Michael Meyer mike65134 at yahoo.de
Sun Aug 14 04:53:07 PDT 2005


I am currently evaluating the possibility of building
a Java application server intended for critical
production use from scratch using HLFS and JDK-1.5.0
from the BLFS and MySQL from the BLFS. There might be
an advantage in building the JDK from scratch, as
potential buffer overflow holes in the Sun JVM could
be prevented from being exploited by compiling the JDK
with a stack-smashing-protected compiler. This
might be useful, as the only service this machine would
offer would be a Java application running on this JVM.
So a remote attack would only be successful if the
attacker could exploit:
1) A bug in the Java application itself.
2) A bug in the JVM of Sun.
3) A bug in the Linux kernel.
4) Maybe also a bug in the glibc.
This is why I figure that (besides an excessive
audit of the source code of the Java application),
building an HLFS system and compiling the JVM from
scratch with an SSP compiler might be a useful measure
to improve security.

However, I have trouble determining if the JDK-1.5.0
build from scratch is really intended for critical
production use, or for research purposes only: The
downloaded source code from Sun is labeled as
jdk-1.5.0. Also, each and every source code file
within the .zip archive is dated 2004-10-19, which is
roughly the release date of JDK 1.5.0_00.

So I have the following questions:
1) Is the JDK build from scratch described in 
a build of 1.5.0_00 or 1.5.0_04?
2) Is it possible to obtain a patch set from Sun to
patch the JDK-source-code from 1.5.0_00 to 1.5.0_04? 
3) Do you think it is sane to deploy a mission
critical Java application on a HLFS + self compiled

