Date: Thu, 18 Aug 2005 13:55:59 +0200 (CEST)
From: Michael Meyer <mike65134@yahoo.de>
To: Ian G <iang@iang.org>
Cc: freebsd-java@freebsd.org
Subject: Ant: Re: JDK 1.5.0_0x-Patches available?
Message-ID: <20050818115559.23958.qmail@web26808.mail.ukl.yahoo.com>
In-Reply-To: <430468D8.3080903@iang.org>
Thank you very much for all this information!

> very comprehensive test setup is passed. In
> effect Sun only supports Java in the very large
> platform bases such as Linux and Microsoft, which
> accounts for Java's penetration in finance, but
> few other places.

From a Sun perspective this might be a very sane choice: if somebody wants to deploy a mission-critical Java application, he cannot use Windows (maybe nowadays Windows Server 2003 - I don't know), but has to use Solaris on UltraSPARC (or IBM Java on AIX/z/OS). Only recently has Linux caught up somewhat in terms of reliability, which is really bad for Sun. FreeBSD probably was a Solaris contender right from the beginning, so they did not make the mistake of supporting Java on FreeBSD. The problem with Linux is that IBM also supports a JDK for it. So I guess it does not matter any more if they drop the Linux support now.

> For the small markets, there is a sort of
> researcher's licence which gives access to the
> source, and then you can compile that up yourself
> but you cannot distro it to anyone else.

I knew that, but the source only seems to contain the initial 1.x.y_00 release, not the 1.x.y_n releases with n > 0. So it is not really of much worth for a production server (only if there is a die-hard Sisyphus team)?

> > I am considering the possibility of compiling a 5.0
> > JDK on Linux with a gcc patched with stack smashing
> > protection.
>
> I don't understand why Java would need that,
> but I would definitely like to - can you explain
> more?

I have to deploy a Java app which is really security critical (although not finance related). The obvious choice would be to put it on a Solaris 10 server running on UltraSPARC and buy the most extensive support package Sun sells. Unfortunately, there probably won't be enough money to do that. So I thought of a Xeon-based server from IBM/Dell/HP and of putting Linux on that box.

I am currently evaluating the possibility of building a Java application server intended for critical production use from scratch, using Hardened Linux From Scratch, JDK 1.5.0 from the BLFS and MySQL from the BLFS. There might be an advantage in building the JDK from scratch, as potential buffer overflow holes in the Sun JVM could be prevented from being exploited by compiling the JDK with a stack-smashing-protected compiler. This might be useful as the only service this machine would offer would be a Java application running on this JVM. So a remote attack would only be successful if the attacker could exploit

1) a bug in the Java application itself,
2) a bug in Sun's JVM,
3) a bug in the Linux kernel,
4) maybe also a bug in the glibc.

This is why I figure that (besides excessively auditing the source code of the Java application), building an HLFS system and compiling the JVM from scratch with an SSP compiler might be a useful measure to improve security. I know that Java prevents the possibility of buffer overflows in the application source code. But there still might be the possibility of a buffer overflow in the virtual machine itself?

> I understand that the patchsets are all created by
> "project Sisyphus," an ever-toiling FreeBSD team of
> heroes to advance the local home-build product.
>
> iang
>
> PS: they're not really called project Sisyphus :-)
> It's what sticks in my mind every time I think of
> installing Java.

That sounds really, really heroic!
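The message above argues that compiling the JVM with a stack-smashing protector would keep a buffer overflow inside the native JVM code from being exploitable. The following C program is an added example, not code from the thread or from Sun's JDK: it emulates the mechanism that gcc's -fstack-protector (the successor of the ProPolice/SSP patch mentioned above) inserts into every protected function. A canary word is stored right after the local buffer in the prologue and re-checked in the epilogue; if an unbounded copy ran past the buffer, the canary has changed and the real protector aborts the process before the corrupted return address can be used. The `struct frame` layout and the fixed `CANARY` value are constructed for the emulation (the real canary is random per process and lives on the actual stack), so nothing is genuinely smashed here and the program runs with any C compiler.

```c
/* Emulation of stack-smashing protection (SSP): canary after the buffer,
 * checked before "return". Added example; not part of the original thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
/* Constructed constant for the emulation; a real SSP canary is random per run. */
#define CANARY 0x00c0ffee11223344ULL

/* Emulated stack frame: the protected local buffer, then the canary that
 * -fstack-protector places between locals and the saved return address. */
struct frame {
    unsigned char buf[BUF_SIZE];
    uint64_t canary;
};

/* Copy n bytes of untrusted input into the frame's buffer without checking
 * them against BUF_SIZE (the kind of defect SSP is meant to catch). n is
 * capped at sizeof(frame) only so the emulation itself stays within defined
 * behaviour. Returns 1 if the canary survived, 0 if the copy ran into it. */
static int copy_and_check(const unsigned char *input, size_t n)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;                       /* prologue: store the canary */

    if (n > sizeof f)
        n = sizeof f;
    memcpy((unsigned char *)&f, input, n);   /* bytes 16.. spill into the canary */

    return f.canary == CANARY;               /* epilogue: mismatch -> __stack_chk_fail */
}

/* Run the emulation with an n-byte filler input; 1 means a smash was detected. */
int smash_detected(size_t n)
{
    unsigned char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);        /* constructed oversized input */
    return !copy_and_check(input, n);
}

int main(void)
{
    printf("%2d bytes: smash detected = %d\n", BUF_SIZE, smash_detected(BUF_SIZE));
    printf("%2d bytes: smash detected = %d\n", 20, smash_detected(20));
    return 0;
}
```

The point for the deployment discussed above is the difference between the two runs: an input that fits in the buffer leaves the canary intact, while a longer one is caught at the function boundary rather than reaching the return address. The protector does not remove the bug, it turns a potentially exploitable overflow into a controlled abort, which is why it only helps native code such as the JVM itself and changes nothing for the Java application code on top of it.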