From: Simon Spero <ses@tipper.oit.unc.edu>
To: “Perry E. Metzger” <perry@piermont.com>
Message Hash: eb86869593f618d28f20c07a10a548ec41be3ccab5baa7fb2adf1519241062a0
Message ID: <Pine.SOL.3.91.951009165759.13562G-100000@chivalry>
Reply To: <199510092305.TAA24544@jekyll.piermont.com>
UTC Datetime: 1995-10-10 00:07:54 UTC
Raw Date: Mon, 9 Oct 95 17:07:54 PDT
From: Simon Spero <ses@tipper.oit.unc.edu>
Date: Mon, 9 Oct 95 17:07:54 PDT
To: "Perry E. Metzger" <perry@piermont.com>
Subject: Re: netscape mail starts java attachments upon get new mail...
In-Reply-To: <199510092305.TAA24544@jekyll.piermont.com>
Message-ID: <Pine.SOL.3.91.951009165759.13562G-100000@chivalry>
MIME-Version: 1.0
Content-Type: text/plain
On Mon, 9 Oct 1995, Perry E. Metzger wrote:
>
> "Josh M. Osborne" writes:
> > As far as I know Java apps can only make network connections to the
> > IP address they were loaded from.
>
> That might be the design, but we know that it is hard to faithfully
> implement very complicated designs.
>
The design of java is supposed to make analysing for security easier than
it might be in other similarly sized systems- whether it does this or not
is something that needs to be checked for carefully.
The three components that need to be analysed are the class loader, the
implementation of the JVM, and the code to check network connections.
Analysing the VM and the class loader should be a simple (hah) matter of
structural induction (possibly a two step process of converting the vm
description into a denotational semantics and analysing that, followed by a
proof that the vm is a faithful implemenation of those semantics.)
the networking code is simple to prove safe if the VM and classloader
can be shown to be safe.
Simon
Return to October 1995
Return to “Simon Spero <ses@tipper.oit.unc.edu>”