Communications - November 2011

simple reason is that exceptions can be thrown, causing the execution thread to detour (and may never return). One remedy is to use clauses such as Try/ Finally to force a return. In more extreme cases—for example, when the actual physical machine runs out of memory—the behavior of the Java run-time system is undefined and certainly nowhere near being failsafe. These situations are further complicated by the fact that many key JVM functionalities, including some for security, are written in Java, so problems in one part of the system could easily impact the correctness of another part of the system. For all these design challenges and alternatives, please refer to the Java security book2 and latest Java documentation.

The remainder of this article addresses the challenges that were entirely unexpected for someone whose previous work experience was confined to the world of academia. Scientists and engineers are trained to tackle technical problems, but real-world projects—especially one with industry-wide impact such as Java—are equally social and political. In roughly 30 months of working on JDK, I attended around 1,000 meetings and took 300- plus pages of notes. One can easily forget the war-zone atmosphere back then, especially the Friday fire drills. Too often, (outside) security researchers would inform us of newly discovered security holes on Friday and give us until Monday at noon to figure out a patch and response, when they would inform The New York Times, Wall Street Journal, and other media. Sometimes leaks to journalists occurred right after we rolled out patches to Java licensees (including IBM, Microsoft, Netscape, and many others), and we could only guess which of them had the motivation to publicize the security holes before patches were put in place.

Then there was a whole assortment of other equally time- and energy-consuming distractions, such as U.S. export control regulations on basic cryptography (since relaxed), patents on RSA and public-key technologies (since expired), and issues such as code obfuscation, Java for e-commerce and smart cards, and JavaOS.

To make sure we were on the right
path, we invited a small number of
academic and industry experts (in-
cluding Jerome Saltzer of MIT and Mi-
chael Schroeder from DEC Systems Re-
search Center, authors of the original
principle of least privilege paper) and
convened a formal Java Security Advi-
sory Council, which provided regular
reviews and valuable feedback as the
rearchitecting progressed. We also re-
ceived great advice from many sources,
mainly academic researchers and in-
dustry partners—not all of which was
solicited or friendly. A few strong-head-
ed researchers wanted their alternative
designs incorporated into the Java plat-
form and threw various threats at us.

acknowledgments

I’d like to thank Jeannette Wing of Carnegie Mellon University, Jeremy Epstein and Peter Neumann of SRI International, and Ross Anderson and Robert Watson at the University of Cambridge for inviting me to give those retrospective talks on Java security. I am grateful to Robert Watson and Jim Maurer at ACM for encouraging me to write up the Cambridge talk for Communications, and to the thoughtful anonymous reviewers. I am, of course, deeply in debt to all the people who have cared for, helped with, and supported the Java security project.

Related articles on queue.acm.org

An Open Web Services Architecture

Stan Kleijnen, Srikanth Raju

http://queue.acm.org/detail.cfm?id=637961

how OSGi Changed My Life

Peter Kriens

http://queue.acm.org/detail.cfm?id=1348594

Untangling Enterprise Java

Chris Richardson

http://queue.acm.org/detail.cfm?id=1142045

References

1. gong, l. Java security: present and near future. IEEE Micro (may 1997), 14–19.

2. gong, l., ellison, g. and dageforde, m. Inside Java

2 Platform Security: Architecture, API Design and Implementation, second ed. addison-wesley, reading, Pa, 2003.

3. saltzer, J. h. and schroeder, m.d. the protection of information in computer systems. Commun. ACM 17, 7 (July 1974).

4. sirer, e. and bershad, b. testing Java Virtual machines. In Proceedings of the International Conference on Software Testing and Review (nov. 1999).

5. schneider, F.b. enforceable security policies. ACM Trans. Information and System Security (Feb. 2000), 30–50.

Li Gong is chairman and Ceo of mozilla online ltd.,
the beijing-based mozilla subsidiary. he was formerly
a distinguished engineer and the chief Java security
architect at the Javasoft division of sun microsystems.
two of his patents on Java security are among the seven
that were the focus of a lawsuit between oracle and
google over android in 2010.