "plain old logic errors" or "insecure designs" are source of problems.

I mean I just reinstalled pam last night [for the second day in a row... diff versions] with maybe 20 patches applied to it. I doubt all 20 [or any at all] were due to buffer overflows.

A proper programmer would do proper bounds checking on their own [e.g. I need to store N bytes, do I have N bytes available]. People w

Re:Phew!

[HiThere]

Actually, C *is* inherrently insecure. You are required to use unbounded pointers. And, yes, assembly language is insecure in exactly the same way.

It would help if C automatically initialized ram (and I've known at least one C that did, but it isn't a part of the language specs), just like it helps not to be able to use 0 as a pointer address. But the only thing that would make C safe would be to put it in a box, and not let it look outside. Even then you'd get buffer overflows within the code, but if

Re:Phew!

[jilles]

ASSEMBLY is a totally inappropriate language for the vast majority of applications, including operating system kernels, video card drivers and games. The complexity and security tradeoff simply doesn't justify the performance gains. That's why it isn't used anymore in most of the software industry. The same is true to a lesser extent for C and C++.

These languages are inherently insecure because they allow for mistakes that other languages do not allow for. Combine this with the fact that it doesn't take a fool to make mistakes and you have the perfect proof that C is inherently insecure. Refute either of those arguments and you might have a point.

The problem with C is that it takes the inhuman capability to not make mistakes to end up with secure software. That's why all of the long lived C software projects have to be constantly patched to correct mistakes. Buffer overflows are no accidents, they are the predictable result of using C. Use C -> expect to deal with buffer overflows, memory leaks, etc. Every good C programmer knows this.

The difference between good C software and bad C software is that in the latter case the programmers are surprised whereas in the first case the programmers actually do some testing and prevention (because they expect things to go wrong). Mozilla Firefox comes with a talkback component because the developers know that the software will crash sometimes and want to be able to do a post mortem. The software crashes because the implementation language of some components is C. IMHO mozilla firefox is good software because it crashes less than internet explorer and offers nice features.

Of course we have learned to work around C's limitations. Using custom memory allocation routines, code verifiers and checkers, extensive code reviews we can actually build pretty stable C software. The only problem is that C programmers are extremely reluctant to let go of their bad habits. Some actually think they are gods when they sit down behind their editors and do such stupid things as using string manipulation functions everyone recommends to avoid like the plague, trying to outsmart garbage collecting memory allocaters by not using them, etc. If you'd build in a switch in the compiler which enforces the use of the improvements listed above, most of the popular C software simply wouldn't compile. But then it wouldn't be C anymore because the whole point of C is to allow the programmer to do all the bad things listed above, even accidentally.

IMHO programmer reeducation is an inherently bad solution to inherent security problems of the C language. You can't teach people not to make mistakes. You need to actively prevent them from making mistakes. You can make mistakes in other languages but they are a subset of the mistakes you can make in C. Therefore you should use those languages rather than C unless you have a good reason not to. Any other reason than performance is not good enough.

Rule for selecting programming language:

[notany]

Good architect will know how to choose tools to match the problem. (If you can't, either you are not educated or you are code slave)

Rule:

If you don't need to spend 5-10% of your development time to speed/size optimizing your program to make it useable, you are not using language/abstractions that is high level enough to your task.

Explanation:

If I use high level languge (say Haskell/OCaml/Clean/Common Lisp) and use all it's abstarction powers, program code will usually be 10-50% of the size compared to

Re:Phew!

[ArbitraryConstant]

Fair enough, but how often does the kernel do things like parsing strings?

Re:Phew!

[Lord Kano]

Good thing Linux isn't written in...

What Visual Studio .NET? Yep. Good thing it isn't.

LK

Re:Phew!

[abigor]

You're entirely correct. But in the real world, systems programming accounts for only a small portion of written software. Most is firmly at the application level.

I feel confident in predicting that most of userland will eventually run in the context of some virtual machine or other. Of course, that doesn't exactly make me a prophet, since that's the plan for Longhorn, but I think it will become the norm on other platforms as well.

It would be nice if, in the long run, operating systems became irrelevant when it comes to choosing applications. You go with whatever has the best track record for speed, security, or whatever, and then just choose whatever applications you like. Since the virtual machine runs everywhere, so will your software.

Re:Phew!

[Taladar]

The problem with .NET as I see it is that VMs don't make much sense if they only run on one platform. They are just an additional layer of crap that slows down your program.

Advertisement?

[nuclear305]

I actually RTFA since it included a sensationalistic phrase like "biggest and most offensive mistakes that they could have made."

To me, it sounded like a big advertisement for Java.

It's the developers decision to use unsafe code in the .NET platform. I certainly wouldn't call this a huge mistake made by MS.

A hunting rifle can be used to kill people. Does that mean the trigger should only work after inserting a valid and current hunting license?

Re:Advertisement?

[haystor]

I'm just curious, but what language(s) of ultimate security is Java and Solaris written in?

Re:Advertisement?

[TWX]

As much as I think his presentation method is tacky, I can agree with some of what he says.

C and C++ allow for buffer overflows. They allow for improper or intentional coding to cause software to try to violate memory space of other functions or programs. They allow for memory allocation without necessarily providing any cleanup later. In the hands of bad, sloppy, lazy, or malicious programmers these traits have always proven to be a problem time and again on many different platforms. This doesn't mean that these languages are the wrong tool; I'd argue that part of Linux's success is because the kernel and most of the GNU-implemented services are written in these languages, which are flexible. Too much flexibility for the wrong purpose leads to problems though, just as too much rigidity leads to problems when things need to be flexible.

Re:Advertisement?

[n0-0p]

He's not wrong about the pitfalls of C/C++. It's just that his argument is downright silly when taken in the appropriate context. The .NET "unsafe" code segments are really no different than JNI, except that they integrate much more cleanly into the platform. As much as I dislike Microsoft in general, .NET is an extremely well designed and secure platform. I say this as someone who has spent almost a decade making a living performing software security assessments and developing secure architectures. If you take the time to research it you will find that .NET really feels like the next incremental step after Java, and it takes advantage of a decade's lessons learned in Java.

Re:Advertisement?

[owlstead]

I agree with almost everything of your post. However, I must say that not every features .NET has over Java is an improvement. And not everything has such a long track record either. It took MS almost no time at all to implement almost every single feature of Java 1.5 into C#. Then again, Java added auto-boxing, which seems to stem from C#. None of the features of both languages is really original of course.

Note that the Java VM of Microsoft was not that safe. I am very curious if .NET will have a better t

Re:Advertisement?

[devinoni]

Other than generics, and static imports, all the new language features of Java 1.5 aka 5.0 were available in C# 1.0. There was even a slashdot story about it. http://it.slashdot.org/article.pl?sid=04/10/11/145 4220&tid=108&tid=8/ [slashdot.org]

Re:Advertisement?

[Bodrius]

What are you talking about? Inner classes are fully supported in C#...

Unless you're talking about anonymous inner classes (a different animal, typically with a different purpose altogether when it comes to design motivation).

This seems to have been a matter of designer taste on the part of Hejlsberg. 2.0 should bring anonymous methods, which aims to solve the same type of problems anonymous classes did, in a neater way.

Re:Advertisement?

[Bodrius]

You are correct, I should say that C# fully support static inner classes.

"Nested type" and "inner class" are, as far as I know, equivalent terms and the latter has been a common term used in both languages. However, this is the first time I know of someone who differentiates the two terms in practical use.

What makes the implicit "this.Outer" the essential feature of an "inner class" in your terminology? I'm also curious as to why you consider it such an important feature.

Once more this seems to be a matt

Re:Advertisement?

[gburgyan]

I have to agree -- and I'll try to extend your arguments even further.

In my current job, which involves quite a bit of C#, I had the opportunity to port large chunks of our legacy application from C++ to Managed C++. We didn't gain security benefits, nor did we gain speed; we didn't loose any either. However we gained a lot of maintainability since we now have a single stack-trace to deal with that bridges all of the languages that we have (now reduced to C# and C++ -- down significantly from when we relied heavily on COM)

The fact that MS gave us that choice is wonderful. If we wanted to be using JNI (which I had the unlucky opportunity to use), we'd not have made much progress at all.

Re:Advertisement?

[DrXym]

The "integrating more cleanly" bit is worth more exploration. Java does allow native calls via JNI but it's always been bloody fiddly to get it to work. It does work, but it's fiddly requiring you define an interface, run a tool to generate stubs and implement those stubs handling exceptions & objects via a large set of JNI helper methods. Thus the average Java programmer doesn't even *think* about writing native code unless they absolutely, positively have to. So virtually every third party lib is pure

Re:Advertisement?

[Zeinfeld]

The problem here is that it will be very difficult to take Gosling seriously when he talks about anything in future. This does not make me think any better of Sun.

Nobody is going to use C or C++ to write a completely new program under .NET. There are occasions where I might use C for something I wanted to make cross platform but no way would I ever go near C++.

Most people who are going to use the new .NET support are people who have legacy C programs and want to gradually transition them to the .NET base in stages. The makes a good deal of sense.

The other constituency is folk who are writing stuff that is almost but not quite at driver level.

Re:Advertisement?

[malfunct]

Nope, at least not if it can't verify its safety and request permissions correctly. There is a chain of trust that needs to be developed before the .NET framework will allow the assembly to load. One thing that you should do if you don't want unsafe code to execute is remove that permission from your program (can be done with an attribute in your source code) and then these unsafe modules just won't load.

Not saying this can't be defeated but there are tools in the languages to protect yourself.

Re:Advertisement?

[malfunct]

What I am saying, if you read it, is that you can tell the .Net framework that your application does not accept unsafe modules. If that is the case the C/C++ module that does unsafe actions (which are obvious to the frameworks security checks which are extensive and expensive) it will not be loaded. There is no danger of accidentially running unsafe code in an application that doesn't accept unsafe code. If you are worried about security it would be in your interest to not give your application this permiss

Re:Advertisement?

[Jordy]

C++/C is not. Bugs can have disastrous effect.

Sigh. There are plenty of garbage collectors and boundscheckers for C/C++. Heck, there are several bounds checker extensions/patches for GCC that introduce bounds checking to both stack and heap. Boehm is a fine garbage collector if you like that sort of thing. They go back at least 10 years.

Combined with a non-executable stack and heap, randomized address space layout and signed return addresses (StackGuard XORs with a random value and verifies before return

Re:Advertisement?

[MerlinTheWizard]

C and C++ allow for buffer overflows.

It's irrelevant, actually. A bug is a bug. You can make them in any language. The consequences of the potential bugs are what matters. But only the implementation defines what a "buffer overflow" will actually do. Granted you can try and write past some allocated buffer in C (and C++). That doesn't mean the write should actually occur. That's the responsibility of the implementation, and mostly of the underlying operating system. I already said that earlier: the major

Re:Advertisement?

[andreyw]

C is a language. Its not an OS executive. It can't stop you from overwriting 0xdeadbeef with gobbledygook if your OS has no VMM.... which unless you're still running DOS, writing a kernel, or programming an embedded device... is not a problem as you might imagine.

Pascal isn't safe either

[Unordained]

Why do people think of Pascal as inherently safe? If you want to mess with pointers, it's really rather easy. Stick 'em in a variant (union) record, do your arithmetic against another named integer, and there you go. I mean really ...

"Object-oriented programming" is ill-defined. It encompasses a lot of languages that go about it in entirely different ways. To me, the most it can mean is "calling functions with an assumed this pointer." What does OO mean to you? Virtuals? What makes it "real"?

There are benefits to C beyond speed and direct access to memory, hardware, etc. People seem to forget that for us to make software "work together", calling conventions across libraries need to be compatible. Which is why we picked C calling conventions. It's not necessarily the most expressive if you're into fancy things, but it is flexible enough for most everything. My main problem with Java isn't the language -- it's the libraries. Lots of them, packaged in their own special way, not really designed for use by any language.

Languages, most of the time, aren't the issue. We haven't gained all that many 'new' features with new languages, at least not anything we can't easily live without. Access to symbols is an issue, however, and a really important one from the point of view of integration, code re-use, and even making sure you're using trusted/proven code.

Regardless of buffer overflows, you can still write infinite loops, incorrect logic, etc. in just about any language. These language wars are about markets -- they're about money.

Re:Advertisement?

[rackhamh]

A hunting rifle can be used to kill people. Does that mean the trigger should only work after inserting a valid and current hunting license?

DISCLAIMER: COMPLETELY OFF-TOPIC

I don't know what the law is, but if a hunting rifle can only be legally used for hunting, this actually a pretty good idea. The card mechanism could also be used to enforce hunting seasons.

I realize this offends some people's sense of rights, but I'm not particularly inclined to defend somebody's "right" to use a firearm outside its

Re:Advertisement?

[damiangerous]

I don't know what the law is

Obviously.

but if a hunting rifle can only be legally used for hunting

A hunting license licenses the owner to take a certain type of game (deer season, etc) on certain land (assigned state land, private land, etc) during certain times (hunting seasons, obviously) with certain tools (shotgun only, bow, etc). It only grants this, in the case of firearms, to people who already legally own them. A "hunting rifle" is simply a subset of rifle suitable for a certain task (which var

Re:Advertisement?

[miu]

I think he is talking about the fact that the type system of managed code itself could potentially be subverted by unmanaged code added by other developers.

The article is heavy on sensationalism and short on content so it is difficult to tell what is actually being debated here, but I think that Gosling is claiming that support of C type handling in itself creates a chink in the armor of the CLR, regardless of any particular project's use of that feature.

Re:Advertisement?

[ndykman]

Not so. Well, unless you hacked the .Net type verification and loading code, managed to install it over the .Net Framework (not easy, really).

All use of unsafe features in .Net are marked as such and can't be hidden. So, pointers, unsafe casts, etc. all stick out to the type loader. In fact, if an .Net assembly tries to mark itself as safe and it has unsafe features, the loader won't load it.

As far as I know, there is no example of unmanaged code that can violate the managed code type system, and .Net was explicitly built to keep this from happening.

Also, this ignores that C/C++ support is much more complicated in .Net. Yes, there is the IJW (It Just Works) stuff that allows unmodified code to compile to unsafe .Net assemblies, but there is also the C++/CLI stuff, which creates a CLS version of C++.

Frankly, this seems like a bit of sour grapes to me. .Net does really improve on Java in lots of ways. Yes, James, Java isn't the last word on programming languages. .Net isn't either.

Re:Advertisement?

[clem.dickey]

A few years ago a non-techie friend mentioned that he had read an interviewer with the creator of Java.

Me: "Oh, that would be, umm, James Gosling."

He: "No, that's not the name. It was a lady. Let me check ... Gina Centoni."

Me "Who?"

A web search revealed that Ms. Centoni's position was "Director of Java Marketing." Out of the mouths of babes come all wise sayings.

Re:Advertisement?

[iabervon]

His point is essentially that .NET does not protect the user against untrusted code, while Java does. If you run .NET code, you have to trust the developer, because the system won't protect you against a malicious or careless developer. If you run Java code in a sandbox, you're safe, because the system will watch what's going on and can be sure of the safety of its information.

A hunting rifle is fine for some purposes, but decorating your house with them is unwise. Java, effectively, has support for making

Re:Advertisement?

[cookd]

His point is essentially that .NET does not protect the user against untrusted code, while Java does. If you run .NET code, you have to trust the developer, because the system won't protect you against a malicious or careless developer. If you run Java code in a sandbox, you're safe, because the system will watch what's going on and can be sure of the safety of its information.

If that is the point, he's dead wrong.

Just like you can run Java code in or out of the sandbox, you can run .NET code in or out o

Re:Advertisement?

[cookd]

Ummm ... are you saying if a developer chooses to write unsafe code on .NET it is the fault of the developer that he can do so? By it's very name it implies that remote computers are going to connect to it, so one would hope it's not built to be too riddled with security holes or potential to be 'dangerous'.

The developer can choose to do whatever he/she wants. The nice thing about .NET is that the end user can then choose whether or not to allow that developer's code to run on his/her machine, and can ob

Woah

[pHatidic]

CowboyNeal is defending Microsoft. Someone take a screengrab, Slashdot's been hacked!

So you mean to tell me

[Anonymous Coward]

So you mean to tell me that the father of Java won't be slightly bias?

C'mon now. There is no vulnerability. Don't post this sort of crap. Its strictly knee-jerk material meant to bend a few people out of shape and start flames. .NET is great (for its target area)
J2EE is great (for its target area)

Both are secure, stable and reasonably fast if you are a GOOD programmer. ANYONE who does ANY C or C++ code that will be used in industry needs to ENSURE that they just take a few extra precautions and are aware of secure coding techniques in both languages. Its rather quite simple.

To sum it up: nothing to see here folks.

Re:So you mean to tell me

[bitflip]

Actually, this is the kind of thing I like to see. It is definitely technology related; it's omission would be an error, IMO. If I'd seen this someplace else, and didn't see a discussion of it on /., I'd be concerned.

The fact that the editors actually chose to point out the flaw in the argument (in MS' favor!!!), rather than adding to the sensationalism is a welcome and refreshing change.

Don't disagree with Microsoft...

[BlueCup]

I don't disagree with Microsofts position. Yes errors are possible, but it's a programming language, and not Microsofts responsibility. With a case like programming it is the programmers responsibility to release code without exploits... c and c++ are fast, they have many advantages other languages don't have (such as Java) if a programmer decides to take advantage of that, with a slight bump in risk, then I say more power to them.

What a surprise!

[Anonymous Coward]

This could have just as easily read "Java Creator Disses Rival Product, Ignores Flaws in His Own."

In Java, everything is an object! Oh...except for the basic types, you need to use object wrappers for those.

Re:What's the flaw again?

[borgheron]

Just curious... What's wrong with that?

It speaks to the purity of the language. Being able to deal with *everything* as an object is a distinct advantage since it allows you to, potentially, extend basic types into more complex ones and it also prevents you from having to "box" primitives in objects and "unbox" them on the way out.

BTW, JDK1.5 (aka Java 5) has a new feature called "autoboxing" which does the above boxing for you. This doesn't really count as those types being objects, it's more of a kl

Re:What's the flaw again?

[skraps]

That is just because of the auto-boxing. The CLI specifies primitive types like

bool, int, uint, int16, uint16, int32, uint32, int64, uint64, char, and byte.

These are quite distinct from their corresponding boxed types in the System namespace,

Boolean, IntPtr, UIntPtr, Int16, Uint16, Int32, Uint32, Int64, Uint64, Char, and Byte.

The "box" and "unbox" CLI instructions allow for the translation between the two sets above. There is nothing automatic about this at the CLI level.

The reason you've probabl

Re:What's the flaw again?

[bnenning]

Just curious... What's wrong with that?

It's ugly and non-orthoganal. Look at the Arrays [sun.com] class for example; there are dozens of duplicated methods that are identical except that they take bytes, chars, shorts, ints, etc. as arguments. I'd much rather have everything be a true object; any performance issues can be handled by the compiler, runtime, or Moore's law. Autoboxing helps, but better to fix it for real than with syntactic sugar.

JNI

[codepunk]

I guess he forgot all about JNI. Now don't get me wrong I like java and would not even think about messing with .NOT but quit telling lies, java has the same exact hole.

Re:JNI

[patniemeyer]

But JNI is not Java... It's an API. For that matter you might consider sockets and network connections to make Java unsafe because they could invoke unsafe applications.

It is completely fair to point out that .NET allows you to choose safe vs. unsafe code... but it is a little different from the Java scenario in that this is unsafe code that is run through the VM. It's just an odd choice to make.

Pat Niemeyer
Author of Learning Java, O'Reilly & Associates

Re:JNI

[spideyct]

It may be fair to point out, but it is kinda silly without any context.

Java lets you write to the user's filesystem. Does that make it insecure? You could run a program to wipe out your hard drive!

But Java allows for a "sandbox". So does .NET. And if your code runs in that .NET "sandbox" (for example, if it is running from a network resource), it won't let you run unsafe code.

A truck, eh?

[Faust7]

the company 'has left open a security hole large enough to drive many, many large trucks through.'"

Like, say, a truck about the size of Sun's Java runtime environment.

Java is a type-safe language at the VM level...

[patniemeyer]

This is what really distinguishes Java from other languages. The Java verifier is a sort of theorum prover that examines the byte-code and can guarantee that it does not violate certain rules such as forging the type of a reference or under/over-flowing the stack. Because this is done at the verify stage it is still possible to compile the bytecode down to machine level instructions after that and run at full speed. This is why Java is both safe and fast.

To support C/C++ semantics (ad-hoc pointers) you'd have to throw all that out the window and I assume that's what he's talking about.

Pat Niemeyer,
Author of Learning Java, O'Reilly & Associates and the BeanShell Java Scripting language.

Re:Java is a type-safe language at the VM level...

[YU Nicks NE Way]

You're wrong.

The Microsoft CLR is also type-safe at the VM level. If you choose to use pointers in Managed C++, though, you lose any ability to assert heap access safety, and therefore must mark your code as unsafe, because you can perform pointer arithmetic.

you got it backwards

[jeif1k]

This is what really distinguishes Java from other languages. The Java verifier is a sort of theorum prover that examines the byte-code and can guarantee that it does not violate certain rules such as forging the type of a reference or under/over-flowing the stack

You arae kidding, right? Do you seriously believe Java is the first or only language to guarantee runtime safety? Safe languages are the rule, not the exception.

To support C/C++ semantics (ad-hoc pointers) you'd have to throw all that out the window and I assume that's what he's talking about.

C# distinguishes safe and unsafe code. C#'s safe code is as safe as "pure" Java code. You can think of C#'s unsafe code (or its equivalent in C/C++) as code linked in through the JNI interface, except that C#'s unsafe code has far better error checking and integration with the C# language than anything invoked through JNI.

Altogether, C#'s "unsafe" construct results in safer and more portable code than the Java equivalent, native code linked in through JNI.

Pat Niemeyer, Author of Learning Java, O'Reilly & Associates and the BeanShell Java Scripting language.

Well, then I suggest you learn some languages other than Java before making such ridiculous statements.

Re:Java is a type-safe language at the VM level...

[afidel]

Sure it does, comiled Java code can be just as fast as C++ code and nearly as fast as C code. It all depends on how good the libraries are and how smart the compilers are. There is numeric code available for Java today that is just as fast as equivilant libraries for C++. Hell real numeric code is STILL written against FORTRAN libraries because the code is that good, that well optimized, and that well tested. Java GUI's suck, but numeric code and server code has long since been more than fast enough.

Re:Java is a type-safe language at the VM level...

[Anonymous Brave Guy]

Sure it does, comiled Java code can be just as fast as C++ code and nearly as fast as C code.

You imply that compiled C code is faster than compiled C++ code, which IME is rarely the case these days. In particular, optimisations performed by C++ compilers have almost caught up with their C brethren. With almost perfect zero-overhead implementations of all the major C++-only language features now in common use and the added performance boost from things like inlined code in templates, the balance often tips significantly in C++'s favour now.

There is numeric code available for Java today that is just as fast as equivilant libraries for C++.

Can you give some examples of high quality numerical libraries written in pure Java (i.e., without JNI)?

Disclaimer: I'm a professional C++ developer, and I write high performance maths libraries for a living.

Re:Java is a type-safe language at the VM level...

[afidel]

You should be able to find plenty of starting points here [nist.gov].

Re:Java numeric libraries

[Anonymous Coward]

Sorry. This doesn't really cut it. Note the dates on the website. Its been moribund for about 2-3 years (the unfortunate side effects of downsizing useful government initiatives to fund the military/security complex and tax cuts, but that is another sad story).

Of the two "numeric" libraries mentioned on the website only one handles complex numbers and the implementation in java leaves much to be desired (relative to assembly or C). To my knowledge, the Lau Numerical libraries based on algol routines ar

Java has many potential drawbacks for numerics

[Anonymous Brave Guy]

Java has several pretty fundamental disadvantages when it comes to serious numerical work, compared to a language like C or C++.

The most obvious is the "everything is an object" principle. If you can't create value types for things like vectors or complex numbers, you're imposing performance overheads for dereferencing before you even start doing any maths.

Moreover, serious maths work often involves large data sets. We work with graphs with many thousands of nodes pretty routinely, which can make fine c

Re:Java is a type-safe language at the VM level...

[patniemeyer]

Yes, actually, it does. Have you checked it recently? The only overhead that natively compiled Java code would have over comparable C++ is that it always does array bounds checking. Other than that you just have to ask yourself, what kind of optimization can a static compiler (C/C++) do that a dynamic, profiling runtime compiler (Java) can't do?

Garbage collection in Java has been faster than free/malloc in C for years. This is in large part due to the fact that the runtime can recognize very short lived objects and put them on a special part of the heap.

It's not necessary to use unsafe languages to get performance any more.

Pat Niemeyer

Re:Java is a type-safe language at the VM level...

[hobuddy]

You're quite right that Java's speed is excellent these days (for non-GUI code, at least). I've spent a lot of time recently working with a large system that was first implemented in Java (by highly skilled developers) and then ported to C++ (by greenhorns). The C++ port is only 50-100% faster, which isn't worth the price in developer time that's been wasted on memory leaks and other forms of memory corruption that were never a factor in Java. Besides that, supporting multiple platforms with the C++ version is the #definition of pain.

However, the C++ version uses only about 1/4 or 1/5 as much memory as the Java version, and starts up far more quickly. If a *desktop* application needs to be deployed on older machines, or if the application is so memory-intensive it taxes the limits of today's server hardware, Java still falls flat.

Re:Java is a type-safe language at the VM level...

[StarsAreAlsoFire]

I call bullshit.

If 'greenhorn' C++ developers can make an app that is even ONE PERCENT faster, then the Java Developers WERE NOT 'highly skilled'. Period. But TWICE as fast? As in, C++ takes 1/2 the time to execute 'x' as the Java version? No way. Not even if we are talking linear algebra code* [home.cern.ch].

An experienced Java programmer knows you have to memory manage large apps. Yes, Java will *always* use more memory than an equally well written C++ app; however, unless you are working *exclusively* with *huge* arr

Re:Java is a type-safe language at the VM level...

[YetAnotherAnonymousC]

That's not all. Even natively compiled Java code has additional overhead in casting operations and in object instantiation.

Re:Java is a type-safe language at the VM level...

[clem.dickey]

It's been about eight years now that Java has been touted (not necessarily by present company) as faster than C. Do I really need to check again? I did check yesterday, and Java took about one minute to bring up an application login menu. That is slower than any C program, with the possible exception of Lotus Notes. So there's speed and then there's speed. Initialization is time is still not too good in Java. Maybe Sun (and IBM, from whence my Java comes) could take a few pointers from Microsoft (Word) and

Re:Java is a type-safe language at the VM level...

[cookd]

Free and malloc are NOT very simple algorithms. They have arbitrary complexity. malloc ranges from the normal case of about 100 instructions (when a block of memory of the correct size is available) to unbounded (when data must be paged out to make enough room for the new allocation and the data for tracking it). Free can also be arbitrarily slow, as releasing one block may trigger a coalesce operation.

So you have to measure time per malloc and time per free, then total them up and compare it to GC's time per allocation and time spent in GC. In some cases, one will be significantly larger than the other, but in most nontrivial programs, using modern malloc/free and modern GC, it comes out pretty close to even.

Some argue that the "pause" from GC is a problem. Maybe. Except that as mentioned before, malloc can also "pause" for arbitrarily long times. And a lot of work has been done on "concurrent" GC that doesn't pause. If you can afford paging in from disk (swap file), you can also afford GC's "pause".

Finally, when you write a big program, you spend incredible effort in your program tracking memory. That takes cycles. "If x then save a copy cause we'll have to free it later, etc."

The bottom line is that there are some cases where GC still won't work, but those cases are getting smaller and smaller. For most cases, the argument that GC is slow or inefficient just isn't true. Go do some real benchmarks, or go study up on the already published benchmarks. GC is pretty efficient, and malloc/free has no significant speed advantage anymore.

malloc+free: fast, simple, and can be even faster

[nothings]

Malloc and free are simple algorithms, and whoever told you otherwise was wrong.

I don't know where you got your understanding of malloc, and especially free, but it's severely out of date. Knuth published about "Boundary Tags" no later than 1973 (citeseer is down, so no link). Saying that a coalesce operation "can be arbirarily slow" is just FUD. A boundary tag makes free() a fast O(1) operation: check the previous block in memory to see if it's free and if so join, a fast O(1) operation; check the next block in memory to see if it's free and if so coalesce; add free block to free-list, done. Yes, it's not zero work like a GC implementation sort-of is, but "arbitrarily slow"? It's basically at least as fast as malloc().

Allocation requests can hit disk, sure, but so can GC allocations even if they're just bumping a pointer: it all depends on the working set size. GC compaction can reduce fragmentation to reduce working set size, but that is only a big win if there's a lot of fragmentation, and most apps using a good malloc() don't exhibit that much. (It is also possible for a GC to rearrange memory so more in-working-set data is on pages together, reducing the working set page count without changing the total memory used. I don't know of any in-use implementations of this, since you need hardware support to know what objects are more-in-use; generally this is only available at the page level, where it's no help. I think maybe an early microde-based Smalltalk implementation might have done this.)

If your malloc has to walk giant free lists to find an open block, then sure, that can be slow. That's why people use trees of free lists based on size and such to make it more O(log N), and O(1) for small allocations. (On large allocations, actually using the memory amortizes the cost.) Read about dlmalloc [oswego.edu], for example.

Furthermore, let's not misrepresent GC. Stop-and-collect GCs have obvious extra costs beyond the free-of-charge free (or lack of need for one). Incremental GCs that don't pause are usually slower overall and only preferred for interactive programs. For example, incremental GCs usually require "write barriers" or "read barriers" which require several extra instruction on every fetch from memory or every write of a pointer variable in memory. This can add up across the entire program. Incremental GCs also tend to be conservative, and only end up collecting things that, say, were garbage at the start of the most recent collection round, and generational collectors allow garbage to collect in later generations for some time, so they don't actually necessarily have a smaller working set than a non-leaky malloc()/free() program.

Another big win in non-GC systems is that you can use pointers that don't come off the heap. That way you can avoid allocation and deallocation and GC entirely. (You can actually do some of this in a GC system too if it's a 'conservative' GC that copes with pointers into the middle of blocks. Those pretty much only get used for adding GC to C and C++, though.) Here are some common ways this happens:

• statically allocated arrays
• small arrays and strcts on the stack
• structs that are components of other structs, or arrays at the end of structs
• use of special allocators:
  • slab allocators (it's even possible to embed this entirely inside the default allocator for all small allocations)
  • pool allocators (allocate a large block of memory, suballocate from it, deallocate all at once)
  • "stack" allocators (allocate a large block of memory, suballocate from one end, only allow freeing from the same end, so allocation is a adding to a pointer and deallocation is reseting that pointer)

Of course, doing all these things requires that you balance your different types of malloc()s with the correct, matching type of free(). In practice, GC proponents overestimate the diffi

Unsafe code is called -- duh, Unsafe

[Saint Stephen]

I hate to defend MS on this, but you have to have a certain type of permission to call unsafe code. As soon as you call anything such as that, the whole program becomes immediately unverifiable.

Why is this here?

[zoloto]

I did Read the Fine Article and didn't find anything in it worth mentioning. Nothing specific, or even elluded to. What a waste.

What a well researched article!

[apoplectic]

New languages such as C# and Visual Basic.NET only produce managed code.

Hey, what about the keyword unsafe in C#? Sheesh.

It's called unsafe code for a reason

[jerometremblay]

Unsafe code is not subject to security checks of the .NET virtual machine. To execute unsafe code, you have to specifically grant those rights to the executing program. It is not something automatic.

Applications that require safety (for example running plugins downloaded from the net) simply don't allow those assemblies to be loaded.

Where is the problem again?

Someone should tell

[ahdeoz]

Gosling that Java is inherently insecure, as it is written in C.

Re:Someone should tell

[BlueCup]

Here Here! But, wait... if someone did that, wouldn't that make the Microsoft bashers feel like morons?

Too funny.

[augustz]

A:
In .NET you can write code that harms a computer and deletes files.
B:
In Java you can write code that harms a computer and deletes files.

A:
You can write code in C#, in which case it is managed and helps prevent you from making stupid mistakes.
B:
You can write code in Java in which case it is somewhat managed and helps prevent you from stupid mistakes.

A:
Under .NET you can write code in C++ (which very few folks developing for .net do) and you take the risk of stupid mistakes.
B:
Under Java you read Sun's doc

Rediculous

[SnprBoB86]

Assemblies (.NET DLLs and EXEs) require special permission to run unsafe code. In the eyes of .NET, all unmanaged code or any use of pointers is considered unsafe. This includes every C/C++ application ever. .NET's philosophy on security is clear:
A .NET assembly is secure except by special request to use unsafe code. Over time, all assemblies should be completely void of unsafe code except for assemblies from trusted sources.

For example: The end user can grant unsafe permissions to the Microsoft Managed Di

Re:Rediculous

[janoc]

Yeah, right - the same problem as with signed ActiveX - once a buffer overflow in the trusted code is found, your security is a fair game - the attacker has to only persuade e.g. your browser to load the buggy but trusted code. The managed languages like C# and Java were invented exactly with the purpose to prevent this kind of holes.

To me this looks like a similar problem as allowing running native code via ActiveX. Yeah, we have permissions, signing and what ever - how much does it take for a trusted but buggy ActiveX applet to be exploited?

Huge mistake, IMHO. And do not compare this to JNI - I am no Java expert, but AFAIK you simply cannot call JNI functions from something like web applet by design, whereas here it is on the discretion of the app developer.

Why oh why

[Anonymous Coward]

When elevators were first invented, people didn't want to use them because people thought they were not safe. They were right. Elevators were not safe. When Mr. Otis invented the safety elevator, which had a catch so that it would not fall even if the cable were cut, people started using elevators. It would be foolish to trust your life to an elevator without such a safety system. You could use it to lift bales of hay or cement powder or something but you wouldn't put a human being in it.

It's the same with C. We should know by now "you cannot use C to handle untrusted data (ie, data from untrusted machines on the net)". All such data need to be handled in a sandboxed system, a system with safe memory access. This means something like Java or similar things.

A lot of people will make posts that say things like "C doesn't cause the problems, it's incompetent or lazy programmers who cause the problems." Whatever. No excuse. That's like saying "we shouldn't need seat belts or airbags; all we need is to make sure that drivers don't make mistakes." Drivers and programmers do make mistakes and that's why we need safety mechanisms in both cases. C provides none. Programming in C is like driving around in a car from the fifties, with no seat belts, no airbags, no head rests, no ABS.

So any decision to extend the use of C is just foolish. What is the purpose of doing this? If people must use horrible legacy code then just use it, but why drag that into new frameworks like .NET?

It does not compute, for me at least.

Re:Why oh why

[omicronish]

So any decision to extend the use of C is just foolish. What is the purpose of doing this? If people must use horrible legacy code then just use it, but why drag that into new frameworks like .NET?

Managed C++ is basically a compatibility language. It exists to provide developers an easy way to interface legacy C/C++ code with .NET code. By providing MC++ Microsoft is actually providing a way for developers to slowly migrate to more modern languages (sorta like JNI with Java; imagine if you couldn't make

Homeowners!! Beware!

[Stevyn]

No longer should homes be built using nails. All new homes should be built with really strong glue. Even though nails are faster and easier to work with, a carpenter might accidentally smash his thumb with a hammer. Plus, nails contain metal which may warp your home in the event a huge magnet is placed near the house.

--The Elmer's Glue Foundation for Strength and Security

Beware the agenda

[BillsPetMonkey]

C++ allowed you to do arbitrary casting, arbitrary adding of images and pointers, and converting them back and forth between pointers in a very, very unstructured way.

Unstructured? Yes. A huge security hole? No more than any other language using COM objects. You can write crappy spaghetti code in any language. The type interface for .NET and the unsafe keyword for managed code are there to restrict how you use native objects.

What Gosling is really criticising is the way .NET handles managed code, which java can't do so easily (remember jini? Me neither) - so what .NET should really do according to Gosling is have a sandbox runtime with no severely restricted access to the native interfaces - to hell with performance compared no native methods? Oh, that'll be just like ummm .. java then.

I believe Gosling is wrong

[frovingslosh]

James Gosling this week called Microsoft's decision to support C and C++ in the common language runtime in .NET one of the 'biggest and most offensive mistakes that they could have made.'

Gosling is dead wrong. I believe that Microsoft will soon prove they are capable of even bigger and more offensive security mistakes.

Also, the choice to actually use .NET is at least as big of a security error.

pots and kettles, you know...

[1nv4d3r]

I guess that's why there's no java native interf...

oh. nevermind.

Yay, more rhetoric from Sun

[rabtech]

Like we really need more Rhetoric from Sun... but I'll deal with his concerns anyway.

In order to use "unsafe" code from managed C++ (or unsafe blocks in C#) you must have "FullTrust" security rights, otherwise the code fails to run.

You could shoot yourself in the foot but the runtime is perfectly capable of detecting and coping with corruption of the managed heap (generally by closing down the offending AppDomain.) Of course you can write a COM component in C++ and call it from dotnet, which is (in effect) the same exact thing! (I dare you to try and stop me from trashing Java or dotnet once I'm loaded in process via JNI or COM...)

CAS (Code Access Security) means that no other code can call your "unsafe" methods without FullTrust either, so there is no danger from code running off the web of doing this.

JNI is the same thing, Sun just gets to hide behind the lie since the risks aren't known by or integrated with the platform. At least with unsafe code the runtime is fully aware of that pointer voodoo magic you are trying to pull and can deal with it appropriately.

In other words Game Developer X can hand-tune the rendering algorithm inside the "unsafe" code areas, but develop the rest of the platform in fully managed code, making the development process much easier to write, test, and debug.

(As an aside, thanks to the antitrust ruling Microsoft is not allowed to comment on a great many things, including competitors. I don't know if this falls under that heading, but in many cases Microsoft's employees can't just come out and call bullshit when they see it for legal reasons.)

In conclusion: Sun should shut the hell up.

C programmer deals with it

[Earlybird]

• Note that this isn't a particular vulnerability, just a system of typing that makes it easy to introduce vulnerabilities, which last time I checked, all C programmers deal with.

Yes, CowboyNeal, but do they want to deal with it, and should they deal with it?

For every programmer who reads security bulletins and keeps tabs on the latest string-copying buffer overflow issues and fundamental security principles, there are a hundred who don't know or care.

C is a high-level language that:

• Has direct access to every part of the operating system and executes instructions directly from memory. This means that malicious code can slip into its memory space through buffer overflow exploitations and the like.
• Is, in almost all cases/operating systems, running with the same capabilities as the logged-in user, which means it has virtually endless power that ranges from formatting your hard drive to infecting other nodes with worms or looking through your email app's address book. It's not limited to the desktop computer of the hapless Windows user, either: Unix daemons running on servers as non-root users can cause serious havoc.

Programmers want to be productive -- most want to make things make colourful stuff happen on the screen, not fiddle around with buffer guard code. So the more security can be built into the language and its running environment, the better.

Many languages, such as Python or Ruby, provide security against what I mention in my first bullet, through a virtual machine. They're not impenetrable, and are of course, as dynamic languages, subject to a different class of security holes (eg., string evaluation of code), but they're a step up from the C level.

Other languages, like Java, provide capability-based security models, allowing for sandbox environments with fine-grained control over what a program may or may not do. Java's security system is ambitious, but since most Java apps run on the server these days, it's not frequently used, and except for browser applets, Java code tend to run unchecked.

In a way, Java tries to do what the OS should be doing. Programs run on behalf of its human user, and their destructive power is scary. Why should any given program running on my PC have full access to my documents or personal data? As we're entering an age where we have more and smaller programs, and the difference between "my PC" and "the net" is increasingly blurred. Operating systems need to evolve into being able to distinguish between different capabilities it can grant to programs, or processes -- we need to think about our programs as servants that are doing work for us by proxy.

The same way you wouldn't let a personal servant manage your credit cards, you don't want to let your program do it -- unless, of course, it was a servant (or, following this metaphor, program) hired to deal with credit cards, which introduces the idea of trust. The personal accountant trusts the bank clerk, who trusts the people handling the vault, who trust the people who built the vault, and so on.

In short, any modern computer system needs to support the notions of delegated powers, and trust.

Programmers will certainly never stop having to consider vulnerabilities in code. But painstakingly working around pitfalls inherent in one's language, be it C or indeed .NET -- we need to evolve past that. The users, upon whom we exert so much power, certainly deserve it.

Gosling Emacs security holes + spyware + malware!

[SimHacker]

Gosling Emacs (written by none other than James Gosling) has many HUGE security holes that you can pilot an aircraft carrier through.

Emacs has a notorious "shell" facility that can actually run a shell and send it arbitrary commands!!!

In fact, there's even a built-in scripting langauge called "Mocklisp" that enables hackers and viruses to totally reprogram the behavior of the editor (and it looks like Lisp, but without any of those confusing lexical closures and list processing functions).

Gosling Emacs is actually spyware, because it has a hidden "keyboard macro" facility that can spy on every character you type! Emacs is also malware, because at any point it can instantly undo any editing changes you've made!

One of the biggest most offensive mistakes is that James Gosling has not fixed these huge security holes in Emacs, after all these years. In fact, many of the security holes have been reimplemented in another notorious piece of communist spyware called Gnu Emacs!

All Emacs should be banned!!!

-Don

Gosling is right, but Java has the same problem

[DavidHopwood]

.NET and Java are both insecure, because they both rely on too much code written in unsafe languages.

If you want to implement a system based on language-level security using a mixture of code in safe and unsafe languages, as little as possible of the system must be written in the unsafe language(s), and that part must be treated as being in the system TCB.

Some unsafe code is unavoidable if you want the system to be able to use OS facilities on Windows and Unix. However, it must be written by people who know how to write secure code, and gone over with a fine-tooth comb for possible weaknesses.

It is completely disingenuous for either Microsoft or Sun to claim that these platforms are secure, given that their implementations depend on millions of lines of unsafe-language code that no-one is ever going to review properly. Even more so since both .NET and Java allow any arbitrary application to load unsafe code.

So basically, Gosling's argument is correct: .NET will never be secure with its current architecture. Neither will Java. I am personally convinced that language-based security can be made to work (using a capability security model), but not the way Microsoft or Sun are doing it.

Re:James Gosling is an expert in this area

[sapgau]

Man, why don't you tell us why you really hate Java.

No, Java is not suitable (or useful) for what an engineer would call a "critical" application. Those applications are coded in C or C++ (or Assembler).

I'm using java because that was the business decision made by my boss (or my boss' boss). So I'm just told what I have to do (what interface the user expects, what system I have to connect to, etc.) But for the company I work for, Java might be a critical part of their business plan.

For example, you won't find java in a heart monitor in the hospital but probably find the server that keeps your health records is done in Java. Whoever is developing the Health record system can (more or less) pass the code to a new developer to continue working on it without expecting the new guy to be an expert on that particular system.

Anyway, this could all be bullshit if sound coding practices are not follow on ANY language.

Re:James Gosling is an expert in this area

[reflective recursion]

i was thinking more along the lines of Lisp or Scheme. please do your own research, I really don't have time to school a newbie. Java is nothing new. Hell, even pascal had P-code. Welcome to the 1980s and prior. GC is some new technology according to Java people.. what a fucking joke.