Encapsulation vs Security

Here’s my ten-word review of Joshua Bloch’s Effective Java: If You Write Java, You Need To Read This Book.

I wanted to say that up front, because I’m about to talk at great length about one of its shortcomings, which would give the impression, purely by wordcount, that I don’t think it’s a good book. This is just a reflection of how many more words it takes to explain a negative point than a positive one. The book is irrefutably useful and you should read it (if you write Java).

To give the issue a bit of context, here’s a fact that I was only dimly aware of before doing some mid-reading research:

If you get the security settings right, the Java Virtual Machine guarantees access control.

If you declare a field private, and you’re running a trusted JVM, and the security manager is set to disallow JNI and changing accessibility through reflection and a handful of other things, then you can run untrusted third-party code in the same process and even pass those objects to the untrusted code and it will never be able to get at the private field.
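To make the distinction concrete, here is a small added example (my own code, not from the post or from Effective Java) that reads a private field through reflection twice: once with no SecurityManager installed, where the compiler's access check is the only barrier and reflection walks straight past it, and once with the default SecurityManager installed, whose default policy does not grant `ReflectPermission("suppressAccessChecks")` to application code, so `setAccessible(true)` throws. The class and method names are this example's own. It assumes a JDK that still ships a SecurityManager: on Java 17 through 23 it must be started with `-Djava.security.manager=allow`, and on Java 24 and later the SecurityManager has been removed, so the second half cannot run there.

```java
import java.lang.reflect.Field;

// The class whose field we would like to keep hidden (hypothetical class).
final class Secret {
    private final String token;

    Secret(String token) {
        this.token = token;
    }
}

public class PrivateFieldDemo {

    // Attempts to read Secret.token by suppressing Java language access checks.
    // Returns the value if the JVM allows it, or null if a SecurityException
    // (the default SecurityManager throws AccessControlException) stops it.
    static String peek(Secret s) {
        try {
            Field f = Secret.class.getDeclaredField("token");
            // This call is the security boundary: it requires
            // ReflectPermission("suppressAccessChecks") when a SecurityManager is set.
            f.setAccessible(true);
            return (String) f.get(s);
        } catch (SecurityException e) {
            return null;
        } catch (ReflectiveOperationException e) {
            throw new AssertionError("unexpected reflection failure", e);
        }
    }

    public static void main(String[] args) {
        Secret s = new Secret("constructed-sample-token");

        // 1. Encapsulation only: the compiler rejects s.token, reflection does not.
        System.out.println("no SecurityManager:   " + peek(s));

        // 2. Security: install the default SecurityManager. Its default policy
        //    grants application code no suppressAccessChecks permission, so
        //    peek() now gets a SecurityException and returns null.
        //    (Java 17-23: run with -Djava.security.manager=allow.)
        System.setSecurityManager(new SecurityManager());
        System.out.println("with SecurityManager: " + peek(s));
    }
}
```

The first line prints the token, the second prints `null`. Nothing about the `Secret` class changed between the two runs; the only difference is whether the JVM was configured to enforce access control as a security boundary rather than as a compile-time convenience.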

This is such a big deal that I don’t understand why it isn’t a bigger deal. It’d be impossible to make this kind of claim in a natively compiled language, because you can always pointer-arithmetic your way to the private data. Python makes only the vaguest of gestures in the direction of information hiding, and certainly doesn’t guarantee it. Maybe C# and the rest of the .NET family make some guarantees, I’m not sure (although whether you’d trust Microsoft to get the security right is a different story (but then, the same question should be asked of Sun Oracle)).

Here’s the issue though. This means that access control in Java actually has two different (although overlapping) purposes: encapsulation, and security. And they’re not the same thing.

Encapsulation is about reducing the complexity and increasing the abstraction of classes by hiding their implementation. Security is about stopping people from seeing or changing data that they shouldn’t be able to. Security is for protecting users from malicious programmers; encapsulation is for protecting programmers from themselves.

Security at this level isn’t always possible. If you’re writing a library for other people to use in a JVM that they control, you can’t expect to hide anything from them – they can turn the security manager way down, or change your bytecode, or run a modified JVM. (At university we had an assignment that involved black-box testing of algorithms that we were given as obfuscated JARs. I worked out that you could peek at some of the internals by rebuilding the Java standard libraries with String declared non-final, and passing in a subclass with some instrumentation added. And no, I didn’t actually do it.)

Most times that someone compromises their own system, they can only do damage to themselves. Of course, you probably still want to make your library as tight as possible so that it isn’t a security hole for other code that it interacts with. The point is that it can be dangerous, or at least an unnecessary programming burden, to rely on language guarantees for security if you’re not always going to have control of the platform.

On the other side, encapsulation isn’t always desirable. Well, maybe it is. There’s heated debate about this. Some people (many of them Java devotees) argue that programmers will find and use every available undocumented feature, and anything you inadvertently expose will doom you to support it forever. Others (e.g. a high proportion of Python fans) say that an API is as much a social contract as a technical one, and that if someone wants to work around an interface that doesn’t meet their needs then, well, we’re all adults, and they’re welcome to do so as long as they accept the consequences if the implementation changes.

The point is that encapsulation and security are different requirements. Making a field private because it’s an implementation detail is one decision; making a field private because using it would open a security hole is a very different decision. If you try to squeeze the concepts into one then at some point you’re going to make a poor decision. And now we get to my one (and minor) gripe with Effective Java: it doesn’t do enough to distinguish between them.

Some of Bloch’s points (e.g. Item 10: Always override toString) are clearly about programmer-friendly abstractions. Other points (Item 76: Write readObject methods defensively) are clearly about security – no programmer would (or could, reliably) exploit it just to get around API restrictions. In one place (Item 39: Make defensive copies when needed) he mentions that a particular security measure has a big enough performance hit that it can be valid to leave it open, if it’s in an environment where misuse will only hurt the (mis)user. But in other places it’s not so clear exactly what kind of advice he’s giving, which could lead readers to apply the advice in the wrong way.
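The two security-flavoured items mentioned above, defensive copies and a defensive `readObject`, share one idea: treat anything that crosses the class boundary (constructor arguments, accessor results, a serialized byte stream) as untrusted input. The following added example (my own code, not Bloch's `Period` class from the book; the class and method names are this example's own) applies both to a small immutable value type whose invariant depends on two mutable `Date` fields:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

public class DefensiveWindow {

    // Invariant: start is never after end. Date is mutable, so every
    // Date that enters or leaves the object is copied.
    static final class TimeWindow implements Serializable {
        private static final long serialVersionUID = 1L;

        // Non-final only so readObject can replace them with fresh copies.
        private Date start;
        private Date end;

        TimeWindow(Date start, Date end) {
            // Copy first, then validate the copies rather than the caller's
            // objects, so the caller cannot change them between check and copy.
            this.start = new Date(start.getTime());
            this.end = new Date(end.getTime());
            if (this.start.after(this.end)) {
                throw new IllegalArgumentException(this.start + " is after " + this.end);
            }
        }

        // Accessors hand out copies, never the internal objects.
        Date start() { return new Date(start.getTime()); }
        Date end()   { return new Date(end.getTime()); }

        // The byte stream is, in effect, another public constructor, and a
        // forged one can carry any field values it likes: re-copy and re-check.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (start == null || end == null) {
                throw new InvalidObjectException("missing start or end");
            }
            start = new Date(start.getTime());
            end = new Date(end.getTime());
            if (start.after(end)) {
                throw new InvalidObjectException(start + " is after " + end);
            }
        }

        boolean invariantHolds() { return !start.after(end); }
    }

    // Serializes and deserializes a window through an in-memory byte array.
    static TimeWindow roundTrip(TimeWindow w) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(w);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (TimeWindow) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input.
        Date s = new Date(1_000L);
        Date e = new Date(2_000L);
        TimeWindow w = new TimeWindow(s, e);

        // Mutating the argument after construction must not reach the object.
        s.setTime(5_000L);
        System.out.println("after mutating constructor argument: " + w.invariantHolds());

        // Mutating a returned Date must not reach the object either.
        w.end().setTime(0L);
        System.out.println("after mutating accessor result:      " + w.invariantHolds());

        // Deserialization goes through readObject, which copies and re-validates.
        TimeWindow copy = roundTrip(w);
        System.out.println("after serialization round trip:      " + copy.invariantHolds());
    }
}
```

All three lines print `true`. The point of the performance caveat Bloch attaches to Item 39 is visible here: every `Date` crossing the boundary costs an allocation, which is cheap for this class but adds up for large arrays or collections, and a team that controls the whole JVM and is only protecting itself from its own mistakes may reasonably decide the copies in the accessors are not worth it. The `readObject` check is a different matter, since a forged stream is the one input the constructor never sees.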

Part of this might be that Bloch is writing from the perspective of someone who worked on the Java platform APIs, which sit in the part of the Venn diagram where encapsulation and security do overlap: they’re widely used, so any leaky implementation details are guaranteed to become a compatibility issue; and they’re the basis for every other API (even a trivial class extends Object) and available to malicious code even on a trusted JVM, which effectively makes them part of the platform’s security guarantee. And I suppose you could argue (indeed, he says something similar to this in the introduction) that you don’t always know where your code will end up, so aiming for as much encapsulecurity as possible isn’t a bad thing.

And frankly that’s a pretty good argument. Which is why you still need to read this book.

(A few other things bugged me while reading it, but most of them were directed at Java rather than the book itself. There might still be another post or two in this topic.)

19 Comments »

  1. The Little Guy — Dave's Programming Blog

    November 28, 2010 @ 8:50 pm

    [...] said at the end of my sort-of review of Effective Java that a few things bugged me while reading it, not about the book, but about Java itself. These [...]
