Re: Security Manager Criticism

Li Gong (gong@games.eng.sun.com)
Thu, 11 Dec 1997 11:05:14 -0800

Date: Thu, 11 Dec 1997 11:05:14 -0800
Message-Id: <199712111905.LAA19267@games.eng.sun.com>
From: Li Gong <gong@games.eng.sun.com>
To: James Sangroniz <James_Sangroniz@hp-boise-om8.om.hp.com>
Subject: Re: Security Manager Criticism
In-Reply-To: James Sangroniz's mail of Thu, 11 December, 1997

This sort of argument sounds good in the abstract but should be viewed
within a wider context.

James Sangroniz writes:
> D. Dean et al. in "Java Security: From HotJava to Netscape and Beyond"
> http://www.cs.princeton.edu/sip/pub/secure96.html, contend that
> as a reference monitor the Java Security Manager fails on all three
> fronts.
> 1. It is not always invoked - relies on the implementor of the VM to call
> the SM.

Well, "someone" has to invoke a security check somewhere, right? Even
if it is "automatic", someone wrote a piece of code to do it. In our
case, whoever implements the JVM and the APIs writes this piece of code. And
if you use our version, you do not have to write it. So what is wrong
with this? Who do you prefer to write this piece of code?

> 2. Is not tamper proof

What is tamper proof these days? The PC on which you run JVM is not
tamper proof, DOS/Windows95/NT are not tamper proof. So what does it
do to make JVM tamper proof?

> 3. Is not verifiable - It's written in Java and Java has no formal
> semantics.

What other language do you prefer? C? C has a formal semantics? What
is verifiable these days? DOS is verifiable? If not, it is not much
help if anything that runs on top of it is verifiable. And how to verify
something like a large piece of code? No modern technology in the
formal verification world can handle a piece of large code.

You may want to ask the authors to tell you, and us, how they propose
that we go about these issues. Cheers.

Li

--
Li Gong, PhD
Java Security Architect and Senior Engineering Manager
JavaSoft, Sun Microsystems, Cupertino, California, USA
Email: gong@eng.sun.com
Web: http://java.sun.com/people/gong
Tel: 408-343-1825 and Fax: 408-343-1993