Scott Brickner <sjb@universe.digex.net> wrote:

And later:

The Java bytecode is where the security properties must ultimately be verified . . . . Unfortunately, it is rather difficult to verify the bytecode. . . . The present type verifier cannot be proven correct, because there is not a formal description of the type system. Object-oriented type systems are a current research topic; it seems unwise for the system's security to rely on such a mechanism without a strong theoretical foundation. It is not certain that an informally specified system as large and complicated as Java bytecode is consistent.

And in the conclusions:

We conclude that the Java system in its current form cannot easily be made secure. Significant redesign of the language, the bytecode format, and the runtime system appear to be necessary steps toward building a higher-assurance system. . . . Execution of remotely- loaded code is a relatively new phenomenon, and more work is required to make it safe.

I do think that the ideas embodied in Java are very important, and will significantly shape the future of computing, but Java itself may be just a stepping stone on the way.

Given the crowd here, this is likely stating the obvious, but it has never failed to provoke spluttering from the Sun employees I have tried it on. The thing not mentioned in this excerpt is that at best, the verification will have been done for the Sun implementation of the byte code engine. There have been announcements of competing implementations of the the engine, and any assumptions of safety are out the window in that case. Sun doesn't have any control over Java the byte code engine, anyone who wants can build one. (and at 40kb total size, it is a tractable thing for an undergrad that didn't manage to find a summer job). Sun does control Java the logo, and can deny a license to use it. That is likely to become a meaningless distinction -- If somone will install a disk recieved unsolicited in the mail, or handed to them at a trade show (how hard can it be to re-seal AOL packaging, such that a casual recipient won't notice), they aren't bright enough to insist on genuine Sun brand Java. If it becomes an expected thing, that all browsers/os's/toaster-ovens have a java byte code engine in them, there will be a sizable number sold without "benifit" of trademark (at the low end if nothing else, Sun does expect to be paid to use the steaming cup). Not all of them will have sufficient rigor applied to their development. Once common, then things get interesting. The press will (for lack of anything else to do, as all the engines are supposed to act identically) start to benchmark the competing implementations. At that point, under pressure to "get good numbers", some of the more "expensive" operations will be "tuned". Other restrictions might be sacrificed in order to have something ready for Comdex... Can't happen you say? I still remember when some of the PC video makers got caught special casing the strings in one of the big magazines benchmarks. Unfortunately, Sun has designed a fine example of a "Square Peg". As OAK, it was a moderately good fit for the intended use. With zillions of set top boxes, and a limited number of sources of product (national/regional controlled entry broadcaster model), you had to have remote execution, nobody could build a big enough set of servers. Since it was coming from a broadcaster, you could get away with trusting signed code -- not just any bozo can get video broadcast nationally (unless it is violent, and even then they time base correct it), the same would be true of set top code. Since it meant selling hardware (engine in rom), there would be a limited number of sources of system code -- the above mentioned undergrad would find it difficult to find enough capital to get a mass market hardware product to market. And when you get down to it, with only a few meg of ram, and no disk, there really wasn't a huge amount of data to compromise. Now lets examine what they are trying to do with it. It is a software only item currently, thus it has very low entry barriers. Code can be put up by any bozo with $10/month to pay a local web provider -- even if the code is signed, you may not be able to get at the author of an applet, either because of national boundries, or anonymity. And you get to run the stuff on a machine with a lot of state (all the dells and gateways sold today had at least a gig of state spinning there to browse), and a live net connection (back to the source if nothing else) to transmit interesting things back with. Looks like a bad fit to me. But the PR department does have a big hammer, and they are beating on it, and the hole is starting to give a bit -- they have it forced about halfway now... To get a round peg, they have to build a system at the A2 trust level. That means a verified design, and an implementation checked against that design. Sun hasn't done the design side of the game, if the comments made about the design by the Princeton group are accurate. Lacking a verifiable design, even Sun's implementation must be doubted. But it doesn't end there, the browser that surrounds the byte code engine can compromise even a good implementation (as netscape has demonstrated), and last, Sun has no way to ensure that everything that executes the byte codes is a "good" implementation. We don't even have to assume malicious intent on the engine builder, accidents have already supplied us with enough examples of how it can go wrong. (tho it is easier if you put the hole there -- you don't have to be skilled enough to find a hole to exploit, just good enough to add a hole to an existing implementation) <dp>