1995-10-18 - Re: java flaw

Header Data

From: Scott Brickner <sjb@universe.digex.net>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: 5c985273bfe90d6123402421f94b4e69a0fe853b581b4b4acf446e45fee23857
Message ID: <199510180030.UAA16655@universe.digex.net>
Reply To: <9510171612.AA25185@all.net>
UTC Datetime: 1995-10-18 00:30:19 UTC
Raw Date: Tue, 17 Oct 95 17:30:19 PDT

Raw message

From: Scott Brickner <sjb@universe.digex.net>
Date: Tue, 17 Oct 95 17:30:19 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: java flaw
In-Reply-To: <9510171612.AA25185@all.net>
Message-ID: <199510180030.UAA16655@universe.digex.net>
MIME-Version: 1.0
Content-Type: text/plain


Dr. Frederick B. Cohen writes:
>> 
>> At 06:59 AM 10/17/95 UTC, jerry the golden retriever wrote:
>> > A security feature in Java scans for viruses before activating the
>> > applet.
>> 
>> I hope that this is false.

It is.  Java scans the applet to make sure it doesn't try to cheat
the interpreter into violating the object access rules.  The scanning
has nothing to do with viruses.

>> Even if one had genuine artificial intelligence, it would be impossible
>> to detect all viruses, only particular viruses and classes of virus.
>> 
>> If Java is secure, virus scanning should be unnecessary, indeed 
>> impossible, because there could be no code configuration capable
>> of acting as a virus.
>> 
>> If virus scanning occurs, then it is possible to write a virus in Java,
>> then Java is inherently insecure.
>
>To be more precise, if there is programming, sharing, and transitive
>information flow, viruses can reproduce and spread (as proven
>mathematically in the mid-1980s).  Since Java offers sharing of
>programs and (for now at least) transitive information flow, viruses
>are possible.

Java doesn't try to prevent viruses (viri?).  It doesn't even claim
such.  It *does* make claims that imply limits on what the virus can
do, though.  If the virus does no more than eat up CPU cycles, it's
fairly benign.  Java is supposed to prevent viruses that destroy files
and damage equipment.  This feature isn't restricted to viruses, though.
Even non-replicating programs aren't supposed to be able to hurt anything.

Whether they achieve this goal or not is a matter of some debate.




