Date: Thu, 24 Jul 1997 11:05:20 -0700
Message-Id: <199707241805.LAA00656@puffin.eng.sun.com>
From: Marianne Mueller <mrm@Eng>
To: missiaen@nc3a.nato.int
Subject: Re: help me convince bureaucrats

In addition to Word macros, postscript files, or any executable format
(JavaScript, ActiveX components ...) are liable to get up to
mischief. I personally am dubious that virus checkers insulate one
against these threats, but it's important that people perform a
risk/benefit analysis. I agree with you that people seem to put on
a special pair of glasses when evaluating Java. I think this is
because it's different and not understood, and also, there has been so
much publicity about Java that people are confused.

A distinction between Java and the other executable models is that
Java does *have* a security model. The intent is to limit execution
of downloaded Java code to a restricted set of activities. This is
what we call running applets in the sandbox. There have been
implementation bugs, most prominently (in the media) those found by
the researchers at Princeton, in which they demonstrated a way to
break out of the sandbox. These bugs were all promptly fixed and
fixes given to Java licensees immediately. This doesn't mean the
sandbox is 100% bug free - I don't believe there is any software that
is 100% bug free - but we are airing the Java model and implementation
very publicly. This is another big difference between Java and
other models. People hear more about the Java security model, simply
because we do make the full source implementation freely available to
any researchers who want to look at it. I don't believe that is the
case for any other executable format. Since it's easy to analyze
Java, and since we deliberately try to make it easy for everyone to
analyze Java, there is a lot more analysis done on Java than there is
on models that perhaps are less safe, but whose design and
implementation are opaque.

We don't have anything specifically that you can show to your sysadmin
about this topic, but you might try looking at these documents:
* http://java.sun.com/marketing/collateral/security.html
* SFAQ - the Security FAQ has a listing of all the bugs that
got a lot of coverage in the media, along with a description
of the bug and how/when it was fixed. This gives you a rough
chronology of how the sandbox has fared over the past 18
months. The SFAQ also has a colloquial description (not
a spec!) of what the sandbox is and how it works.

The main Java security page is
There is a hypermail Q&A archive at
http://jserv.javasoft.com/hypermail/java-security-archive/index.html

Marianne
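Added illustration, not part of Marianne's message and not Sun's own sandbox code: a hypothetical SecurityManager in Java that enforces two of the classic applet-sandbox restrictions described above, no local file reads and network connections only back to the host the code was loaded from. The class names, origin host and file path are constructed for the example; the SecurityManager API is deprecated in current JDKs and on JDK 18 and later the JVM must be started with -Djava.security.manager=allow.

```java
import java.io.FileReader;
import java.io.IOException;

// Hypothetical sketch of the applet "sandbox" idea from the message, using the
// classic java.lang.SecurityManager API (deprecated since JDK 17; on JDK 18+
// the JVM must be started with -Djava.security.manager=allow).
public class AppletSandboxDemo {
    // Downloaded code may not read local files and may only open network
    // connections back to the host it was loaded from.
    static final class AppletSandbox extends SecurityManager {
        private final String originHost;
        AppletSandbox(String originHost) { this.originHost = originHost; }

        @Override public void checkRead(String file) {
            throw new SecurityException("local file read denied: " + file);
        }
        @Override public void checkConnect(String host, int port) {
            if (!host.equalsIgnoreCase(originHost)) {
                throw new SecurityException("connect to " + host + " denied");
            }
        }
    }

    // FileReader invokes the installed manager's checkRead before opening.
    static String tryRead(String file) {
        try (FileReader r = new FileReader(file)) {
            return "allowed: " + file;
        } catch (SecurityException e) {
            return "blocked by sandbox: " + e.getMessage();
        } catch (IOException e) {
            return "allowed by sandbox, I/O failed: " + e.getMessage();
        }
    }

    // java.net.Socket performs this same check internally; calling it directly
    // keeps the demo free of real network traffic.
    static String tryConnect(String host, int port) {
        try {
            System.getSecurityManager().checkConnect(host, port);
            return "allowed: " + host + ":" + port;
        } catch (SecurityException e) {
            return "blocked by sandbox: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Origin host and paths below are constructed placeholders.
        System.setSecurityManager(new AppletSandbox("applets.example.org"));
        System.out.println(tryRead("/etc/passwd"));                 // blocked
        System.out.println(tryConnect("applets.example.org", 80));  // allowed
        System.out.println(tryConnect("intranet.example.org", 80)); // blocked
    }
}
```

The point the message makes still holds here: the restrictions are only as good as the implementation of every check, which is why the sandbox escapes it mentions were implementation bugs rather than flaws in the model itself.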