Interesting People mailing list archives

IP: Re: the Java bug


From: David Farber <farber () central cis upenn edu>
Date: Wed, 11 Oct 1995 10:54:42 -0400

Date: Wed, 11 Oct 1995 07:49:07 -0700
To: farber () central cis upenn edu (David Farber)
From: Dave Crocker <dcrocker () brandenburg com>


At 1:42 AM 10/11/95, David Farber wrote:
> re-enforce worries stated on the net re the FUTURE problems
> with such active systems like Java and other remotely


        "Active systems" is a fancy term.  In casual conversation, we just
call them viruses...


[some call them a headache .. djf]


        Java uses an unusual approach to security for an active system.
The TCL and Telescript approaches employ dual execution engines.  One runs
the untrusted code that has arrived and the other runs trusted code.  When
the untrusted code wants to do something potentially dangerous it makes a
call to the interface that goes to the trusted code which then evaluates
the request.  The core of this approach is to cripple the language and
system constructs available for direct execution by the untrusted code.


        Astonishingly, Java basically uses a prevention-by-inspection
scheme.  The language begins with proper crippling but, as I understand the
description, the decision to permit execution of potentially dangerous code
is really done at compile time, without dynamic evaluation!


        Besides that, security-related code simply takes a long time to
shake out thoroughly.  Those historically involved with active systems have
been quite clear that the potential danger is quite high and that long
shakeout is necessary.  Perhaps the real issue, here, is putting it into
wide deployment so quickly after Java has been developed.


d/


--------------------
Dave Crocker                                                +1 408 246 8253
Brandenburg Consulting                                fax:  +1 408 249 6205
675 Spruce Dr.                                     dcrocker () brandenburg com
Sunnyvale, CA  94086 USA                 http://users.aimnet.com/~dcrocker/
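
The dual-engine model described in the message above, sketched with Tcl's safe interpreters. This is an added example, not code from the message or from the Tcl or Telescript projects; the sandbox directory and the `readfile` / `trusted_read` names are assumptions made for illustration.

```tcl
# Trusted engine: holds the policy and evaluates every request at call time.
set allowedDir [file normalize /tmp/applet-data]   ;# assumed sandbox directory

proc trusted_read {path} {
    global allowedDir
    set full [file normalize [file join $allowedDir $path]]
    # Dynamic check: refuse anything that resolves outside the sandbox.
    if {[string first "$allowedDir/" $full] != 0} {
        error "policy: access to '$path' denied"
    }
    set fh [open $full r]
    set data [read $fh 4096]   ;# cap what a single request can return
    close $fh
    return $data
}

# Untrusted engine: a safe interpreter starts without open, exec, socket, etc.
set child [interp create -safe]

# The only route to the file system is this alias into the trusted engine.
interp alias $child readfile {} trusted_read

# Constructed untrusted script: one permitted request, one request the policy
# rejects, and one call to a command the crippled engine does not have.
set script {
    set out {}
    foreach attempt {
        {readfile notes.txt}
        {readfile ../../etc/passwd}
        {open /etc/passwd r}
    } {
        if {[catch $attempt result]} {
            lappend out "DENIED  $attempt -> $result"
        } else {
            lappend out "ALLOWED $attempt"
        }
    }
    join $out \n
}

# Constructed sample data so the permitted request has something to read.
file mkdir $allowedDir
set fh [open [file join $allowedDir notes.txt] w]; puts $fh "hello"; close $fh

puts [interp eval $child $script]
interp delete $child
```

The first request is allowed, the second is refused by the trusted procedure's run-time check, and the third fails because `open` is not available in the safe interpreter at all.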

