Secure Coding mailing list archives

Insecure Java Code Snippets


From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 7 May 2009 15:54:36 -0400 (EDT)


On Thu, 7 May 2009, ljknews wrote:

> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>
>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
>> They can be really hard to figure out,
>
> And yet people keep choosing those programming languages.

Yeah.  Like the developers of the compilers/interpreters for Java, Perl,
PHP, Ruby, Python, and probably whatever else the kids are raving about
these days.  ;-)  And of course these languages never use C/C++ libraries.
I imagine that at some point, even things like Ada boil down to some
assembly code somewhere.

More seriously, at one point or another you're building on top of
something else that's insecure, and while that might mostly remove you
from the bugs that occur at the lower level, all it really means is the
vulnerabilities shift to a higher level and are much more powerful.  C
programmers would rarely bother to take untrusted input, insert it into a
program, compile the program, and execute that program.  But PHP
programmers like to do that all the time by implementing config files as
PHP programs and inserting untrusted data into them.  Or how about all
those web worms compromising gazillions of LAMP installations because of
PHP's little remote file inclusion feature?

I'm not saying that later-generation languages don't have important
features that are useful for security, but I personally wouldn't want to
implement some real-time high-throughput packet analyzer in Java, nor
would I want to implement a blogging system in C.  Compiler features like
canary-based protection are making significant improvements for C-based
security, just like Java performance is improving.

Can't wait for the flames.

- Steve
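The "config file implemented as a PHP program" pattern from the message above, as an added example (not from the original post or its author): a config writer that pastes values into PHP source, beside a JSON equivalent that keeps configuration as data. The function names and temp-file paths are assumptions; the input value is constructed.

```php
<?php
// Added example, not part of the original post. Constructed data only.

// The pattern Steve describes: a "config file" that is really a PHP
// program, built by pasting a value straight into source text. Whatever
// the value does to the PHP grammar, it does to the program.
function writeConfigAsPhp(string $path, array $cfg): void
{
    $src = "<?php\n\$config = [\n";
    foreach ($cfg as $key => $value) {
        // String interpolation: $value lands inside the quotes unescaped.
        $src .= "    '$key' => '$value',\n";
    }
    $src .= "];\n";
    file_put_contents($path, $src);
}

// Safer: keep configuration as data. JSON is parsed, never executed, so an
// untrusted value can only ever be a value, never code.
function writeConfigAsJson(string $path, array $cfg): void
{
    file_put_contents($path, json_encode($cfg, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR));
}

function readConfigAsJson(string $path): array
{
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// Constructed input: an ordinary site title that happens to contain an apostrophe.
$cfg = ['title' => "Alice's site"];

$phpPath  = sys_get_temp_dir() . '/config_demo.php';   // assumed path
$jsonPath = sys_get_temp_dir() . '/config_demo.json';  // assumed path

writeConfigAsPhp($phpPath, $cfg);
// The apostrophe closed the string literal early, so the file is no longer
// valid PHP: the data crossed into the code context. `php -l` reports that.
exec('php -l ' . escapeshellarg($phpPath), $out, $rc);
echo "PHP-source config lints as " . ($rc === 0 ? "valid" : "INVALID") . "\n";

writeConfigAsJson($jsonPath, $cfg);
$back = readConfigAsJson($jsonPath);
// The same value survives a JSON round trip unchanged, quotes and all.
echo "JSON config round-trips intact: " . var_export($back === $cfg, true) . "\n";
```

A review check for this pattern is simple: any writer that emits `<?php` from a template with interpolated values is a code generator, not a config writer, and needs the JSON (or `var_export`) treatment.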
