Comment The whole idea of "unsafe code" is a myth. (Score 1) 678

The whole idea of "unsafe code" is a myth. Only operating systems can be unsafe.

Linux and NT have always allowed even the lowliest user to create a file with any arbitrary code in it, give it executable privileges, and run it without endangering other users. This is exactly the right model for code downloaded off the web. It should be run in a separate VM as user "foreign_code_from_sitename.com", and that user's privileges should be restricted in just the way that a Java app's privileges are restricted.

There are only two reasons this hasn't happened:

  1. Most people are running insecure OSes like Win9x and MacOS 8.
  2. The designers of the UNIX and NT platforms didn't anticipate the fine control of user privileges that would be desirable for downloaded code. You can't, for instance, restrict a user to connecting only to a specific domain on the net (as far as I know). Nor can you restrict a user to accessing only a specific set of files: instead, you have to restrict each file to certain users, which is exactly backwards.

The first problem will eventually go away on its own. The second problem can, and should, be fixed by extending the user privilege concept at the operating system level.

Instead, the designers of Java basically reimplemented the protected VM concept at the application level. Given that they didn't control most users' hardware or OS, this was probably the best they could do -- but it was nothing more than a gross hack, and it should be treated as such. What really bothers me about it is that they don't seem to have noticed that they were reinventing the wheel, and instead have tried to present the concept of secure executable code as though it were a radical new idea.

Using a "safe" (i.e. type-safe) language can still be a good idea, when protection against a large class of hard-to-find bugs is more important than run-time performance. And using interpreted bytecode (aka P-code) is often a good way to make your software portable. But those are matters of reliability and portability, not security, and they can and should be left up to each individual software architect. When you're running on a machine which has very fast security support in hardware, any platform which has no way to safely run arbitrary unsigned machine code is pathetically broken. And that seems to be true of both Java and .NET.
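The comment argues for a subject-centric privilege model: a per-principal list of what a downloaded program may touch (a set of directories, a set of network domains) rather than per-object ACLs naming which users may touch each file. The block below is an added illustration, not the commenter's code or anything Slashdot or any OS ships. It models that policy in user space: the principal name `foreign_code_from_sitename.com` is taken from the comment, the `/sandbox/...` directory, the `POLICIES` table and the `acl` sample are constructed for the example. It also shows the two checks such an allow-list needs to get right: path canonicalization so `..` cannot escape the allowed directory, and domain matching that accepts subdomains but rejects look-alike hosts. The last function shows the "backwards" ACL model the comment complains about: confining one principal means visiting every object's entry.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class PrincipalPolicy:
    """Subject-centric policy: what one principal may touch (constructed example)."""
    allowed_dirs: tuple = ()     # directories the principal may read/write inside
    allowed_domains: tuple = ()  # domains (and their subdomains) it may connect to

# Hypothetical policy table keyed by principal, as the comment proposes.
POLICIES = {
    "foreign_code_from_sitename.com": PrincipalPolicy(
        allowed_dirs=("/sandbox/sitename.com",),
        allowed_domains=("sitename.com",),
    ),
}

def _normalize(path):
    """Collapse '.' and '..' lexically (no filesystem access) so the check is
    deterministic and '/sandbox/x/../../etc/passwd' becomes '/etc/passwd'."""
    return posixpath.normpath(posixpath.join("/", path))

def may_access_file(principal, path):
    """True only if the canonical path lies inside one of the principal's allowed dirs."""
    policy = POLICIES.get(principal)
    if policy is None:
        return False  # unknown principal: default deny
    target = _normalize(path)
    for root in policy.allowed_dirs:
        root = _normalize(root)
        # Compare with a trailing slash so '/sandbox/sitename.com.evil' is not
        # mistaken for a child of '/sandbox/sitename.com'.
        if target == root or target.startswith(root.rstrip("/") + "/"):
            return True
    return False

def may_connect(principal, host):
    """True if host equals an allowed domain or is a subdomain of one.
    Suffix matching is on '.' + domain, so 'evil-sitename.com' does not match."""
    policy = POLICIES.get(principal)
    if policy is None:
        return False
    host = host.rstrip(".").lower()  # strip trailing root dot, case-fold
    for domain in policy.allowed_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False

def acl_entries_to_edit(acl, principal, allowed_paths):
    """Object-centric (ACL) model: acl maps each file to the set of users allowed.
    Confining one principal to allowed_paths requires visiting every object's entry;
    returns the files whose ACL would have to change."""
    allowed = {_normalize(p) for p in allowed_paths}
    return [path for path, users in acl.items()
            if principal in users and _normalize(path) not in allowed]

if __name__ == "__main__":
    p = "foreign_code_from_sitename.com"
    print(may_access_file(p, "/sandbox/sitename.com/cache/page.html"))   # True
    print(may_access_file(p, "/sandbox/sitename.com/../../etc/passwd"))  # False
    print(may_connect(p, "cdn.sitename.com"))                            # True
    print(may_connect(p, "evil-sitename.com"))                           # False
```

The subject-centric checks need one policy entry per principal; `acl_entries_to_edit` shows that the per-object model needs a pass over every file that currently lists the principal, which is the asymmetry the comment calls backwards.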
