
Re: definition of security and safe?

daemon@ATHENA.MIT.EDU (Chuck McManis)
Mon May 8 16:53:21 1995

Date: Mon, 8 May 1995 13:26:06 -0700
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
To: java-interest@java.Eng.Sun.COM, Brian.G.Beuning@att.com

>I guess my basic question is
>``What are the Java definitions of "security" and "safe"?''

Safe:	The property whereby the "host environment" is protected from
    	damage by code, either malicious or simply broken.

Secure: The property whereby access to "actions" in the host environment
	is withheld from code that is untrusted.

Trust:	The subjective property of how much access a user is willing to
	cede to a program after knowing, with a high level of confidence,
	the origin, author, and validity of a piece of code.

Java as a language is "safe" in that it is designed such that legal code
is unable to corrupt, or modify, the runtime in which it executes. This
safety extends to the design of the interpreted form of the language
which is exchanged over untrusted channels. This aspect of the language
guarantees that those features in the runtime that are used to build
security and trust mechanisms are not compromised by loaded code. 

HotJava, the browser, is "safe" in that the classes that are used to
implement HotJava are designed to protect the underlying OS from damage
from the external code loaded by the browser. Further, it attempts to
prevent second order damage as well (disclosure of information from
one security domain to another). It is significantly more difficult
to "know" you've covered all of the second order problems; however, the
ability to "patch" HotJava by single class replacement provides a
mechanism whereby the window of vulnerability can be closed more rapidly
than it can in other browsers on the market.

Java as a language is "secure" in that it is designed so that all actions
are instantiated as method calls on classes and access to those classes
is strictly controlled by the class loader architecture. The safety
features of the language ensure that the class loader is not defeated
and the class loader ensures that access to a class (and thus objects
of that class) is not granted to untrusted classes. 

HotJava is "secure" in that it is designed to distrust classes that are
loaded from untrusted security domains (e.g. the Internet). Classes that
are not trusted have limited access to classes, and with those classes
where access is granted, the implementation of the class often places limits
on the methods themselves. For example the ClassLoader provides access
to the "FileInputStream" and "FileOutputStream" classes but those classes
only allow untrusted classes to open files in ~/.hotjava and /tmp/hotjava
and even those accesses are confirmed via a dialog with the user.

The Java language is "trustable" because Java classes can be cryptographically
signed as to their author and origin. The signed class loader and the utility
to sign classes is not part of the current release but will be part of Beta.
The ability to sign classes is possible because J-code (the Java bytecode
format) is identical across all platforms.

The HotJava browser is "trustable" because you can get the source to it and
we (Sun) will be posting a verifiable signature for the binary release.
Again we've not done this at present but plan to for the beta release.

--Chuck McManis

-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com
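The directory restriction Chuck describes for untrusted classes (files only under ~/.hotjava or /tmp/hotjava, and only after the user confirms) as an added example, not code from the message or from HotJava: a hypothetical UntrustedFilePolicy that grants an open only when the requested path canonicalizes under an allowed root, so ".." and symlinks cannot escape it, and a confirmation callback standing in for the dialog returns true. The class, method names and the tmpdir-based root are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

/** Hypothetical policy modelled on the ~/.hotjava and /tmp/hotjava rule; not HotJava's code. */
public final class UntrustedFilePolicy {
    private final List<File> allowedRoots = new ArrayList<>(); // canonical roots untrusted code may use
    private final Predicate<File> userConfirms;                 // stand-in for the confirmation dialog

    public UntrustedFilePolicy(List<File> roots, Predicate<File> userConfirms) throws IOException {
        for (File r : roots) {
            allowedRoots.add(r.getCanonicalFile()); // canonicalize the roots once, up front
        }
        this.userConfirms = userConfirms;
    }

    /** Grants the open only if the canonical path is inside an allowed root and the user confirms. */
    public boolean mayOpen(File requested) {
        File canonical;
        try {
            canonical = requested.getCanonicalFile(); // resolves ".", "..", and symlinks
        } catch (IOException e) {
            return false; // unresolvable path: deny by default
        }
        for (File root : allowedRoots) {
            if (isStrictlyUnder(canonical, root)) {
                return userConfirms.test(canonical); // the dialog step from the message
            }
        }
        return false; // path lies outside every allowed root
    }

    /** True if some ancestor directory of path equals root (the root itself does not count). */
    private static boolean isStrictlyUnder(File path, File root) {
        for (File p = path.getParentFile(); p != null; p = p.getParentFile()) {
            if (p.equals(root)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        File root = new File(System.getProperty("java.io.tmpdir"), "hotjava"); // assumed stand-in for /tmp/hotjava
        root.mkdirs();
        UntrustedFilePolicy policy = new UntrustedFilePolicy(List.of(root), f -> true); // user always confirms
        System.out.println(policy.mayOpen(new File(root, "cache.dat")));                     // inside the root
        System.out.println(policy.mayOpen(new File(root, "../../etc/passwd")));              // ".." leads outside the root
        System.out.println(policy.mayOpen(new File(System.getProperty("user.home"), ".x"))); // not under any root
    }
}
```

Replace the `f -> true` predicate with a real prompt to reproduce the confirmation step; the canonicalization is what keeps a relative or symlinked path from escaping the allowed directories.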
