simple reason is that exceptions can be thrown, causing the execution thread to detour (and possibly never return to the point that made the call). One remedy is to use constructs such as try/finally so that cleanup code runs on every exit path, whether the call returns normally or unwinds through an exception. In more extreme cases, for example when the physical machine runs out of memory, the behavior of the Java run-time system is undefined and certainly nowhere near fail-safe. These situations are further complicated by the fact that many key JVM functionalities, including some for security, are written in Java, so a problem in one part of the system could easily impact the correctness of another part. For all these design challenges and alternatives, please refer to the Java security book [2] and the latest Java documentation.
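The detour problem above is easiest to see with a security-sensitive state change that must be undone. The following is an added example, not code from the article or from the JDK: the privilege flag, the class name PrivilegeGuardDemo and the methods readSecret, withPrivilegeUnsafe and withPrivilegeSafe are all illustrative stand-ins for the real stack-inspection machinery, chosen so the leak and its fix are visible in a dozen lines.

```java
// Added example (not from the original article or the JDK). A toy per-thread
// "elevated" flag stands in for real privilege state; the point is what happens
// to that state when the code between raising and dropping it throws.
public class PrivilegeGuardDemo {

    // Hypothetical privilege state. In the JDK the analogous state lives in the
    // stack-inspection machinery; this ThreadLocal is only an illustration.
    private static final ThreadLocal<Boolean> ELEVATED =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    static boolean isElevated() {
        return ELEVATED.get();
    }

    // Simulates a callee that may fail part-way through its work.
    static String readSecret(boolean fail) {
        if (fail) {
            throw new IllegalStateException("backing store unavailable");
        }
        return "s3cr3t";
    }

    // BROKEN: if readSecret throws, the statement that drops the privilege is
    // never reached, and whatever runs next on this thread is still elevated.
    static String withPrivilegeUnsafe(boolean fail) {
        ELEVATED.set(Boolean.TRUE);
        String s = readSecret(fail);
        ELEVATED.set(Boolean.FALSE);   // skipped when an exception detours here
        return s;
    }

    // FIXED: the finally block runs on every exit path, a normal return as well
    // as an exception thrown by a callee we never expected to fail.
    static String withPrivilegeSafe(boolean fail) {
        ELEVATED.set(Boolean.TRUE);
        try {
            return readSecret(fail);
        } finally {
            ELEVATED.set(Boolean.FALSE);
        }
    }

    public static void main(String[] args) {
        // The unsafe variant leaks the elevated state once an exception occurs.
        try {
            withPrivilegeUnsafe(true);
        } catch (IllegalStateException e) {
            System.out.println("unsafe: still elevated after exception? " + isElevated());
        }
        ELEVATED.set(Boolean.FALSE);   // reset so the second run starts clean

        // The safe variant restores the state even though the same exception occurred.
        try {
            withPrivilegeSafe(true);
        } catch (IllegalStateException e) {
            System.out.println("safe:   still elevated after exception? " + isElevated());
        }

        // And it still returns the value on the normal path.
        System.out.println("safe returns: " + withPrivilegeSafe(false)
                + ", elevated afterwards? " + isElevated());
    }
}
```

Compile and run with `javac PrivilegeGuardDemo.java && java PrivilegeGuardDemo`. Note the limit of the remedy, which is the second point the paragraph makes: finally protects against control flow detouring within a running JVM, not against the JVM itself halting or the machine exhausting memory, where no Java-level construct can guarantee that cleanup runs.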
The remainder of this article addresses the challenges that were entirely unexpected for someone whose
previous work experience was confined
to the world of academia. Scientists
and engineers are trained to tackle
technical problems, but real-world
projects—especially one with industry-wide impact such as Java—are equally
social and political. In roughly 30
months of working on JDK, I attended
around 1,000 meetings and took 300-plus pages of notes. One can easily
forget the war-zone atmosphere back
then, especially the Friday fire drills.
Too often, (outside) security researchers would inform us of newly discovered security holes on Friday and give
us until Monday at noon to figure out a
patch and response, when they would
inform The New York Times, Wall Street
Journal, and other media. Sometimes
leaks to journalists occurred right after
we rolled out patches to Java licensees
(including IBM, Microsoft, Netscape,
and many others), and we could only
guess which of them had the motivation to publicize the security holes before patches were put in place.
Then there was a whole assortment
of other equally time- and energy-consuming distractions, such as U.S.
export control regulations on basic
cryptography (since relaxed), patents
on RSA and public-key technologies
(since expired), and issues such as
code obfuscation, Java for e-commerce
and smart cards, and JavaOS.
To make sure we were on the right path, we invited a small number of academic and industry experts (including Jerome Saltzer of MIT and Michael Schroeder from DEC Systems Research Center, authors of the original principle of least privilege paper [3]) and convened a formal Java Security Advisory Council, which provided regular reviews and valuable feedback as the rearchitecting progressed. We also received great advice from many sources, mainly academic researchers and industry partners, not all of which was solicited or friendly. A few strong-headed researchers wanted their alternative designs incorporated into the Java platform and threw various threats at us.
Acknowledgments
I’d like to thank Jeannette Wing of
Carnegie Mellon University, Jeremy
Epstein and Peter Neumann of SRI
International, and Ross Anderson
and Robert Watson at the University
of Cambridge for inviting me to give
those retrospective talks on Java security. I am grateful to Robert Watson and
Jim Maurer at ACM for encouraging
me to write up the Cambridge talk for
Communications, and to the thoughtful
anonymous reviewers. I am, of course,
deeply in debt to all the people who
have cared for, helped with, and supported the Java security project.
Related articles
on queue.acm.org
An Open Web Services Architecture
Stan Kleijnen, Srikanth Raju
http://queue.acm.org/detail.cfm?id=637961
How OSGi Changed My Life
Peter Kriens
http://queue.acm.org/detail.cfm?id=1348594
Untangling Enterprise Java
Chris Richardson
http://queue.acm.org/detail.cfm?id=1142045
References
1. Gong, L. Java security: present and near future. IEEE Micro (May 1997), 14–19.
2. Gong, L., Ellison, G. and Dageforde, M. Inside Java 2 Platform Security: Architecture, API Design and Implementation, second ed. Addison-Wesley, Reading, PA, 2003.
3. Saltzer, J.H. and Schroeder, M.D. The protection of information in computer systems. Commun. ACM 17, 7 (July 1974).
4. Sirer, E. and Bershad, B. Testing Java Virtual Machines. In Proceedings of the International Conference on Software Testing and Review (Nov. 1999).
5. Schneider, F.B. Enforceable security policies. ACM Trans. Information and System Security (Feb. 2000), 30–50.
Li Gong is chairman and CEO of Mozilla Online Ltd., the Beijing-based Mozilla subsidiary. He was formerly a Distinguished Engineer and the chief Java security architect at the JavaSoft division of Sun Microsystems. Two of his patents on Java security are among the seven that were the focus of a lawsuit between Oracle and Google over Android in 2010.