[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Marc Stiegler marcs@skyhunter.com
Tue, 2 Jan 2001 12:33:40 -0700


Scott,

I haven't read all this thread properly, but I can give the following piece
a quick response:

> At 10:51 PM Saturday 12/23/00, Scott Smith wrote:
> >I like capabilities a lot myself due to my actor background.  But, I
> >don't (yet) consider them "better" necessarily than the other security
> >models such as Java's.  One thing I would like to do sometime is get a
> >reading of what people here think of the Java 2 model.

The Java 2 model is not bad for a patchwork on something fundamentally
broken. But I believe it is not adequate for even simple purposes. As a
tiny, off-the-cuff example, the Security Manager treats the system clipboard
as a fine-grain authority, which is totally useless: I have to have
tremendous trust in an application to allow it such power that it can sit
there banging continuously on my clipboard, reading every confidential word
I copy/paste between other documents, replacing those words with something
else that may completely twist my meaning but so similar I might miss the
change in a cursory review of the results of my paste operation. One could
only consider the ability to turn the clipboard on/off a security solution
if one is coming from a world hopelessly devoid of any security at
all...which is of course the case for Windows users.

Let me give you a really important example of something I will have working
with E and caplets in the next couple of months. I believe this example is
not possible with the Java 2 security model...unless I have misunderstood
the Security Manager's behavior...which is quite possible, please let me
know if I'm confused, and the Security Manager can really handle the
following case:

Browse the Web, find a text-editing applet/caplet with good reviews (or a
text-editing app written by a malicious cracker, hey, the editor could fall
in both these categories at the same time :-). Load the app on your local
machine, specify the local confidential file you want to edit (location and
name of the file to be specified in real time, with a file dialog or drag/drop
or some such thing), edit the file and save it to the same place. At no
time be at risk of having the foreign-born text editor compromise the files
in your operating system, at no time be at risk of having the data in this
confidential file--or in any other confidential file--leaked from your
machine.

Until we have systems that allow this ludicrously simple security problem to
be solved, we can never have serious security. Yet I believe that Java 2
still has at least 2 fundamental flaws for this scenario:

1) Java applets get a connection to the server-of-origin by default, meaning
your confidential data is free for the asking to the people who posted the
editor on the web;

2) The Security Manager has no way of interacting in realtime with either
the file dialog boxes, or the drag/drop system, or any other
file-designation tool, to allow it to work cleanly with the user to grant
read/write authority to a single file of the user's choosing but no others.

And then there are the problems with window forgery, completely unconsidered
in the Java 2 Security Model, which I will also have solved in a couple of
months for E caplets.

Lastly, I do hope everyone understands that the ability to "sign" applets
and applications has nothing to do with security. Signing apps is what
marketing people propose when technical people explain that real security is
not possible; it allows the tool developer to blame the victim when a signed
app engages in malicious action (hey, the victim authorized the app, didn't
he? It's his own fault).

Hopefully this constitutes enough examples of what is wrong with Java 2 so
you can stop treating it like a serious undertaking :-)

Though I do not discuss Java 2 directly in the book E in a Walnut, you might
want to read the chapter on Secure Distributed Computing for a discussion of
interesting security issues, each issue making available a Question For The
Reader, "can the Java 2 security model address this?" Find the book draft at

http://www.skyhunter.com/marc.html

In answering questions of the form, "can the Java 2 security model address
this?", also remember that a complicated system cannot be a secure system.
There are some problems which Java 2 can nominally solve, but only by
introducing sufficient additional machinery and mechanism that you have to
ask, "did I violate the requirement for simplicity?"

--marcs
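The following is an added illustration, not code from Marc's post, from E, or from the Java 2 platform itself. It sketches in plain Java how the "edit one user-chosen confidential file, nothing else" scenario from the post looks under capability discipline: the host (the code that owns the file dialog) opens the chosen file and hands the downloaded editor a single object that can read and write only that file. The editor never sees a path, a `File`, or a socket, so there is nothing for it to reach for. The names `EditableDocument`, `SingleFileCapability` and `ForeignEditor` are hypothetical, the "editor" logic is a stand-in, and the temporary files stand in for the user's pick from a file dialog. It needs Java 11 or later for `Files.readString`/`Files.writeString`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/*
 * Under the Java 2 model the comparable grant would be a static policy clause,
 * written before the user has chosen anything, e.g.
 *
 *   grant codeBase "http://example.invalid/editor/" {
 *     permission java.io.FilePermission "/home/user/-", "read,write";
 *   };
 *
 * which names a directory tree, not the one file picked at run time.
 * The object below is the run-time, per-file alternative.
 */

/** The only authority the untrusted editor ever receives: one document's contents. */
interface EditableDocument {
    String read() throws IOException;
    void write(String newContents) throws IOException;
}

/** Host-side capability wrapping one user-chosen path. The path is never exposed. */
final class SingleFileCapability implements EditableDocument {
    private final Path path; // private and final: the holder cannot learn or redirect it

    SingleFileCapability(Path path) {
        this.path = path;
    }

    @Override
    public String read() throws IOException {
        return Files.readString(path);
    }

    @Override
    public void write(String newContents) throws IOException {
        Files.writeString(path, newContents);
    }
}

/** Stand-in for the editor downloaded from the web. It sees only what it is handed. */
final class ForeignEditor {
    /** Hypothetical "edit": upper-case the text and save it back through the capability. */
    void edit(EditableDocument doc) throws IOException {
        String text = doc.read();
        doc.write(text.toUpperCase());
        // No Path, File, or Socket is in scope here: the editor cannot name any
        // other file, and cannot phone home, unless the host chose to pass it one.
    }
}

public class CapabilityEditorDemo {
    public static void main(String[] args) throws IOException {
        // Constructed sample input: the file the user "chose" and one they did not.
        Path chosen = Files.createTempFile("confidential", ".txt");
        Files.writeString(chosen, "secret plan\n");
        Path other = Files.createTempFile("other", ".txt");
        Files.writeString(other, "untouched\n");

        // The host converts the dialog's pick into exactly one capability.
        EditableDocument cap = new SingleFileCapability(chosen);
        new ForeignEditor().edit(cap);

        System.out.print(Files.readString(chosen)); // SECRET PLAN
        System.out.print(Files.readString(other));  // untouched

        Files.deleteIfExists(chosen);
        Files.deleteIfExists(other);
    }
}
```

The point of the example is the shape of the authority, not the Java: the editor's reach is the set of object references it holds, so granting "this one file" is just passing one object, and the grant is made at the moment the user picks the file. That only holds if the editor's code runs with no ambient authority of its own (no default file or network access from the platform), which is exactly the property the post says the Java 2 applet model lacked. Note also that the `SecurityManager` the post discusses was deprecated for removal in JDK 17 (JEP 411), so on current JDKs the static-policy alternative sketched in the comment is no longer the supported path either.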