Java prescience?

In the mid-1990s, one of my stump speeches was about that newfangled language, Java. In these speeches, and in a related Scientific American article (November 1995, p 34, right near a photo of Sandra Bullock), I called Java a "virus implementation language".

A teacher of a graduate-level course complimented me on my foresight, and wondered about the extent of my prescience. Here's my answer:

The gist of my concerns was not the Java language as such. Nor was it the theorem provers for generating the right code. The last bit is more complicated than I like in security, but I was willing to stipulate that perhaps it all worked well enough.

I was concerned about the Java sandbox. In principle, it could be fine, but there were already strong indications that people were building unsafe environments. A key example were native methods, hunks of software outside the Java plan that gave direct access to the underlying machine, mostly for performance reasons. These broke the Java model, even if the prover stipulation was accepted.

I've also had a long-time aversion to traveling software: here, execute this please. Traveling programs are dangerous. The container must be bulletproof. The software must not be allowed to multiply.

The latter concern derived from early events in portable programs. DEC had PROBE.COM, a worm that took down the corporate DECnet for two days. Careful programming of the Morris worm still had a bug that caused high-speed exponential growth. (It was built to spread slowly.) General Magic commercialized a mail system based on portable programs, I suspect in part to ensure that return-receipt features were enforced. Their attempts required the creation of "teleclicks", sort of an execution limit for each program, similar in spirit to the TTL field in IP packets.

So the Java engine created a new space where new software creatures could live and execute. My concerns were (and are) wider, with any interpreted language suspect of having additional holes and weaknesses.

I still think a bulletproof container is possible, and there are ongoing attempts to create these, from Chrome to formally proven execution environments. (We used to call these "operating systems"; now they tend to be called browsers!)

I certainly had not envisioned return-oriented programming and the discovery and use of gadgets. Back in the mid-90s, I think I believed that execute-only memory was a useful solution. These attacks are a fantastic hack, and a major pain in the neck.

I am not sure that I view Java as "the single most significant avenue of compromise", though the recent problems support your thesis. Other contenders are - executable attachments (why should anything grandma clicks on be risky?) - phishing - Javascript vulnerabilities - PHP is a leading weakness in Unix/Linux servers

Finally, I think you may be giving me a bit too much credit. Practically every new technology on the Internet since its creation has been the source of security problems. One could grumble "bah, it's broken!" for just about anything out there, and the cynicism would be born out.