[4749] in WWW Security List Archive
RE: Latest Java hole is Netscape/Sun only
daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Mon Mar 10 15:03:48 1997
From: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
To: "'Thomas Reardon'" <thomasre@microsoft.com>, "'Tazman'" <taz@kensico.com>,
"schemers@stanford.edu" <schemers@stanford.edu>
Cc: "'Bob Denny'" <rdenny@dc3.com>,
"'WWW Security List'"
<WWW-SECURITY@ns2.rutgers.edu>
Date: Mon, 10 Mar 1997 12:57:31 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
>Java is open and platform independent. Java has been tested and reviewed by many
>security experts and researchers.
>Let me be clear: Java is platform-independent to some extent (I mean, you
>need similar hardware, 256-color graphics, etc for just about every
>'platform' JDK 1.1 works on), but IT IS NOT OPEN. It is proprietary Sun
>technology. I am not trying to shift the argument, but I want that on
>the record since we are constantly getting beaten up on what is open vs.
>closed.
I was present when we did a security review of Java here at MIT
about a year ago. We had two engineers down from Sun to talk
about it (one of them used to be in my group here at MIT). Present
were Ron Rivest and Butler Lampson of Microsoft (and adjunct Prof.
at MIT).
On the whole there were very few people present that had much
confidence in the Java sandbox. The difficulty of implementation had
already been made clear by a number of security failures, and the
central paradox remained: the sandbox approach stopped an applet
affecting anything that _mattered_, meaning that it could do nothing
that mattered. To do useful work you had to let the applet outside the
sandbox.
The who+what solution would be preferable. Of these the Who part is
significantly easier than the What. People have been thinking about
the who issue for years and there are companies such as Verisign
who can provide infrastructure under contract. While the actual solution
deployed is not actually "who" but a certification of an identification
process, this is a detail that most people don't have to worry about.
To do the What and make it work, the only credible approach in my
view is to use formal methods to prove the security properties of the
system. A computer language is simply too complex to be considered
without some powerful tool. Mathematics is that tool.
Unfortunately we are far from a formal treatment of that area. What little
work has been performed in the area of formal demonstrations of
security is far from complete.
The second major problem is that there are few examples of applying
formal methods to large or even medium sized projects. I'm not sure that
the meta-synthesis approach I developed at ZEUS* could be applied in
this instance. At the very least developing a formal treatment of resource
access would be very difficult.
It is possible that some compromise between formal and informal proofs
could provide a system in which a high degree of confidence could be
placed. This is a considerably harder problem than the Who issue.
While I dispute Thomas's earlier assertion that "software will always have
bugs" - we can prove the contrary for significant parts of ZEUS - we do not
as yet have a technology which allows us to treat security in a formal
manner.
Phill
* ZEUS Zearch to Elucidate Underlying Symmetry, one of the two
experiments on the HERA proton/electron collider at Hamburg. ZEUS
is the largest embedded computing system in the world with a
data bandwidth of 6Tb/sec. ZEUS and its sister experiment H1
recently announced evidence of a fifth force through proton/positron
events that demonstrated the existence of leptoquarks.