A Cornell computer scientist has just discovered that the Java computer language, designed to be safe, is not so safe after all, and now he is working to find a solution.
A few months ago Ross Tate, assistant professor of computer science, and Nada Amin, a doctoral assistant in the Programming Methods laboratory at the École polytechnique fédérale de Lausanne, Switzerland, found and reported a security problem in the widely used language. Tate has suggested solutions and is working with a team at Oracle Corp., which oversees Java, on revisions to the language.
“There’s a whole level of unpredictability that nobody knows about,” Tate said, “but hackers are very good at finding these things.”
Java is a “cross-platform” language. Programs written in Java can be run on Macs, PCs and other systems. It is widely used for programs that will be embedded in websites to download and run on the visitor’s computer. With that in mind, it was designed with safeguards to prevent dangerous behavior.
Java enforces security by requiring that all variables have a “type.” A variable labeled “string” must contain text, not a number or anything else. Without types a malicious program might, for example, turn a piece of text into an address in computer memory to bypass Java’s security system and manipulate the host computer.
“What is scary,” Tate said, “is that this bug has been sitting there for 12 years.” In 2004, Java introduced “wildcard” types, including a type “?” that represents anything unknown. Before that, Java had “null” values, indicating the absence of a value. Tate found that you could combine the two features to fabricate impossible and deceptive types.
“It’s like counterfeit money,” he explained. “It looks like money, but can you spend it?” Wildcards helped skilled programmers do useful things, but also made it possible to bypass typing safeguards.
The project at Oracle, Tate said, will be to change the Java language, but not the “Java Virtual Machine” that runs on users’ computers to execute programs. “The challenge is to fix this and not break what other people have done,” he said. Both wildcards and null pointers are widely used features, so the wrong change to those features could break millions of lines of Java code, he said. “Half of my role is to prevent bad ideas. The other half is how to make the good ideas happen.”
“This marks a new level of industry-academic partnership,” said Lillian Lee, professor of computer science, in announcing Tate’s new collaboration.
Tate’s work is supported primarily by the National Science Foundation. He and Amin will present their findings on the subject at the ACM SIGPLAN conference on Systems, Programming, Languages and Applications: Software for Humanity, Oct. 30-Nov. 4 in Amsterdam.