I just recently finished reading Secure Coding in C and C++ by Brian Seacord, who works for CERT.
Overall, it’s an excellent book and I would recommend it to any programmer who hasn’t yet read it. After reading it, it occurs to me that for all the various types of security vulnerabilities (such as exploit code injection, buffer overflows, integer overflows, string formatting vulnerabilities, etc.), every single security hole seems to come down to one thing: the ability to access a memory address that isn’t bounded by a buffer that was legitimately allocated by the process.
The ability to inject malicious code, or reroute the program logic depends entirely on being able to access memory addresses that fall outside legitimately allocated buffers. But in a language like Java, this is simply impossible. The worst that could happen is a program will terminate with an ArrayIndexOutOfBoundsException, leading to a denial-of-service.
So are there any security vulnerabilities possible in “safe” languages like Java, where invalid memory accesses are not possible? (I use Java as an example here, but really I’m interested in knowing about security vulnerabilities in any language that prevents invalid memory accesses.)
Of course a book focused on C / C++ will focus on the most common exploit. Memory tricks on the stack and so forth.
As for the “obvious” example of a language with plenty of security cavats without any direct memory access… hows PHP? Aside from the usual XSS, CSRF and SQL injection, you’ve got remote code injection on older versions of PHP because of include magic and so forth. I’m sure there are Java examples, but I’m not a Java security expert…
But because Java Security experts do exist, I’m sure there are cases that you have to worry about. (in particular, I’m sure SQL injection also plagues naive web Java Developers).
EDIT: off the top of my head, Java does have dynamic loading of classes through ClassLoader. If you were to write a custom class loader for some reason, and you didn’t verify the .class files, then you would open your program up to code-injection. If this custom class loader somehow read classes from the internet, then it would also be possible to have remote code injections. And as strange as it sounds, this is pretty common. Consider Eclipse and its plugin framework. Very literally, it is loading downloaded code automatically and then running them. I admit, I don’t know the architecture of Eclipse, but I bet you that security is a concern for Eclipse plugin developers.