Secure Coding mailing list archives
Could I use Java or c#? [was: Re: re-writing college books]
From: ljknews at mac.com (ljknews)
Date: Wed, 15 Nov 2006 12:23:47 -0500
At 3:44 PM +0000 11/15/06, Pete Shanahan wrote:
> ljknews wrote:
>> At 8:18 PM -0600 11/14/06, Wall, Kevin wrote:
>>> That makes Java inappropriate for a lot of system-level programming tasks. Simple example: There's no way in pure Java that I can lock a process in memory. Wrt this list, that has a lot of security ramifications especially on shared processors. Sure makes hiding secrets a lot harder.

I did not write any of that.

> It's an operating system feature where you can lock a chunk of the memory of a process such that it is not swapped out at any time. See the specs for mlock, madvise.

Those words mean nothing to me, but I presume you are talking about either locking a page into memory:

http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_081.html#jun_369

or locking a page into the working set:

http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_082.html#jun_373

or preventing an entire process from being swapped out:

http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_105.html#jun_526

None of those resolve the responsibility of the operating system to remove residue from memory before transferring it to another user. That is true regardless of whether the process is running compiled code or a bytecode engine (which is the real issue, not the implementation language).

> win32, I believe, has an even more feature-ridden facility for secure memory. On the receipt of abnormal termination signals this memory can be cleared, thus keeping the secret safe, so you could produce a process crash dump that is sanitized for sending to a support group.

Yes, that is present in my environment as well. Is the problem that the bytecode engine used with languages like Java does not have a function to exclude certain parts of memory from process crash dumps? That was not clear from the prior statement.

--
Larry Kilgallen
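The facilities named in this message (mlock, madvise, keeping secrets out of crash dumps, clearing memory before release) are shown together below in C. This is an added example, not code from the thread. It assumes Linux, where MADV_DONTDUMP is available, and the names secret_buf, secret_alloc, secret_wipe and secret_free are hypothetical helpers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes MAP_ANONYMOUS and MADV_DONTDUMP on glibc */
#endif
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type for this example. */
struct secret_buf {
    unsigned char *p;  /* page-aligned mapping, NULL on failure */
    size_t len;        /* mapping length, rounded up to whole pages */
    int locked;        /* 1 if mlock() succeeded (pages will not be swapped) */
    int nodump;        /* 1 if the range is excluded from core dumps */
};

/* Map whole pages so the lock and dump settings cover only the secret. */
struct secret_buf secret_alloc(size_t want)
{
    struct secret_buf b = {0};
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (want + page - 1) / page * page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return b;
    b.p = p;
    b.len = len;
    /* mlock can fail (RLIMIT_MEMLOCK, missing privilege): record the
       outcome so the caller can refuse to load the secret if unlocked. */
    b.locked = (mlock(p, len) == 0);
#ifdef MADV_DONTDUMP
    b.nodump = (madvise(p, len, MADV_DONTDUMP) == 0);
#endif
    return b;
}

/* Overwrite through a volatile pointer so the stores are not optimized away. */
void secret_wipe(struct secret_buf *b)
{
    volatile unsigned char *v = b->p;
    for (size_t i = 0; i < b->len; i++)
        v[i] = 0;
}

/* Wipe first, then unlock and unmap. Returns 0 on success, -1 if unset. */
int secret_free(struct secret_buf *b)
{
    if (!b->p) return -1;
    secret_wipe(b);
    if (b->locked) munlock(b->p, b->len);
    int rc = munmap(b->p, b->len);
    b->p = NULL;
    return rc;
}
```

A caller that requires the guarantees should check `locked` and `nodump` before copying key material into the buffer; a managed runtime would have to reach calls like these through native code.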