1995-10-11 - Re: java security concerns

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: Ray Cromwell <rjc@clark.net>
Message Hash: 5de36e4895df2206e3bfbd38a781e4341ae6ff54bf0f26f29b204f65e37fdf87
Message ID: <199510111318.JAA14723@jekyll.piermont.com>
Reply To: <199510110550.BAA02068@clark.net>
UTC Datetime: 1995-10-11 13:19:04 UTC
Raw Date: Wed, 11 Oct 95 06:19:04 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Wed, 11 Oct 95 06:19:04 PDT
To: Ray Cromwell <rjc@clark.net>
Subject: Re: java security concerns
In-Reply-To: <199510110550.BAA02068@clark.net>
Message-ID: <199510111318.JAA14723@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Ray Cromwell writes:
>    I agree, however I would point out that not all postscript interpreters
> are emasculated (especially those on unix systems like IRIX, they contain
> all kinds of calls to fork(), read()/open(), etc).

Many postscript interpreters are a serious security threat. However, I
found it fairly easy to chop enough of the code out for the one I run
that I feel safe with it -- the exercise wasn't that hard.

> Nothing in the Java spec tells you that you must call fork() in a
> Java interpreter implementation. In fact, Java has nothing to do
> with the GUI calls, the network calls, etc. You can support as much
> or as little system I/O in a Java implementation as you want.

Yes, but in practice, to support the given applets that Netscape will
be browsing you have to open the kimono a bit too much overall. With
sufficient emasculation, I believe Java could be made safe, but then
it wouldn't be the Java that Sun and Netscape are pushing any more.

Perry




