At 3:44 PM +0000 11/15/06, Pete Shanahan wrote:
> ljknews wrote:
>> At 8:18 PM -0600 11/14/06, Wall, Kevin wrote:
>>
>>> That makes a Java inappropriate
>>> for a lot of system-level programming tasks. Simple example: There's no way
>>> in pure Java that I can lock a process in memory. Wrt this list, that has
>>> a lot of security ramifications especially on shared processors. Sure makes
>>> hiding secrets a lot harder.

I did not write any of that.

> It's an operating system feature where you can lock a chunk of the memory of a
> process such that it is not swapped out at any time.
>
> see the specs for mlock, madvise.

Those words mean nothing to me, but I presume you are talking about
either locking a page into memory:

    http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_081.html#jun_369

or locking a page into the working set:

    http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_082.html#jun_373

or preventing an entire process from being swapped out:

    http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_105.html#jun_526

None of those resolve the responsibility of the operating system to
remove residue from memory before transferring it to another user.
That is true regardless of whether the process is running compiled
code or a bytecode engine (which is the real issue, not the implementation
language).

> win32, I believe has an even more feature ridden facility for secure memory.
>
> on the receipt of abnormal termination signals this memory can be cleared, thus
> keeping the secret safe, so you could produce a process crash dump that is
> sanitized for sending to a support group.

Yes, that is present in my environment as well.

Is the problem that the bytecode engine used with languages like Java
does not have a function to exclude certain parts of memory from process
crash dumps? That was not clear from the prior statement.
--
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
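
Added example, not part of the messages above: a C sketch of the facilities the thread names, assuming Linux with glibc. It locks a buffer against swap with mlock, excludes it from core dumps with madvise(MADV_DONTDUMP), and wipes it on SIGSEGV/SIGABRT before the dump is written. The names secret_alloc, secret_wipe and secret_free are hypothetical helpers.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical helper names; one secret region per process for brevity. */
static volatile unsigned char *g_secret;
static size_t g_len;

/* Overwrite through a volatile pointer so the stores are not optimised away. */
void secret_wipe(void) {
    for (size_t i = 0; g_secret && i < g_len; i++) g_secret[i] = 0;
}

/* Async-signal-safe: wipe, then let the default action (core dump) proceed. */
static void wipe_and_die(int sig) {
    secret_wipe();
    raise(sig); /* SA_RESETHAND has already restored the default disposition */
}

/* Returns the buffer, or NULL. *flags reports which protections took effect:
 * bit 0 = locked against swap, bit 1 = excluded from core dumps. */
unsigned char *secret_alloc(size_t len, int *flags) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    *flags = 0;
    if (mlock(p, len) == 0) *flags |= 1;   /* can fail under RLIMIT_MEMLOCK */
#ifdef MADV_DONTDUMP                        /* Linux-specific advice value */
    if (madvise(p, len, MADV_DONTDUMP) == 0) *flags |= 2;
#endif
    g_secret = p; g_len = len;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = wipe_and_die;
    sa.sa_flags = SA_RESETHAND;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGABRT, &sa, NULL);
    return p;
}

/* Wipe before unmapping, so residue is cleared by the process itself. */
void secret_free(void) {
    if (!g_secret) return;
    secret_wipe();
    munlock((void *)g_secret, g_len);
    munmap((void *)g_secret, g_len);
    g_secret = NULL; g_len = 0;
}
```

Callers should inspect the returned flags and decide whether to continue when locking or dump exclusion was not granted.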