Menu
Google extensions could aid Java security

Google extensions could aid Java security

Borrowing a technique from Eiffel, Google is adding Design-By-Contract functionality to Java

Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks.

Last Friday, Google announced that it open sourced a project that its engineers were working on to add a new functionality into Java called Contracts, or Design-By-Contract (DBC).

Google's implementation, called Contracts For Java, or Cofoja for short, is based off of Modern Jass, a set of Java annotations developed by Johannes Rieken.

Primarily touted as a technique to ease programming, Contracts could also provide an easy way for developers to guard against buffer overflow attacks, the researchers said.

One of the oldest techniques in the attacker's virtual arsenal, buffer overflows remain a problem. In December, Microsoft identified 2.6 million possible attacks that could be waged using a stack-based buffer overflow in the JRE (Java Runtime Engine).

In a nutshell, Contracts requires that each time a method is called in a running program, any values passed to the method must meet a set of predefined criteria. Likewise, each time a method returns a value, it must also meet a set of criteria.

"DBC should be understood as a contract between components of a software," said Rieken, in an e-mail interview.

The researchers borrowed the idea from another language, Eiffel, where the concept is known as Design-By-Contract (DBC). Eiffel advocates claim DBC makes that language more secure than most.

In their blog post announcing the release, the Google developers touted Contracts as a way to ease Java programming, as it helps pinpoint bugs in a complex body of malfunctioning code.

But Contracts can also help make Java code more secure, said Andreas Leitner, a testing software engineer at Google and member of the Cofoja team, in an e-mail.

"By annotating your code with contracts you are much more likely to reveal bugs in earlier phases of development," Leitner said. It could be particularly helpful in finding bugs that don't crash a program but nonetheless put them into "funny states," Leitner said. Such states could possibly "be exploited by attackers to gain ownership of data or machines," he said.

Even without DBC, Java already has a number of advantages over many other languages in terms of security, because it runs in a sandbox and requires programmers to define the data types of variables before they are used. However, DBC could provide additional security by preventing buffer overflow-styled attacks, where a program could be crashed or otherwise manipulated by the injection of a larger-than-expected input value.

A contract "can ensure that an input doesn't exceed a certain length," Rieken said. It could also ensure that invariant values remain the same when they are called.

"Such checks [are] for situations where the programmer usually says 'it wasn't meant to be used like that,'" he said.

The Google developers behind Cofoja are working on the project during the 20 percent of work time that Google allows its employees to pursue individual projects.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags OracleGooglesoftwareapplication developmentLanguages and standardsExploits / vulnerabilities

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments