From: “Perry E. Metzger” <perry@piermont.com>
To: cmcmanis@scndprsn.eng.sun.com (Chuck McManis)
Message Hash: 77e8fedb3dc9245d96e959dd4257e775208a217e03a807de3eb9e56c24295d33
Message ID: <199510092322.TAA24567@jekyll.piermont.com>
Reply To: <9510091642.AA28211@pepper.Eng.Sun.COM>
UTC Datetime: 1995-10-09 23:22:31 UTC
Raw Date: Mon, 9 Oct 95 16:22:31 PDT
From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 9 Oct 95 16:22:31 PDT
To: cmcmanis@scndprsn.eng.sun.com (Chuck McManis)
Subject: Re: java security concerns
In-Reply-To: <9510091642.AA28211@pepper.Eng.Sun.COM>
Message-ID: <199510092322.TAA24567@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain
Chuck McManis writes:
> Perry pointed out the standard set of concerns that anyone should have with
> Java. About the only thing I'd care to dispute at the moment is that Java
> is a "large complicated" application. It is in fact less than 20K lines of
> C code.
Sendmail is about 29K lines of C code -- not significantly larger by
my standards -- and has proven nearly impossible to secure.
> And while it is true that applications of even this size are
> difficult to prove safe, there has been an effort to break that problem
> up into components such that each "layer" can be proven safe and where
> that layer is used that safety carries over.
Sendmail performs a much simpler task and has not proven secure.
Look, I'm not arguing that you and the rest of the Java folks aren't
smart people who have worked very hard. I've got a great deal of
respect for Gosling and the rest of you guys. Unfortunately, you've
taken on an impossible task. Marcus Ranum has noted that you can't
trust a program thats bigger than a couple of pages long, and I
believe he's right. Thats why when there is a program that I
absolutely have to trust I make sure it isn't any longer than
that. (This is frequently a very practical thing, by the way.)
As an aside, have you tried breaking your own program? Spend a week on
it some time. Its usually an educational experience and it breaks you
out of the mindset you have fixed in for a while.
As people have found out, it has proven possible to core dump the Java
interpreter. That means that your implementation has contained flaws
that potentially permitted people to do unplanned things to the state
of the interpreter.
By the way, I suggest that Sun should offer a large money prize for
the first significant security hole found the Java implementation. Its
a tiny price to pay for security.
Perry
Return to October 1995
Return to “Simon Spero <ses@tipper.oit.unc.edu>”