Sunday, November 24, 2013

Java is OK

The typical entrenched C++ developer when asked about Java
I'm sure you've heard the alarmist headlines.  The intertubes are clogged with articles titled things like "Java is Insecure and Awful, It’s Time to Disable It", "Homeland Security warns to disable Java amid zero-day flaw", or "Uninstall Java Now!".  This modern day witch hunt is entirely groundless.  Java is not, as some may have you believe, inherently insecure.  Java's only long-standing security hole is that its users refuse to update to the latest version and instead insist on sticking with software that came out in 2006!  I'm here to say "relax! Java is OK".

C++ developers decrying Java as insecure is a paragon of hypocrisy.  Because Java doesn't permit access to memory management or pointers, a whole class of bugs and security flaws are rendered impossible.  For example, let's say we have an int array called arr that is 5 ints long.  In C++, it's perfectly legal for us to reference the value arr[-1] (http://ideone.com/JFrEnm), but in Java such a silly statement is automatically decried as an exception (http://ideone.com/Ah1kLn).  The reason is that Java abstracts away the subscript operator (the "hard brackets" []) as a function call that fetches the given index from the internal array implementation, whereas the C++ subscript operator performs simple pointer arithmetic.  In C++, arr[3] is identical to *(arr + 3) (http://ideone.com/JFrEnm).  The second statement evaluates the address that the arr pointer refers to and adds 3 to it, then dereferences (gets the value at) the new memory location.  So in C++, arr[-1] just refers to the value held one unit before the address that arr points to.  It's crazy that this is allowed, because THERE IS NO WAY TO KNOW what is held at a memory location beyond the bounds of the array!  If this is ever used in real code it's a bug or a hack.  Even if out-of-bounds values weren't permitted with the bracket notation, C++ programmers could get around this by doing pointer arithmetic, but there's simply no way to do this in Java.

"If you have Java installed and want to ensure that your system is secure, Oracle strongly recommends that you upgrade to the most recent release."

Similarly, Java throws an exception if one attempts to use a null (uninitialized) pointer (http://ideone.com/dr8enx), but it's perfectly legal to do so in C++.  Furthermore, "dangling pointers" are almost impossible to create in Java but are commonplace in C++.  Memory leaks are nearly as rare in Java because of the almighty garbage collector.  I can't think of a way to create a buffer overflow in Java (that is, I think if an unchecked buffer overflow occurred the program would just stop), which covers a wide variety of holes (please feel free to correct me on this).

Lucifer, the quinteſſential demonic being
Pseudo-pundits would have you believe that if you use Java your daughters will start dancing naked in the woods, engage in ſinful behaviors and conſort with ye demonic beaſts.  This madly anti-Java mindset is likely fueled by ignorance, and is evocative of the misguided Reverend Parris from Arthur Miller's The Crucible.  Those unfamiliar with Java denounce it as riddled with security holes because they do not believe themselves capable of learning a new language.  Like Parris, if they fear they are losing control of a situation, they spout wild and unfounded accusations to prevent their own inadequacy from coming to light.

The largest Java security vulnerability is the fact that most users are running Java SE 6, which is no longer supported by Oracle (see http://en.wikipedia.org/wiki/Java_version_history).   You can't blame Oracle for pulling support from a version of Java that came out in 2006!  People, you need to update your freakin' Java!  The update dialogs are annoying for a reason.  Later versions of Java are well supported and actively developed by the good people at Oracle.  From the Oracle website: "If you have Java installed and want to ensure that your system is secure, Oracle strongly recommends that you upgrade to the most recent release."

Anyone looks like a witch with a carrot on their nose
Java's critics may try as much as they like to pin the update carrot on Duke's almost immaculate nose, but truly skilled programmers will see through their fallacious argument and simply update their Java versions rather than join in on the witch hunt.  I urge you, as John Proctor urged the people of Salem in the Crucible, to see through the lies.  In the meantime, though, it wouldn't hurt to update Java.
Evil Witch or
Versatile programming language?

No comments:

Post a Comment