I'm just coming over from Java and am wondering about Ruby security compared to
Java.
I know that Java is pretty isolated from the operating system. All your apps run
in a JVM and are governed by security policies that can be very fine grained and
disallow you from accessing disks or even loading classes if desired.
One of the big issues, for example, with M$'s web technology is that it's so
tightly integrated to the OS that when it's compromised, the compromizing code
can do a lot of damage. Java makes it harder for attackers to access the
underlying OS.
What about Ruby? From my initial work with the OS, I don't see anything that's
as agressive as Java's isolation from the OS. Since Ruby isn't as widely used
(and hasn't been hacked at as hard), how can I be sure that buffer overrun's
won't show up throughout the code that will make Ruby innappropriate for use as
a production platform?
Also, if a serious security problem is found, how is it responded to and how are
patches distributed?
I'm just coming over from Java and am wondering about Ruby security
compared to
Java.
I know that Java is pretty isolated from the operating system. All your
apps run
in a JVM and are governed by security policies that can be very fine
grained and
disallow you from accessing disks or even loading classes if desired.
One of the big issues, for example, with M$'s web technology is that it's
so
tightly integrated to the OS that when it's compromised, the compromizing
code
can do a lot of damage. Java makes it harder for attackers to access the
underlying OS.
What about Ruby? From my initial work with the OS, I don't see anything
that's
as agressive as Java's isolation from the OS. Since Ruby isn't as widely
used
(and hasn't been hacked at as hard), how can I be sure that buffer
overrun's
won't show up throughout the code that will make Ruby innappropriate for
use as
a production platform?
Also, if a serious security problem is found, how is it responded to and
how are
patches distributed?
Ruby has a different way to handle security than Ruby. Instead of the
security manager/ class loader combo. It's possible to taint objects.
Id est, to mark them as "insecure" and act accordingly. While the
flexibility of this system is lower, it covers the most usual cases and
it's simpler.
Like in Java, if you write in "pure Ruby" it's impossible to have
buffer overruns (unless there is a bug in the interpreter). That's why
is "safer" than C code.
I don't know how are the security updates handled or if some security
patch was ever needed.
> --- Ursprüngliche Nachricht ---
> Von: Kevin Bedell <kevin@kbedell.com>
> An: ruby-talk@ruby-lang.org (ruby-talk ML)
> Betreff: Ruby Security?
> Datum: Thu, 10 Nov 2005 00:41:32 +0900
>
> Hey all -
>
> I'm just coming over from Java and am wondering about Ruby security
> compared to
> Java.
>
> I know that Java is pretty isolated from the operating system. All your
> apps run
> in a JVM and are governed by security policies that can be very fine
> grained and
> disallow you from accessing disks or even loading classes if desired.
>
> One of the big issues, for example, with M$'s web technology is that it's
> so
> tightly integrated to the OS that when it's compromised, the compromizing
> code
> can do a lot of damage. Java makes it harder for attackers to access the
> underlying OS.
>
> What about Ruby? From my initial work with the OS, I don't see anything
> that's
> as agressive as Java's isolation from the OS. Since Ruby isn't as widely
> used
> (and hasn't been hacked at as hard), how can I be sure that buffer
> overrun's
> won't show up throughout the code that will make Ruby innappropriate for
> use as
> a production platform?
>
> Also, if a serious security problem is found, how is it responded to and
> how are
> patches distributed?
>
>
>