From: fc@all.net (Dr. Frederick B. Cohen)
Date: Tue, 17 Oct 95 09:15:06 PDT
To: jamesd@echeque.com (James A. Donald)
Subject: Re: java flaw
In-Reply-To: <199510171504.IAA17210@blob.best.net>
Message-ID: <9510171612.AA25185@all.net>
MIME-Version: 1.0
Content-Type: text


> 
> At 06:59 AM 10/17/95 UTC, jerry the golden retriever wrote:
> > A security feature in Java scans for viruses before activating the
> > applet.
> 
> I hope that this is false.
> 
> Even if one had genuine artificial intelligence, it would be impossible
> to detect all viruses, only particular viruses and classes of virus.
> 
> If Java is secure, virus scanning should be unnecessary, indeed 
> impossible, because there could be no code configuration capable
> of acting as a virus.
> 
> If virus scanning occurs, then it is possible to write a virus in Java,
> then Java is inherently insecure.

To be more precise, if there is programming, sharing, and transitive
information flow, viruses can reproduce and spread (as proven
mathematically in the mid-1980s).  Sice Java offers sharing of
programs and (for not at least) transitive information flow, viruses
are possible.

-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236