
java security


Some notes from Chapter 3 of "Inside the Java Virtual Machine".

1. Some of Java's security mechanisms:

  • type-safe reference casting
  • structured memory access (no pointer arithmetic)
  • automatic garbage collection (can't explicitly free allocated memory)
  • array bounds checking
  • checking references for null

2. Structured memory access: the manner in which the runtime data areas are laid out inside the Java virtual machine is unspecified.

When the Java virtual machine loads a class file, it decides where in its internal memory to put the bytecodes and other data it parses from the class file. When the Java virtual machine starts a thread, it decides where to put the Java stack it creates for the thread. When it creates a new object, it decides where in memory to put the object.

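Structured memory access: the JVM assigns the memory addresses for data automatically. Because the VM specification does not specify memory addresses, the class file does not specify them either, and the various JVM implementations differ, it is hard for an attacker to find the memory addresses needed to make malicious code work.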

 

 

3. First of all, the robustness guarantees don't hold for native methods. Although you can't corrupt memory from a Java method, you can from a native method. But most importantly, native methods don't go through the Java API (they are how you go around the Java API) so the security manager isn't checked before a native method attempts to do something that could be potentially damaging.

Native methods are not safe: they are not checked by Java's security manager.

 

 

4. One final mechanism built into the Java virtual machine that contributes to security is structured error handling with exceptions. Because of its support for exceptions, the Java virtual machine has something structured to do when a security violation occurs.

The structured exception-handling mechanism keeps the system from dying.

Throwing an error (as opposed to throwing an exception) almost always results in the death of the thread in which the error was thrown.

An exception can only terminate that thread; it cannot terminate the whole system.
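
The run-time checks listed in note 1 and the thread-level failure behaviour in note 4, shown together as an added example (not code from the book or from the original notes). The class name JvmSafetyChecks, the helper outcome and all sample values are made up for illustration.

```java
public class JvmSafetyChecks {
    // Runs an operation and reports which structured exception the JVM raised.
    static String outcome(Runnable op) {
        try {
            op.run();
            return "no exception";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        int[] buf = new int[4];           // constructed sample data
        Object boxed = "not an Integer";  // constructed sample data
        String missing = null;            // constructed sample data

        // Array bounds checking: the out-of-range write never touches memory.
        System.out.println("bounds: " + outcome(() -> buf[4] = 1));
        // Type-safe reference casting: the cast is verified at run time.
        System.out.println("cast:   " + outcome(() -> { Integer i = (Integer) boxed; }));
        // Null checking: dereferencing null is trapped instead of being undefined.
        System.out.println("null:   " + outcome(() -> missing.length()));

        // An Error thrown in one thread ends that thread, not the whole JVM.
        Thread worker = new Thread(() -> {
            throw new Error("constructed sample error");
        });
        worker.setUncaughtExceptionHandler((t, e) ->
            System.out.println(t.getName() + " died with " + e.getClass().getSimpleName()));
        worker.start();
        worker.join();

        System.out.println("worker alive: " + worker.isAlive()
            + ", main thread still running");
    }
}
```

Each violation surfaces as a catchable exception type rather than as silent memory corruption, and the main thread keeps running after the worker thread has died.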

 

5. On the security manager:

Prior to 1.2, java.lang.SecurityManager was an abstract class. To establish a custom security policy in 1.0 or 1.1, you had to write your own security manager by subclassing SecurityManager and implementing its check methods.

 

The concrete SecurityManager class allows you to define your custom policy not in Java code, but in an ASCII file called a policy file.

 

 

 

page 6

 

 

 

 

 

 

 

 
