by Paul Kerstein

Sun Asks Java Developers to Test Security Technology

Nov 03, 2005
Sun Microsystems Inc. is inviting its software developer community to try to find vulnerabilities in a security technology that it plans to integrate into its upcoming Java Platform Standard Edition 6 software, scheduled for release next summer.

The company on Monday launched an initiative called “Crack the Verifier,” under which Java developers and Sun’s own engineers will jointly test Sun’s verifier technology, which is the core security enforcement component of its Java SE software. The goal is to try and find — and fix — any holes that might exist in the Java Verifier before Java SE 6 ships, said Rich Sands, community marketing manager for Java SE at Sun.

“With Java SE 6, we are replacing the old verifier technology, which has been in place for the last 10 years, with a new implementation that runs much faster,” Sands said. “We are really hoping that the community will take a good look at this technology. As much as we are confident that we have a strong implementation, we do want the community to take another look.”

According to Sun, the new Java verifier technology checks data-access routes to ensure application safety and to prevent untrusted code from infiltrating before a Java application is run by the Java Virtual Machine. The newer implementation of the verifier technology is faster and smaller than the old verifier, but is based on an entirely new verification approach.

“The classfile verifier is the very heart of the whole Java sandbox model, so replacing both the implementation and the basic verification model is a really big deal,” said Graham Hamilton, vice president and a fellow in Sun’s Java platform team in a blog posted on “The new verifier is faster and smaller than the classic verifier, but at the same time, it doesn’t have the 10 years of reassuring shakedown history that we have with the classic verifier.”

With Sun allowing developers to take a crack at the technology, its Java community for the first time will have the opportunity to contribute to the security of a core Java component in a major way, Sands said.

Java developers can download the source code for the new verifier from Sun’s Project Mustang source download site and have until Jan 31 to test the software, Sands said.

