vices, but also specific enough to enable
programmers to build browser-centric
applications. I will return to these topics later.
Guess Who’s Coming to Dinner
The design aspiration is to ensure that Java code is executed as intended, without undesirable side effects. This goal has three components. The first is to ensure that only valid Java code is accepted; this is the topic of the current section. The second is to ensure that the intended behavior occurs as designed; this is usually taken care of by testing, is well understood, and is therefore not dealt with further here. The third is to prevent bad unintended behavior, such as access to critical data that should not have been allowed; this is dealt with later, in the section on the principle of least privilege.
Yet another, often implicit, requirement is that all the checks and balances must be done reasonably fast, meaning the system has performance characteristics comparable to those of a system with no security mechanism at all. The threat model here is focused primarily on untrusted code that might engage in malicious actions. The protection mechanism aims to stop those malicious behaviors; it also helps reduce the risk from benign coding mistakes, although it cannot be expected to protect against all faulty programming practices, such as building database queries from unvalidated input, which leads to SQL injection attacks.
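As an added illustration of the first component, accepting only valid Java code, the following program shows the bytecode verifier at work. It is an example written for this page, not code from the article; the names VerifierDemo, Victim, BytesLoader, readClassBytes, dropCheckcast and load are hypothetical. It reads the compiled bytes of a well-formed class, overwrites the checkcast instruction that javac emitted in front of a String method call with NOPs, and asks the JVM to link the patched copy. The unmodified bytes load and run; the patched bytes, which would let an arbitrary Object be treated as a String, are rejected with a VerifyError at link time, before a single instruction of the method executes. It assumes the file has been compiled with javac so that the .class file of the nested class is on the classpath.

```java
import java.io.InputStream;
import java.lang.reflect.Method;

// Hypothetical demo of the Java bytecode verifier (added example, not from the article).
public class VerifierDemo {

    // The "victim": ordinary, well-formed Java. For the cast javac emits
    //   aload_0; checkcast java/lang/String; invokevirtual java/lang/String.length()I; ireturn
    public static class Victim {
        public static int len(Object o) {
            return ((String) o).length();
        }
    }

    // Defines a class from raw bytes. The parent is the bootstrap loader, so java.lang.*
    // still resolves but Victim does not, and our bytes are the copy the JVM links and verifies.
    static final class BytesLoader extends ClassLoader {
        private final String name;
        private final byte[] bytes;

        BytesLoader(String name, byte[] bytes) {
            super(null);
            this.name = name;
            this.bytes = bytes;
        }

        @Override
        protected Class<?> findClass(String n) throws ClassNotFoundException {
            if (n.equals(name)) {
                return defineClass(n, bytes, 0, bytes.length);
            }
            throw new ClassNotFoundException(n);
        }
    }

    // Reads the compiled .class file of a class from the classpath.
    static byte[] readClassBytes(Class<?> c) throws Exception {
        String res = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(res)) {
            if (in == null) {
                throw new IllegalStateException("class file not on classpath: " + res);
            }
            return in.readAllBytes();
        }
    }

    // Replaces the first "checkcast #idx; invokevirtual" pair (0xC0 hi lo 0xB6) with three NOPs.
    // The code length is unchanged, so every other offset in the method stays valid and the
    // only thing lost is the runtime type check. The class file is otherwise well formed.
    static byte[] dropCheckcast(byte[] cls) {
        byte[] out = cls.clone();
        for (int i = 0; i + 3 < out.length; i++) {
            if ((out[i] & 0xFF) == 0xC0 && (out[i + 3] & 0xFF) == 0xB6) {
                out[i] = out[i + 1] = out[i + 2] = 0x00;
                return out;
            }
        }
        throw new IllegalStateException("checkcast/invokevirtual pattern not found");
    }

    // Links and initializes the class from the given bytes, then calls Victim.len("abc").
    // Class.forName with initialize=true forces linking, which is where verification happens.
    static String load(byte[] bytes) {
        String name = Victim.class.getName();
        try {
            Class<?> c = Class.forName(name, true, new BytesLoader(name, bytes));
            Method m = c.getMethod("len", Object.class);
            return "accepted, len(\"abc\") = " + m.invoke(null, "abc");
        } catch (VerifyError e) {
            return "rejected by verifier: " + e.getMessage();
        } catch (Throwable t) {
            return "other failure: " + t;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] original = readClassBytes(Victim.class);
        System.out.println("unmodified: " + load(original));
        System.out.println("patched:    " + load(dropCheckcast(original)));
    }
}
```

Compile and run it with javac VerifierDemo.java followed by java VerifierDemo; the single-file source launcher (java VerifierDemo.java) keeps the compiled classes in memory, so the resource lookup in readClassBytes would fail. The run makes the scope of this first component concrete: the verifier enforces the type safety of the bytecode, so the patched class can never call String.length on an arbitrary Object, but it accepts the unmodified class on exactly the same terms whether or not its logic is sound. A method that assembles an SQL query from unvalidated input verifies just as cleanly, which is why the threat model above places such mistakes outside what the mechanism is expected to catch.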