[4763] in WWW Security List Archive
Real world vs. the lab (was Re: Latest Java hole is Netscape/Sun only)
daemon@ATHENA.MIT.EDU (Jay Heiser)
Tue Mar 11 13:18:42 1997
Date: Tue, 11 Mar 1997 11:29:38 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Phillip M. Hallam-Baker wrote:
> I was present when we did a security review of Java here at MIT
> about a year ago. We had two engineers down from Sun to talk
>.......
> On the whole there were very few people present that had much
> confidence in the Java sandbox. The difficulty of implementation had
> already been made clear by a number of security failures and the
In practical terms, I'm not sure that it's fair to characterize what was
done in the lab as a 'security failure'. What commercial software could
withstand this level of scrutiny? I'm going to suggest that Java has
received so much attention from CompSci students because it is a
challenge. While this is improving the breed, which is great, it doesn't
mean that production systems are failing because of Java bugs.
Viruses are rampant, disgruntled employees steal data and accidental
file losses are common. These are security failures of real systems
doing real work being used by real people. What would happen if a group
of university rocket scientists put their heads together and made some
spiffy new virus?
This would be typical of the real security failures happening daily, but
would it make the news?
> The second major problem is that there are few examples of applying
> formal methods to large or even medium sized projects. I'm not sure that
> the meta-synthesis approach I developed at ZEUS* could be applied in
> this instance. At the very least developing a formal treatment of resource
> access would be very difficult.
> It is possible that some compromise between formal and informal proofs
> could provide a system in which a high degree of confidence could be
> placed. This is a considerably harder problem than the Who issue.
As fashionable as it sometimes is to characterize commercial software
vendors as being callous and negligent, I've been there and I can tell
you it isn't necessarily a reliable way to support your family.
Software vendors don't get tenure. Software vendors make products that
they think people will buy.
Can you foresee some commercially practical way to create better
software? What would have happened if Sun had taken another 6-12 months
working on Java security? Would it have resulted in a product that
generated significantly more demand? Would it still have allowed Sun to
be at the forefront of one of the hottest areas in computing today?
We'd all like better software, but I'm not sure that it's practical
today. (I buy into the 'all software has bugs' argument).
The market is going to make the decisions on what technology is popular
and what dies on the virtual vine. The mass market is usually not
motivated by strong concerns about either security or software
development rigor. I'm not going to place a value judgement on mass
behavior, but accommodating it is how most people make their living.
When a group of academics find an obscure hole in Java and generate a
lot of media attention, they are pandering to mass market behavior just
like the software vendors who make the sloppy stuff in the first place.
I don't see any way to stop the momentum behind the demand for
executable content. The challenge is to work with the system to improve
it.
--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com