IcedTeaWeb Roadmap

Mattias Eliasson mattis.eliasson at medsa.se
Sun Apr 21 09:47:23 UTC 2019


I've had the long-standing idea of using ASM to create a new Java sandbox. The idea is to verify and patch code before it runs. This idea is based on the design of NaCl. It would be totally independent of JVM security mechanisms and this seems like a case where it would be useful.

Potentially it can do a lot more, like easily extend secure API calls way beyond the current Applet standard as well as JVM virtualization. It would be cool if a bunch of applets and Java applications could run on a single JVM securely isolated from each other. For example, this could lead to the implementation of zero-copy IPC, as memory isolation would be implemented by verifying that the bytecode doesn't access objects outside of its virtual virtual machine; IPC could just be an exception to that.

As for AWT, the solution could be to write an abstraction layer that includes security and redirect AWT calls to it. Another option could be to write a secure replacement for AWT that makes better use of modern hardware acceleration and patch bytecode to use the new library. I know that this is sort of the realm of JavaFX, but it's neither secure, a replacement for AWT/Swing nor even very good at using modern GPUs.

On April 19, 2019 11:16:58 PM GMT+02:00, "Laurent Bourgès" <bourges.laurent at gmail.com> wrote:
>Phil,
>
>I found the mail I sent in February related to AWTSecurityManager removal:
>https://mail.openjdk.java.net/pipermail/distro-pkg-dev/2019-February/041034.html
>
>
>On Fri, Apr 19, 2019 at 20:28, Phil Race <philip.race at oracle.com> wrote:
>
>> I have no idea what those failures might be, as AppContext is JDK internal,
>> but there is a fix under review to continue towards complete removal of
>> AppContext
>> https://mail.openjdk.java.net/pipermail/awt-dev/2019-April/015143.html
>> If this is a legitimate problem for ITW you should chime in there.
>>
>
>I got the notification via the awt-dev list, but did not have a look at the
>webrev yet. However, if AppContext is going to be removed soon, I suspect it
>will get ITW into trouble.
>
>Maybe I should chime in, but Jiri or any other official maintainer should, as
>it would be more appropriate.
>
>AFAIK ITW uses several AppContexts and ITW helped to fix a longstanding
>issue about AWT SequencedEvent...
>
>Finally, more ITW members should listen about JDK internal changes and
>sometimes be involved in such bug reviews.
>
>Thanks Phil,
>Laurent
>
>
>> On 4/19/19 6:03 AM, Laurent Bourgès wrote:
>> > Hi,
>> >
>> > Thank you for the information and your efforts, it is very promising in
>> > the short term.
>> >
>> > I am looking forward to testing AdoptOpenJDK builds providing IcedTeaWeb
>> > to end users (win, mac, linux).
>> >
>> > FYI I tested ITW 1.8 with OpenJDK13 2 months ago and it fails due to
>> > recent changes in AWT (security & app context refactoring).
>> >
>> > I wonder if such OpenJDK refactorings will make it harder or
>> > impossible to maintain JavaWebStart outside of the JDK in the future.
>> > It would help to use continuous integration against latest OpenJDK
>> > builds to detect such incompatibilities.
>> >
>> > Cheers,
>> > Laurent
>>
>>