Sun Microsystems is seeking to revamp the way in which security is executed in Java and wants developers to try to break the new paradigm to gauge its effectiveness.

An initiative called “Crack the Verifier!” invites developers to participate in testing the technology, which is planned for inclusion in Java Platform, Standard Edition (SE) 6 next summer. Subsequently, it will be included in the enterprise edition of Java.

“We’re updating the core security model and we’re inviting the developer community to attack the new model,” said Graham Hamilton, vice president and fellow in the Java platform team at Sun.

A new Java verifier, called a type-checking verifier, will replace the existing verifier utilized in the sandbox security model. The newer implementation is substantially faster, smaller, and offers a significant performance advantage, the company said. The current verifier has been in use for 10 years.

“We have a new technology that is substantially faster and smaller, but we don’t have much experience with it,” Hamilton said. “We’re replacing the most security-critical code in the Java system.”

The verifier checks data access routes to ensure application safety and prevent untrusted code from infiltrating before a Java application is run by a Java Virtual Machine, Sun said. “With Java, you can download an untrusted applet, run it in the browser, and still feel safe,” because of the sandbox model, said Hamilton.

Featuring a new algorithm, the upgraded verifier is based on a project in the research community. It is accessible to developers via the Sun Java Research License.

“It’s one thing to look at the source code and find bugs and fix bugs and create new implementations, but this is a different way for the community to get involved so they can look at the code and actually contribute to the overall security of the Java ecosystem by working on this problem,” said Rich Sands, community marketing manager for Java SE marketing at Sun.

If anyone is able to crack the new verifier, that person will be brought onstage at the JavaOne conference in San Francisco next May. “If we’re lucky, we won’t have a winner,” Hamilton said.

The security upgrade is subject to approval by the Java community at large via the Java Community Process. It is included as part of Java Specification Request 202, which entered a public comment phase on Friday, Oct. 28.

By Paul Krill – InfoWorld (US online)