3

After reading this article ("Everything is broken" by Quinn Norton) I was about to ask a question similar to this one (Why are security-crucial software written in unsafe languages?)... but actually I am more interested in counter-examples — where the security-crucial software is written in safe languages and does not use any "unsafe" libraries (except, maybe, some OS libraries — it's very hard to do without them...). By safe I mean, at least, not prone to buffer overflow attacks and other "nice" gifts from C/C++.

I have found so far only one example — tkabber, which is written in Tcl, but it does use OpenSSL, which is written in C, which makes it inherently unsafe. And every web browser that I can think of is written in C or C++, too...

Display Name

1 Answer

-1

The short answer is

  1. All software is built on top of lower-level software. Java is built on top of a Java Virtual Machine, which is built on top of an operating system, which is built on top of device firmware and your motherboard BIOS.

  2. All software has bugs.

You can't say, "I use Java, so I am immune to buffer overflow attacks." Computers don't work like that, because no matter what programming language you use, everything eventually ends up as instructions that execute on your CPU. There will always be an interface between your "safe" language and your "unsafe" CPU instructions.

user2675345
  • Of course, you are right. But in such very common software (JVM, for example) critical bugs get noticed more quickly, because, well, the same JVM is used by thousands of applications... so when an application is written by a *mere mortal*, it would have a lesser chance of having buffer overflow vulnerabilities if it's written in a managed language like Java instead of C, because the JVM is checked far more frequently. – Display Name May 22 '14 at 16:45
  • I want to say that if N apps use 1 virtual machine, then only that one virtual machine needs to be checked for buffer overflow attacks. But if all apps are done in a native unsafe language, then all of them must be checked — roughly N times more time to check (assuming these apps are big enough to be non-trivial), and there are not so many humans who are good at finding security issues. – Display Name May 22 '14 at 16:48
  • "very common software (JVM, for example) critical bugs get noticed more quickly": I do not fully agree with this. Internet Explorer is the most popular web browser but has an abysmal record for security. – user2675345 May 23 '14 at 09:55
  • Internet Explorer is mostly used by people who don't care about security and convenience, I guess (even if it is at the same time the most popular, which is doubtful), and because of this it may be checked not so thoroughly – Display Name May 23 '14 at 10:12