harmony-dev mailing list archives

From Bob <citi...@earthlink.net>
Subject Java Security for Harmony
Date Tue, 10 May 2005 01:49:57 GMT
Harmony sounds like a great and well-needed project.

While it's still in its initial stages, I would like to advocate for 
the importance of the Java 2 Security Model, and that it is implemented 
correctly.  Past free Javas have essentially ignored this aspect of 
Java.  However, the security model is precisely what makes Java more 
than simply a subset of C++ with a nice class library.  It is what 
allows Java to do NEW things that weren't already possible with the old 
tools we had, such as GCC.

Java security enables one to build applications that pass around 
untrusted and semi-trusted code and have complete control over how it 
is going to be run.  This is of growing importance in today's world of 
distributed computing and viruses.  If it is NOT implemented in any 
upcoming free Java systems, then Sun's Java will remain the only viable 
alternative for what could be the most exciting class of Java 

Implementation requires a "security stack", every layer of which must 
be gotten right:
  1. Language specification (public/private, pointer safety, etc)
  2. Bytecode verifier
  3. Correct implementation of classloader semantics (which can be 
  4. Correct implementation of the Java security model (described in Li 
Gong's book)
  5. Correct implementation of fine-grained permissions (which find 
themselves all over the Java library)

Sun's Java has probably gotten these things mostly right, although I've 
never seen a security audit, and "security by obscurity" is never to be 
trusted.  GCJ is fundamentally not appropriate for the implementation 
of Java security, due to its ahead-of-time machine code compilation 
model.  For this reason, I think that a new free JVM should take a 
separate path from GCJ (which has its place) and try to stick to Sun's 
bytecode/JIT model.  On desktop machines, at least, the two seem to run 
with comparable speed.

-- Bob Fischer
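Worked example of the capability Bob describes, running untrusted or semi-trusted code while the host application decides what it may do, added here as an illustration; it is not code from his message or from Harmony. It uses the real java.security APIs of the Java 2 security model (ProtectionDomain, AccessControlContext, AccessController.doPrivileged, SecurityManager); the class name SandboxDemo, the helpers restrictedDomain and runRestricted, and the grant-everything demo Policy are assumptions made for the example so that the contrast between sandboxed and unsandboxed calls is visible. It exercises layers 4 and 5 of the stack listed above and takes layers 1 through 3 for granted: a verifier or class-loader bug lets code out of its ProtectionDomain however correct the permission checks are.

```java
import java.io.File;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Added example, not code from the mailing-list message or from Harmony.
// An application runs "semi-trusted" code under a ProtectionDomain of its own
// choosing; the Java 2 stack-inspection check (AccessController.checkPermission)
// then decides what that code may do. Class, method and policy choices below are
// illustrative assumptions.
public class SandboxDemo {

    // A domain whose permissions are exactly the ones listed. The two-argument
    // ProtectionDomain constructor makes the permissions static: the installed
    // Policy is NOT consulted, so a generous policy file cannot widen them.
    static ProtectionDomain restrictedDomain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain(null, perms); // null CodeSource: no location, no signers
    }

    // Run 'action' so that every permission check inside it must be satisfied
    // both by the caller's own domain and by 'domain': the stack walk stops at
    // this doPrivileged frame and then consults the supplied context.
    static <T> T runRestricted(ProtectionDomain domain, PrivilegedAction<T> action) {
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { domain });
        return AccessController.doPrivileged(action, ctx);
    }

    public static void main(String[] args) {
        // Demo assumption: the application itself is fully trusted, so every
        // domain that consults the Policy is granted every permission. The
        // restricted domain above never asks the Policy.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Outside the sandbox the application may touch the file system.
        System.out.println("app code:  /etc/passwd exists = " + new File("/etc/passwd").exists());

        // The semi-trusted code may read one system property and nothing else.
        ProtectionDomain domain = restrictedDomain(new PropertyPermission("java.version", "read"));

        // Granted by the restricted domain (and by the trusted app domain): succeeds.
        String version = runRestricted(domain, () -> System.getProperty("java.version"));
        System.out.println("sandboxed: java.version = " + version);

        try {
            // File.exists() calls SecurityManager.checkRead, a FilePermission check
            // that the restricted domain does not satisfy, so the same call that
            // succeeded above is now refused.
            boolean exists = runRestricted(domain, () -> new File("/etc/passwd").exists());
            System.out.println("BUG: file access was not denied (exists=" + exists + ")");
        } catch (AccessControlException denied) {
            System.out.println("sandboxed: denied " + denied.getPermission());
        }
    }
}
```

Compile with javac and run with java -Djava.security.manager=allow SandboxDemo: the first line shows the unsandboxed file check going through, the second shows the permitted property read inside the sandbox, and the third shows the identical file check being refused once it runs under the restricted context. The SecurityManager this relies on was deprecated for removal in JDK 17 (JEP 411) and can no longer be enabled at all in JDK 24 (JEP 486), so the example documents the model as it existed when the message was written rather than a mechanism to build on today.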
