Re: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books]

Wed, 15 Nov 2006 10:30:14 -0800 

At 3:44 PM +0000 11/15/06, Pete Shanahan wrote:
> ljknews wrote:
>> At 8:18 PM -0600 11/14/06, Wall, Kevin wrote:
>> 
>>> That makes a Java
>>> inappropriate
>>> for a lot of system-level programming tasks. Simple example: There's no
>>> way
>>> in pure Java that I can lock a process in memory. Wrt this list, that
>>> has
>>> a lot of security ramifications especially on shared processors. Sure
>>> makes
>>> hiding secrets a lot harder.

I did not write any of that.

> It's an operating system feature where you can lock a chunk of the memory of a
> process such that it is not swapped out at any time.
> 
> see the specs for mlock, madvise.

Those words mean nothing to me, but I presume you are talking about
either locking a page into memory:

        http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_081.html#jun_369

or locking a page into the working set:

        http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_082.html#jun_373

or preventing an entire process from being swapped out:

        http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_105.html#jun_526

None of those resolve the responsibility of the operating system to remove
residue from memory before transferring it to another user.  That is true
regardless of whether the process is running compiled code or a bytecode
engine (which is the real issue, not the implementation language).

> win32, I believe has an even more feature ridden facility for secure memory.
> 
> on the receipt of abnormal termination signals this memory can be cleared, 
> thus
> keeping the secret safe, so you could produce a process crash dump that is
> sanitized for sending to a support group.

Yes, that is present in my environment as well.  Is the problem that the
bytecode engine used with languages like Java do not have a function to
exclude certain parts of memory from process crash dumps ?  That was not
clear from the prior statement.
-- 
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Reply via email to