How Java is secure?

Question

I know Java doesn't support concept of pointers, which actually can provide you address of the variable or an object. But what do you say in this case

A a1 = new A();    
System.out.println(a1);

here a1 is one reference variable which points to object of class A. But when I print a1, it prints the address of the object.

So, I mean to ask is when I can get address of the object (that too fully qualified address) in Java also, how it could be safe?

Can somebody clear my concepts on Java is safe. Thanks in advance.

"But when I print a1, it prints the address of the object." I doubt that. — Fildor, Oct 22 '13 at 10:59
What exactly is *not safe* here, and what do you mean by that? — Eel Lee, Oct 22 '13 at 11:00
If you don't want to be able to create instances of your class, then don't write a (public) method that creates instances of your class! — Oliver Charlesworth, Oct 22 '13 at 11:01
You seem to assume that to keep object address secret has something to do with "security". Why on earth? — leonbloy, Oct 22 '13 at 11:07

score 4 · Answer 1 · answered Oct 22 '13 at 11:03

The number printed by Object.toString() is not an address. It’s the identitiy hashcode. This number might be derived from the address but you don’t know how or if at all.

Even if it was the address you can’t do anything with it as you can’t access arbitrary addresses.

The question whether creating instances of your class is security relevant is a decision up to you. If so, you must take action to ensure that only allowed entities may create such instances.

score 3 · Answer 2 · edited May 23 '17 at 10:30

3

What is printed actually is the "identity hash code", not the address (see here). And even if it was the address, it would be a read-only information that cannot be used to perform unsafe pointer references.

edited May 23 '17 at 10:30

Community

1
1

answered Oct 22 '13 at 11:03

Piovezan

3,215
1
28
45

score 1 · Answer 3 · answered Oct 22 '13 at 11:04

But when I print a1, it prints the address of the object.

No it does not print the address of the object. When you try to print an object its toString method is called and the default toString method output will contain, class name and the unsigned hexadecimal representation of the hash code of the object separated by @` . symbol

So, I mean to ask is when I can get address of the object (that too fully qualified address) in Java also, how it could be safe?

You never get the memory address of the object and you cannot manipulate that either.

score 1 · Answer 4 · answered Oct 22 '13 at 11:06

1

Java is safe, unless you are using sun.misc.Unsafe. What println(a1) prints is not specified, it need not to be an address. And even it were an address, you have no legal ways to read or write using it.

answered Oct 22 '13 at 11:06

Alexei Kaigorodov

13,189
1
21
38

If you're running native code through JNI, then you presumably *could* access arbitrary virtual memory addresses... – Oliver Charlesworth Oct 22 '13 at 11:56

score 0 · Answer 5 · edited Apr 12 '17 at 07:31

well for your very first question i would ask you to read this and give some more burden to your brain understanding the difference,

for second one, considering you as a programmer, you can put the restriction of keeping things of a class private by not creating the method for object generation you are talking about(first)

second, you can provide methods through which user can access only the portion of the class he/she is supposed to(which again is restriction put by you by coding it such a way)

and according to me, we should worry about how secure our code is than how secure the platform is :)

score 0 · Answer 6 · answered Oct 22 '13 at 11:09

So, I mean to ask is when I can get address of the object (that too fully qualified address) in Java also, how it could be safe?

First off, reference to an object does not mean a pointer to an object. It could (theoretically) be a double pointer, it could be a triple pointer with an offset, or anything else, as long as it references the object by some specific convention. Of course, the simplest convention is a direct pointer to the object, but the Java language doesn't bother to spell that out (as far as I know) because it's an implementation thing.
Java is a different language than C and C++, so it defines its own semantics for the operators. So, to put it simply, in Java, & is not the "address of" operator because the language designers have defined it like that. There is no "address of" operator regardless of whether references as implemented as simple pointers. The philosophy behind this is, of course, avoidance of pointer arithmetic and memory safety.

Also, in other case, if my class A is private, so you can't create an object of it, but what if I create a method inside this class which is used for creating objects of this class. And I just call this method wherever I want to create an object of this class!!!

I think this question is not making any sense. Class A cannot be a Private if it is not a inner class.

How Java is secure?

6 Answers6