July 23, 1997
By PETER WAYNER
Java Bug Patrol Tests Whether Anything Is Safe
A wise friend once told me that in Hollywood, all movie proposals fall into the pattern of "same but different." The sameness means it will sell, while the difference keeps it fresh. So, if I were to propose a blockbuster about how the major media companies like NBC or The New York Times were going to survive and prosper on the Web, I might pitch it as "like Jurassic Park, but with booze, sexy writers, blow dryers and late-night car chases in parking garages."
These techniques may not be perfect for comparing crisp apples, juicy oranges or succulent pomegranates, but they're the best that Hollywood has found. The same problem confronts the Java world as it begins to face the question of whether it can ever guarantee security.
The problem lies in something called the byte code verifier, the part of a Java implementation that checks out an applet downloaded off the Net to detect anything dangerous lurking within. The "byte code" consists of a set of exceedingly simple commands like "load the variable Bob's Salary" or "set Bob's Salary to zero."
Unfortunately, it's virtually impossible to determine whether these byte codes constitute a malicious program. They're very simple and anyone with a 2-year-old can tell you that even simple, seemingly innocuous steps can be combined in disastrous ways.
Kurt Goedel, the creator of what is known as the Goedel incompleteness theorem, exploded the boundaries of logical systems by demonstrating that any logical system must either be incomplete or inconsistent. He did this by constructing, inside a logical system, statements that the system itself could not consistently settle. Since programming languages like Java are logical systems, several computer scientists have applied the same basic idea to them. (The notion has also wiggled its way into the edges of popular culture. Thomas Pynchon refers to it in Gravity's Rainbow, and Douglas Hofstadter was the author of a popular exploration of the topic, Goedel, Escher and Bach.)
The logic snake unleashed by Goedel applies here: a logical system is either incomplete or inconsistent. The folks at Sun who developed Java are hoping that Java's logical system isn't "incomplete" and that erasing someone's hard drive isn't in the scope of the system. But there is no automatic way to check each program and guarantee its veracity. Other computer scientists who followed in Goedel's path extended the work to show this.
The byte code verifier tries the next best thing. It prevents incoming code from accessing the disk drive or memory directly. Any access must be done through Java's built-in mechanisms, which are, presumably, bullet-proof and tested. It also tries to anticipate when several steps can be combined in a nasty way.
At this moment, there are several different byte code verifiers out there. Both Sun and Microsoft have their own versions, which are incorporated into different pieces of software throughout the Net. They both try to balance the need to look for possibly felonious sequences of byte code with the need to get an applet up and running quickly.
Of course, selling bug-free software is now the '90's equivalent of selling the Brooklyn Bridge. It can't be done, but there are fairly interesting solutions. One of the best is emerging out of the lab of a University of Washington professor, Brian Bershad. He and his students have wired together the byte code verifiers from Netscape, Sun and Microsoft so all will check the same program.
Then they throw millions of randomly generated collections of Java byte code at the verifiers. In almost all cases, the three of them agree: The tested code comes out either safe or potentially malicious. But in a few cases, there are discrepancies: One will say that a sequence is dangerous, while another turns a blind eye to it. The team examines these cases and has found a few that are potentially dangerous enough to worry about. Microsoft, to its credit, has released a new version to plug the gap.
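As an added illustration, not code from the article or from Bershad's group, here is a toy Python model of both ideas above: a minimal straight-line byte code checker that tracks stack depth and which variables have been written (a "strict" mode and a "fast" mode that skips the uninitialized-variable check), and a harness that feeds the same random programs to both and records every disagreement. The opcodes, limits and the skipped check are constructed assumptions, not Java's real verifier rules.

```python
import random

MAX_STACK = 4      # constructed stack limit for the toy machine
NUM_LOCALS = 2     # constructed: two local slots (think "Bob's Salary")
OPS = ("push", "pop", "add", "load", "store")

def verify(program, check_init=True):
    """Abstract-interpret a straight-line program, tracking only stack depth
    and which locals have been written; True means the program is accepted.
    check_init=False models a 'fast' verifier that skips one check."""
    depth, initialized = 0, [False] * NUM_LOCALS
    for op, *args in program:
        if op in ("pop", "add", "store"):
            if depth < (2 if op == "add" else 1):
                return False          # stack underflow
            depth -= 1
            if op == "store":
                initialized[args[0]] = True
        else:                          # push or load
            if op == "load" and check_init and not initialized[args[0]]:
                return False          # reading a slot that was never written
            depth += 1
            if depth > MAX_STACK:
                return False          # stack overflow
    return True

def random_program(rng, length):
    # Build one random instruction sequence from a seeded RNG.
    prog = []
    for _ in range(length):
        op = rng.choice(OPS)
        if op == "push":
            prog.append((op, rng.randint(0, 9)))
        elif op in ("load", "store"):
            prog.append((op, rng.randrange(NUM_LOCALS)))
        else:
            prog.append((op,))
    return prog

def differential_test(trials=2000, seed=1997):
    """Feed identical random programs to both verifiers and collect every
    disagreement, the way the article describes comparing real verifiers."""
    rng, findings = random.Random(seed), []
    for _ in range(trials):
        prog = random_program(rng, rng.randint(1, 8))
        strict, fast = verify(prog), verify(prog, check_init=False)
        if strict != fast:
            findings.append((prog, strict, fast))
    return findings
```

Every disagreement the harness reports is a program the strict checker rejects and the fast one waves through, which is exactly the kind of gap the differential approach is meant to surface.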
This isn't an elegant or principled way to search for bugs, but it may be the best we have. The system of byte code may be just complicated enough to do interesting things, and there may be no logical method for analyzing it that finds every flaw. The problem is compounded because the browser companies are also competing to make their verifiers as fast -- and consequently as blithe -- as possible.
Does this mean that Java is doomed? Charles Fitzgerald, a member of the Microsoft Java team, offers very carefully chosen words. "Java is a great programming language, but it may never be as secure as Sun is promising." This may be true. Just as it is impossible to guarantee a hit in Hollywood, it is hard to guarantee that some incoming software is safe and bug free.
Of course there is a hidden agenda in Fitzgerald's criticism. Java threatens Microsoft's domination because it offers a way for people to get platform independence and flexibility without buying some software from Redmond, Wash. Microsoft's competing technology, ActiveX, is even more insecure. It lets incoming software have free access to both the hard drive and the memory, where it could overwrite anything it chooses. Instead, Microsoft just asks that the developers create a digital signature attesting that their code is OK.
While a signature may help you track down the jerk who trashed your hard drive, it won't guarantee a secure Web. The damage could easily have been the result of a mistake rather than a malicious piece of code. And bad programs with bugs are much more common than are viruses with vendettas.
Java, on the other hand, may never be perfectly secure until a perfect byte code verifier is found, but it can come quite close. At least Sun is trying with the help of folks from the University of Washington.
The world of Java may not be as perfect as it seems. There will never be a magic program that will be able to examine another program and bless it. But at least Java is trying to secure the Net. Time will tell whether Microsoft is the dinosaur in this world and whether it will find new life.
UNDERDEVELOPED is published weekly, on Wednesdays.
Peter Wayner welcomes your comments and suggestions.
Copyright 1997 The New York Times Company