Check out the new USENIX Web site. next up previous
Next: Legal Concerns Up: The Key to Pandora's Previous: Debugging Transformed Code



A natural reaction when presented with JOIE is to worry that it will break the security guarantees made by Java, e.g., the promise that imported code cannot gain unauthorized access to resources or memory. With respect to security, JOIE transformers are no more powerful than any imported code. Put another way, code produced by JOIE is as safe as code produced by an untrusted compiler. However, it is important to develop a rigorous understanding of the effect of transformers on security. For example, while class authors choose their compilers, they do not necessarily choose their transformers; a transformed digitally signed applet may not be as trustworthy as the original.

Java security is supported by two main pillars: the verifier and the SecurityManager. The Java verifier guarantees, among other things, that code is type-safe, and particularly that pointers cannot be created or manipulated. This prevents a malicious or buggy program from walking through memory and reading or writing where it normally would not have access.

The SecurityManager is a user-extensible class that is asked by library code at execution time whether specific classes have permission to access specific resources. For example, a program loaded over the Internet might not be permitted to read from the filesystem, but it could spawn a new thread.

Since transformations are applied before the code is verified, transformed code must still comply with the same type-safety restrictions as non-transformed code. The SecurityManager has the same ability to restrict transformed code's access to system resources as before.

There are also important security policy issues. For example, is it safe for classes to instantiate and register new transformations during the execution of the program? Can transformers be loaded and applied from over the network safely? Currently, JOIE's default policy is to disable registration of transformers as soon the first class is loaded, but this can be overridden by the user. There is also the question of how to determine the access permissions of a transformed class: can classes ever gain or lose permissions due to being transformed?

next up previous
Next: Legal Concerns Up: The Key to Pandora's Previous: Debugging Transformed Code

Geoff Alex Cohen
Tue Apr 28 14:31:49 EDT 1998