

As long as people are mentioning Java, I just want to make the
prediction, one more time, that at some point someone is going to find
some devastating security holes in HotJava.

In order for HotJava to be completely safe, the Java security model
needs to be perfect (and it is way too complex to prove correct), you
need a perfect implementation of this perfect security model, no code
in the Java implementation outside the security code can adversely
impact the function of the security code, and there has to be no way
that a bug in the code outside the Java implementation can screw with
the internals of the Java implementation in such a way as to get it to
drop its security.

I don't believe that humans can produce something that satisfies all
four criteria given our current state of technology. Java is just too
complex a language for me to believe that it can have been perfectly
specified and implemented.

Enormous risk -- I really mean ENORMOUS risk -- is being taken in
order to add a little convenience in making web applications pretty.
Someday, there is going to be big trouble from this. *BIG* trouble.

You heard it from me first.

You might ask "Perry, what could possibly satisfy your perfectionistic
criteria?" Well, a language that didn't have any I/O or similar
"dangerous" capabilities in it at all, rather than one in which such
capabilities were selectively "restricted", would be one I would feel
much more comfortable trusting. If written in a fairly safe language
where it is hard to pull buffer overflow tricks, the interpreter for
such a language would be very hard to pervert into doing untoward
things. Java isn't like that, though. It's got the full power and glory
of any other language, and the only thing sitting between a HotJava
app and some really nasty viral effect is a paper thin shield -- the
security model. A couple of bits twiddled in the right place and the
shield is gone.

The best things about Java could probably have been achieved without
giving it so much power. It's too late now, though. The bandwagon is
too far along. As a security consultant, I'm of course in a position
to profit from the wreckage, but frankly I don't like that any more
than an aircraft disaster expert wants to see more aircraft accidents.
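The design distinction the post draws, between a language in which a dangerous capability simply does not exist and one in which it exists but is gated by a check, can be made concrete with a toy. The following is an added illustration, not code from the original post or from any Java implementation; both interpreters, the stack language, the opcode names and the "host side effect" list are invented for the example. The point it shows is the one above: if a bug anywhere in the implementation corrupts the interpreter's internal state, the gated design loses its shield, while the capability-free design has no path to the host no matter what state it is in.

```python
# Added illustration (not from the original post): two toy interpreters for a
# tiny stack language, contrasting "capability is absent" with "capability is
# present but gated by a check".  All names here are invented for the example.

from typing import Callable, Dict, List, Tuple

# A simulated host resource.  A real applet sandbox would be guarding files,
# sockets and the like; here "doing I/O" just means appending to this list.
HOST_SIDE_EFFECTS: List[str] = []


def _push_const(stack: list, arg) -> None:
    stack.append(arg)


def _add(stack: list, arg) -> None:
    b, a = stack.pop(), stack.pop()
    stack.append(a + b)


def _host_write(stack: list, arg) -> None:
    # The "dangerous" primitive: the only op that reaches outside the VM.
    HOST_SIDE_EFFECTS.append(str(stack.pop()))


# Design A: the language has no I/O primitive at all.
PURE_OPS: Dict[str, Callable] = {"push": _push_const, "add": _add}


class RestrictedInterpreter:
    """Design B: the primitive exists, and a boolean decides whether it may run."""

    def __init__(self) -> None:
        self.ops: Dict[str, Callable] = {**PURE_OPS, "write": _host_write}
        self.io_allowed = False  # the "paper-thin shield"

    def run(self, program: List[Tuple[str, object]]) -> list:
        stack: list = []
        for op, arg in program:
            if op == "write" and not self.io_allowed:
                raise PermissionError("write denied by security check")
            self.ops[op](stack, arg)
        return stack


class PureInterpreter:
    """Design A: no check is needed because there is nothing to check."""

    def __init__(self) -> None:
        self.ops: Dict[str, Callable] = dict(PURE_OPS)

    def run(self, program: List[Tuple[str, object]]) -> list:
        stack: list = []
        for op, arg in program:
            if op not in self.ops:
                raise KeyError(f"no such primitive: {op}")
            self.ops[op](stack, arg)
        return stack


# Constructed sample program: compute 20 + 22 and try to hand it to the host.
PROGRAM: List[Tuple[str, object]] = [
    ("push", 20), ("push", 22), ("add", None), ("write", None),
]


def simulate(interpreter, corrupt_state: bool) -> str:
    """Run PROGRAM on the given interpreter.

    If corrupt_state is set, first simulate a bug elsewhere in the
    implementation scribbling over the interpreter's internal state (modelled
    as every boolean attribute being forced to True).  Returns one of
    'denied' (check held), 'absent' (primitive does not exist),
    'escaped' (host side effect happened) or 'no-effect'.
    """
    HOST_SIDE_EFFECTS.clear()
    if corrupt_state:
        for name, value in list(vars(interpreter).items()):
            if isinstance(value, bool):
                setattr(interpreter, name, True)
    try:
        interpreter.run(PROGRAM)
    except PermissionError:
        return "denied"
    except KeyError:
        return "absent"
    return "escaped" if HOST_SIDE_EFFECTS else "no-effect"


if __name__ == "__main__":
    for label, make in (("restricted", RestrictedInterpreter),
                        ("pure", PureInterpreter)):
        for corrupt in (False, True):
            print(f"{label:10} corrupt={corrupt!s:5} -> {simulate(make(), corrupt)}")
```

In the gated design the outcome depends entirely on one boolean that code outside the security check can reach; in the capability-free design the outcome is the same whatever the interpreter's state, because the dispatch table never contained a host-facing operation. That is the property the post is asking for: correctness of the security boundary should not rest on every other part of the implementation being bug-free.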