From: Scott Brickner <sjb@universe.digex.net>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: 5c985273bfe90d6123402421f94b4e69a0fe853b581b4b4acf446e45fee23857
Message ID: <199510180030.UAA16655@universe.digex.net>
Reply To: <9510171612.AA25185@all.net>
UTC Datetime: 1995-10-18 00:30:19 UTC
Raw Date: Tue, 17 Oct 95 17:30:19 PDT
From: Scott Brickner <sjb@universe.digex.net>
Date: Tue, 17 Oct 95 17:30:19 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: java flaw
In-Reply-To: <9510171612.AA25185@all.net>
Message-ID: <199510180030.UAA16655@universe.digex.net>
MIME-Version: 1.0
Content-Type: text/plain
Dr. Frederick B. Cohen writes:
>>
>> At 06:59 AM 10/17/95 UTC, jerry the golden retriever wrote:
>> > A security feature in Java scans for viruses before activating the
>> > applet.
>>
>> I hope that this is false.
It is. Java scans the applet to make sure it doesn't try to cheat
the interpreter into violating the object access rules. The scanning
has nothing to do with viruses.
>> Even if one had genuine artificial intelligence, it would be impossible
>> to detect all viruses, only particular viruses and classes of virus.
>>
>> If Java is secure, virus scanning should be unnecessary, indeed
>> impossible, because there could be no code configuration capable
>> of acting as a virus.
>>
>> If virus scanning occurs, then it is possible to write a virus in Java,
>> then Java is inherently insecure.
>
>To be more precise, if there is programming, sharing, and transitive
>information flow, viruses can reproduce and spread (as proven
>mathematically in the mid-1980s). Sice Java offers sharing of
>programs and (for not at least) transitive information flow, viruses
>are possible.
Java doesn't try to prevent viruses (viri?). It doesn't even claim
such. It *does* make claims that imply limits on what the virus can
do, though. If the virus does no more than eat up CPU cycles, it's
fairly benign. Java is supposed to prevent viruses that destroy files
and damage equipment. This feature isn't restricted to viruses, though.
Even non-replicating programs aren't supposed to be able to hurt anything.
Whether they achieve this goal or not is a matter of some debate.
Return to October 1995
Return to “Scott Brickner <sjb@universe.digex.net>”