


by Paul Kerstein

Sun to Put Java Security Upgrade to the Test

Oct 31, 2005

Sun Microsystems is seeking to revamp the way in which security is executed in Java and wants developers to try to break the new paradigm to gauge its effectiveness.

An initiative called “Crack the Verifier!” invites developers to participate in testing the technology, which is planned for inclusion in Java Platform, Standard Edition (SE) 6 next summer. Subsequently, it will be included in the enterprise edition of Java.

“We’re updating the core security model and we’re inviting the developer community to attack the new model,” said Graham Hamilton, vice president and fellow in the Java platform team at Sun.

A new Java verifier, called a type-checking verifier, will replace the existing verifier utilized in the sandbox security model. The newer implementation is substantially faster and smaller, and offers a significant performance advantage, the company said. The current verifier has been in use for 10 years.

“We have a new technology that is substantially faster and smaller, but we don’t have much experience with it,” Hamilton said. “We’re replacing the most security-critical code in the Java system.”

The verifier checks data access routes to ensure application safety and prevent untrusted code from infiltrating before a Java application is run by a Java Virtual Machine, Sun said. “With Java, you can download an untrusted applet, run it in the browser, and still feel safe,” because of the sandbox model, said Hamilton.

Featuring a new algorithm, the upgraded verifier is based on a project in the research community. It is accessible to developers via the Sun Java Research License.

“It’s one thing to look at the source code and find bugs and fix bugs and create new implementations, but this is a different way for the community to get involved so they can look at the code and actually contribute to the overall security of the Java ecosystem by working on this problem,” said Rich Sands, community marketing manager for Java SE marketing at Sun.

If anyone is able to crack the new verifier, that person will be brought onstage at the JavaOne conference in San Francisco next May. “If we’re lucky, we won’t have a winner,” Hamilton said.

The security upgrade is subject to approval by the Java community at large via the Java Community Process. It is included as part of Java Specification Request 202, which entered a public comment phase on Friday, Oct. 28.

By Paul Krill – InfoWorld (US online)