Sun Microsystems is inviting its software developer community to try to find vulnerabilities in a security technology that it plans to integrate into its upcoming Java Platform Standard Edition 6 software, scheduled for release next summer.
The company on Monday launched an initiative called "Crack the Verifier," under which Java developers and Sun's own engineers will jointly test Sun's verifier technology, which is the core security enforcement component of its Java SE software. The goal is to try to find -- and fix -- any holes that might exist in the Java Verifier before Java SE 6 ships, said Rich Sands, community marketing manager for Java SE at Sun.
"With Java SE 6, we are replacing the old verifier technology, which has been in place for the last 10 years, with a new implementation that runs much faster," Sands said. "We are really hoping that the community will take a good look at this technology. As much as we are confident that we have a strong implementation, we do want the community to take another look."
According to Sun, the new Java verifier technology checks data-access routes to ensure application safety and to prevent untrusted code from infiltrating before a Java application is run by the Java Virtual Machine. The newer implementation of the verifier technology is faster and smaller than the old verifier, but is based on an entirely new verification approach.
"The classfile verifier is the very heart of the whole Java sandbox model, so replacing both the implementation and the basic verification model is a really big deal," said Graham Hamilton, vice president and a fellow in Sun's Java platform team, in a blog post on Java.net. "The new verifier is faster and smaller than the classic verifier, but at the same time, it doesn't have the 10 years of reassuring shakedown history that we have with the classic verifier."
With Sun allowing developers to take a crack at the technology, its Java community for the first time will have the opportunity to contribute to the security of a core Java component in a major way, Sands said.
Java developers can download the source code for the new verifier from Sun's Project Mustang source download site and have until Jan. 31 to test the software, Sands said.