Sun to put Java security upgrade to the test

Sun Microsystems is seeking to revamp the way in which security is executed in Java and wants developers to try to break the new paradigm to gauge its effectiveness.

An initiative called Crack the Verifier! invites developers to participate in testing the technology, which is planned for inclusion in Java Platform, Standard Edition (SE) 6 next year. Subsequently, it will be included in the enterprise edition of Java.

"We are updating the core security model and we're inviting the developer community to attack the new model," vice-president and fellow in the Java platform team at Sun, Graham Hamilton, said.

A new Java verifier, called a type-checking verifier, will replace the existing verifier utilised in the sandbox security model. The newer implementation is substantially faster, smaller and offers a significant performance advantage, the company said. The current verifier has been in use for 10 years.

"We have a new technology that is substantially faster and smaller, but we don't have much experience with it," Hamilton said. "We're replacing the most security-critical code in the Java system."

The verifier checks data access routes to ensure application safety and prevent entrusted code from infiltrating before a Java application is run by a Java Virtual Machine, Sun said. "With Java, you can download an untrusted applet, run it in the browser, and still feel safe," because of the sandbox model, Hamilton said.

Featuring a new algorithm, the upgraded verifier is based on a project in the research community. It is accessible to developers via the Sun Java Research License.

"It's one thing to look at the source code and find bugs and fix bugs and create new implementations, but this is a different way for the community to get involved so they can look at the code and actually contribute to the overall security of the Java ecosystem by working on this problem," community marketing manager for Java SE marketing at Sun, Rich Sands, said.

If anyone is able to crack the new verifier, that person will be brought onstage at the JavaOne conference in San Francisco next May.

"If we're lucky, we won't have a winner," Hamilton said.

The security upgrade is subject to approval by the Java community at large via the Java Community Process. It is included as part of Java Specification Request 202, which entered a public comment phase on October 28.

More about: Paradigm, Sandbox Security, Sun Microsystems, VIA

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/19/avg-anti-virus-free-edition/

AVG Anti-Virus Free Edition

Note: This review covers version 8.5 of the software. This software is now in version 9.0. Antivirus program AVG 8.5 Free offers solid features and ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia