Re: Mindshare and Java
On Thu, 25 Apr 1996, Bill Frantz wrote:
> At 10:47 PM 4/24/96 -0700, Rich Graves wrote:
> >code safely. I'm sorry, I'm just not interested in running untrusted code.
> >Give me digitally signed code that I can trust, or for which the author
> >can at least be held accountable, and I'll be happy.
>
> I, for one, am interested in running untrusted code. If I can run
> untrusted code, I can greatly reduce my exposure to Trojan horses and bugs.
> It bothers me that if I run Microsoft Word, it can trash my MacWrite
Both policies make sense in different circumstances; however,
refusing to run unsigned code, even though it reeks of FUCKING STATISM, is
easier to verify and harder to circumvent. We're experimenting with both
approaches in Solid Oak (one classloader that rejects unsigned classes,
another that works with the security manager to use the signed IDs to
make policy decisions where necessary). That approach is the more
flexible, but it remains vulnerable to flaws in the policy manager if it
is somehow possible to do naughty things without going through the
security manager. If you require even untrusted code to be signed you at
least have a target-id to send to blacknet for attitude adjustment.
One thing that could be retroactively added to the VM pretty easily would
be the ability to add capability requirements to methods, and have the
class loader automatically generate code to check for those requirements
before executing the body of the method.
Simon
---
They say in online country So which side are you on boys
There is no middle way Which side are you on
You'll either be a Usenet man Which side are you on boys
Or a thug for the CDA Which side are you on?
National Union of Computer Operatives; Hackers, local 37 APL-CPIO
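The two mechanisms Simon describes above (a class loader that refuses unsigned classes and uses the signer identity for policy, plus per-method capability requirements checked before the method body runs) can be sketched in modern Java. The following is an added example written for this archive page; it is not code from Solid Oak or from anyone in the thread. It assumes Java 15 or later (Ed25519 in the standard `Signature` API), a hypothetical `@Requires` annotation to declare a method's capability, and constructed signer ids, keys and capability names. One departure from the proposal is labelled in the code: the capability check is called explicitly through `enforce` rather than generated into the method by the loader, which would need bytecode rewriting.

```java
import java.io.InputStream;
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.security.*;
import java.util.*;

/*
 * Added demo (not from the thread or Solid Oak): a loader that defines a class only
 * when its bytes verify against a pinned signer key, records which signer produced
 * it, and checks per-method capability requirements against a policy keyed by signer.
 * Signer ids, keys, capability names and the Greeter payload are all constructed here.
 */
public class SignedOnlyLoader extends ClassLoader {

    /** Hypothetical annotation: the capability a method needs before its body runs. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface Requires { String value(); }

    private final Map<String, PublicKey> trustedSigners;        // signer id -> pinned key
    private final Map<String, Set<String>> policy;              // signer id -> granted capabilities
    private final Map<String, String> signerOf = new HashMap<>(); // class name -> signer id

    public SignedOnlyLoader(Map<String, PublicKey> trustedSigners, Map<String, Set<String>> policy) {
        // Parent delegation is kept only so shared types (the JDK, @Requires) resolve;
        // signed payloads are defined directly below and never go through the parent.
        super(SignedOnlyLoader.class.getClassLoader());
        this.trustedSigners = trustedSigners;
        this.policy = policy;
    }

    /** Define the class only if (signerId, signature) verifies over the raw bytes. */
    public Class<?> defineSigned(String name, byte[] classBytes, String signerId, byte[] signature)
            throws GeneralSecurityException {
        PublicKey key = trustedSigners.get(signerId);
        if (key == null) throw new SecurityException("unknown signer " + signerId);
        Signature verifier = Signature.getInstance("Ed25519");
        verifier.initVerify(key);
        verifier.update(classBytes);
        if (!verifier.verify(signature)) throw new SecurityException("bad signature on " + name);
        Class<?> c = defineClass(name, classBytes, 0, classBytes.length);
        signerOf.put(name, signerId);
        return c;
    }

    /** Anything not explicitly defined through defineSigned is refused. */
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        throw new ClassNotFoundException("refusing unsigned class " + name);
    }

    /** The check a generated method prologue would run; here it is called explicitly. */
    public void enforce(Method m) {
        Requires req = m.getAnnotation(Requires.class);
        if (req == null) return;                       // no requirement declared
        String signer = signerOf.get(m.getDeclaringClass().getName());
        Set<String> granted = Collections.emptySet();
        if (signer != null) granted = policy.getOrDefault(signer, Collections.emptySet());
        if (!granted.contains(req.value()))
            throw new SecurityException(m.getName() + " requires " + req.value()
                    + ", not granted to signer " + signer);
    }

    /** Demo payload whose compiled bytes get signed and reloaded through the loader. */
    public static class Greeter {
        @Requires("greet")   public String greet() { return "hello"; }
        @Requires("network") public String fetch() { return "fetched"; }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair(); // demo signer key
        String signer = "demo-vendor";

        // Read Greeter's compiled bytes from the classpath (run javac first, then java).
        String resource = "/" + Greeter.class.getName().replace('.', '/') + ".class";
        byte[] bytes;
        try (InputStream in = SignedOnlyLoader.class.getResourceAsStream(resource)) {
            if (in == null) throw new IllegalStateException(resource + " not found; compile with javac first");
            bytes = in.readAllBytes();
        }
        Signature s = Signature.getInstance("Ed25519");     // what the vendor's signing step does
        s.initSign(kp.getPrivate());
        s.update(bytes);
        byte[] sig = s.sign();

        SignedOnlyLoader loader = new SignedOnlyLoader(
                Map.of(signer, kp.getPublic()), Map.of(signer, Set.of("greet")));

        Class<?> g = loader.defineSigned(Greeter.class.getName(), bytes, signer, sig);
        Object instance = g.getConstructor().newInstance();
        Method greet = g.getMethod("greet");
        loader.enforce(greet);                                // "greet" is granted to this signer
        System.out.println("greet -> " + greet.invoke(instance));

        try { loader.enforce(g.getMethod("fetch")); }         // "network" is not granted
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }

        byte[] tampered = bytes.clone();                      // same signature, altered bytes
        tampered[tampered.length - 1] ^= 0x01;
        try { loader.defineSigned(Greeter.class.getName(), tampered, signer, sig); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }

        try { loader.loadClass("com.example.Unsigned"); }     // nothing unsigned gets defined
        catch (ClassNotFoundException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Compile with `javac SignedOnlyLoader.java` and run `java SignedOnlyLoader`. The signature is checked before `defineClass`, so a class with altered bytes never reaches the VM, and `findClass` refusing everything means the loader cannot be talked into defining unverified bytes through normal delegation. The remaining weakness is the one Simon points out: `enforce` only protects methods whose callers actually pass through it, which is why the proposal has the loader generate the check into the method itself.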