Is standard Java immune to memcpy security flaws like the recent open ssl heartbeat flaw?

Question

Recently, the library openssl has been revealed to have a serious flaw that enables attackers to read up to 64KB of memory.

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

The cause seems to be due to the use of memcpy and not cross checking the size of the input provided by the attacker.

If we assume standard libraries (not calling out to C), is Java immune to these types of security flaws?

To be more specific about type of security flaw, I'm not referring to trusting user input, but specifically bounded memory access.

Define "immune"? I would say safer then C. There is no such thing as bug free software. Also, the operating system might be compromised. Java is not a panacea. — Elliott Frisch, Apr 08 '14 at 18:37
No but I'm not claiming bug free software, instead if its immune to a particular class of errors. I could be extreme in this example, Linux is obviously immune to windows executable viruses since it can't even run them. — bmillare, Apr 08 '14 at 18:39
See section “Get answers to practical, detailed questions” in http://stackoverflow.com/tour — Pascal Cuoq, Apr 08 '14 at 18:41

DNA · Accepted Answer · 2014-04-08T20:12:08.937

3

Java is safer, because it doesn't use pointer arithmetic, does bounds checking, and doesn't (normally) allow one to access arbitrary chunks of memory (see sun.misc.Unsafe !).

However, similar problems could arise, in principle, if one reads and writes bytes from an array, ByteBuffer, etc according to offsets provided by an untrusted client. The problem is much reduced, because one can only attack data within the bounds of that array (or similar container) rather than data in arbitrary adjacent objects.

Even with Unsafe, one would typically be, uh, Safe, because one tends to use it for allocating and accessing a very specific set of performance-critical objects, rather than the entire application (including encryption keys, passwords, etc).

The fundamental problem is trusting user input, and that can happen in any language, and a whole variety of contexts, e.g. SQL injection.

edited Apr 08 '14 at 20:12

answered Apr 08 '14 at 18:39

DNA

42,007
12
107
146

The `java.misc.Unsafe` bit implies that the answer to the question is a straightforward "no". – Fred Foo Apr 08 '14 at 18:41
2

No, Java is not immune ;-). However, `Unsafe` is pretty exotic, and one has to deliberately choose to use that exotic (undocumented!) feature to define an unsafe region of memory, rather than it happening by accident through normal usage of the language. – DNA Apr 08 '14 at 18:41
I posted a variant that doesn't involve `java.misc.Unsafe`. – Fred Foo Apr 08 '14 at 18:55
Yes, that's a good one! – DNA Apr 08 '14 at 18:56
That **sun**.misc.Unsafe!!! – Tom Hawtin - tackline Apr 08 '14 at 20:11

Is standard Java immune to memcpy security flaws like the recent open ssl heartbeat flaw?

1 Answers1