Sun to put Java security upgrade to the test

Sun Microsystems is seeking to revamp the way in which security is executed in Java and wants developers to try to break the new paradigm to gauge its effectiveness.

An initiative called “Crack the Verifier!”  invites developers to participate in testing the technology, which is planned for inclusion in Java Platform, Standard Edition (SE) 6 next summer. Subsequently, it will be included in the enterprise edition of Java.

“We’re updating the core security model and we’re inviting the developer community to attack the new model,” said Graham Hamilton, vice president and fellow in the Java platform team at Sun.

A new Java verifier, called a type-checking verifier, will replace the existing verifier utilized in the sandbox security model. The newer implementation is substantially faster, smaller, and offers a significant performance advantage, the company said. The current verifier has been in use for 10years.

“We have a new technology that is substantially faster and smaller, but we don’t have much experience with it,” Hamilton said. “We’re replacing the most security-critical code in the Java system.”

The verifier checks data access routes to ensure application safety and prevent entrusted code from infiltrating before a Java application is run by a Java Virtual Machine, Sun said. “With Java, you can download an untrusted applet, run it in the browser, and still feel safe,” because of the sandbox model, said Hamilton.

Featuring a new algorithm, the upgraded verifier is based on a project in the research community. It is accessible to developers via the Sun Java Research License.

“It’s one thing to look at the source code and find bugs and fix bugs and create new implementations, but this is a different way for the community to get involved so they can look at the code and actually contribute to the overall security of the Java ecosystem by working on this problem,” said Rich Sands, community marketing manager for Java SE marketing at Sun.

If anyone is able to crack the new verifier, that person will be brought onstage at the JavaOne conference in San Francisco next May. “If we’re lucky, we won’t have a winner,” Hamilton said.

The security upgrade is subject to approval by the Java community at large via the Java Community Process. It is included as part of Java Specification Request 202 , which entered a public comment phase on Friday, Oct. 28.