The Joel on Software Discussion Group (CLOSED)

A place to discuss Joel on Software. Now closed.

Is managed code a potential panacea against worms and exploits?

I have heard and read claims that managed code is supposed to be "secure". Well, so suppose we rewrite the TCP/IP stack, all the internet-facing drivers, the browser, the email client and anything else that is somehow dealing with stuff coming from the internet into managed code, like Java. Will this all of a sudden massively minimize the threat from worms and Chinese hackers? Otherwise, what exactly is the big deal about managed code and security?
Michael L
Friday, May 01, 2009
 
 
It eliminates some attacks, but mostly it just kicks the problem higher -- look at the history of security flaws in web browsers.
d
Friday, May 01, 2009
 
 
Managed code will not protect you against SQL injection, for example. It minimizes the threat of buffer overflows, but does not prevent such things as exploitable race conditions, memory leaks (which can be a security problem), or other stuff.
quant dev
Saturday, May 02, 2009
 
 
There are a couple of things. Managed code should make problems like buffer overflow attacks and memory leaks harder. Java and .NET also support running in sandboxed environments, making running apps over the internet safer.
Mike Swaim
Saturday, May 02, 2009
 
 
Yes, I understand about SQL injections and so forth. However, let's consider a more narrow task - protection of personal computers connected to the web from worm or hacker attack. A personal computer cannot be targeted with SQL injection. Suppose we wouldn't deal with any Flash, Word docs or stuff like that. If we need to use JavaScript, let's say we will write a JavaScript interpreter in managed code. And to eliminate the threat of social engineering let's imagine that we have Kevin Mitnick operating the computer or something :). Well, under such conditions would the managed code approach make our computer invulnerable to trojan installation?
Michael L
Saturday, May 02, 2009
 
 
Nothing in this world is going to make your PC invulnerable.  I think the first step should be in choosing better verbiage and defining the goals a bit more explicitly.
Fake Programmer
Saturday, May 02, 2009
 
 
"A personal computer cannot be targeted with SQL injection. "

Imagine a mail client which stores the address database in a SQL-database backend...
quant dev
Sunday, May 03, 2009
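
The scenario in the two posts above, as an added example that is not part of the original thread: a mail client keeps its address book in SQLite and looks up the sender of an incoming message. Python stands in here for a memory-safe runtime; the schema, function names and sender strings are constructed for illustration.

```python
import sqlite3

def open_address_book():
    """In-memory stand-in for the client's address database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (email TEXT PRIMARY KEY, name TEXT, trusted INTEGER)")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                   [("alice@example.org", "Alice", 1),
                    ("bob@example.org", "Bob", 0)])
    return db

def is_trusted_concat(db, sender):
    # Flawed: the sender string from the message header becomes part of the SQL text.
    # No memory is corrupted; the runtime executes exactly the query it was handed.
    query = "SELECT 1 FROM contacts WHERE trusted = 1 AND email = '" + sender + "'"
    return db.execute(query).fetchone() is not None

def is_trusted_bound(db, sender):
    # Hardened: the sender is bound as a parameter, so it is only ever compared as data.
    query = "SELECT 1 FROM contacts WHERE trusted = 1 AND email = ?"
    return db.execute(query, (sender,)).fetchone() is not None

def compare(db, sender):
    """Return (concat_result, bound_result); 'error' if the built query no longer parses."""
    try:
        concat = is_trusted_concat(db, sender)
    except sqlite3.Error:
        concat = "error"
    return concat, is_trusted_bound(db, sender)

# Constructed sender values, as they might arrive in a From header.
SAMPLE_SENDERS = [
    "alice@example.org",              # trusted contact
    "bob@example.org",                # known but not trusted
    "nobody@example.net' OR '1'='1",  # quote changes the WHERE clause
    "o'brien@example.org",            # harmless apostrophe breaks the built query
]

if __name__ == "__main__":
    book = open_address_book()
    for s in SAMPLE_SENDERS:
        print(repr(s), compare(book, s))
```

The third sender is reported as trusted by the concatenating lookup and as unknown by the bound one; the language's memory safety plays no part in either outcome.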
 
 
Imagine a client that doesn't. ANALYTICAL solving of problems begins from RESTRICTING the problem domain. Hard problems are solved part by part. So can you stop muddying the waters and address the topic at hand?
Michael L
Thursday, May 07, 2009
 
 
Michael L:  Perhaps you need to take a deep breath.  If you make demonstrably false statements, do not be surprised if someone points out your error.

Sincerely,

Gene Wirchenko
Gene Wirchenko
Friday, May 08, 2009
 
 
Gene,

What false statement did I make? I am asking questions here. And I ask a question - if we restrict the problem domain to ignore email clients that use databases or users who are KGB plants while we are at it, will managed code protect us from worms or not?

Note that I am not trying to sell you anything, convince you of anything or call you bad names. I am just trying to hold a productive discussion here and learn new info on this topic.
Michael L
Sunday, May 10, 2009
 
 
"what false statement did I make? I am asking questions here. And I ask a question - if we restrict the problem domain to ignore email clients that use databases or users who are KGB plants while we are at it, will managed code protect us from worms or not?"

As already pointed out by quant dev, the false statement is "A personal computer cannot be targeted with SQL injection."

No, as already pointed out by others.  It might help -- just as locking one's door may help your home security -- but it is not a cure-all.

Sincerely,

Gene Wirchenko
Gene Wirchenko
Monday, May 11, 2009
 
 

This topic is archived. No further replies will be accepted.
