The distinction between a buggy application, and a malicious application that "asks really nicely" to run as system, is moot. The malicious programmer will purposefully use buggy methods to get the jvm to run at system, exactly because he can then drop shit anywhere he wants. Qed.
Wrong kind of buggy. If you give the installer admin rights, and it installs a program that runs at admin level, that is buggy (perhaps I should have used "improper"?) behavior, but it's neither malicious nor caused by Java. I think we can agree that by granting a program admin rights (either directly or indirectly) it's not obtained improperly. As you said yourself, "This might have been because it needed to be installed as an actual admin, and the system automatically gave it admin privs." Couldn't have said it better myself. The JVM doesn't give Java programs any way to escalate at all without calling C code through JNI or the like, so it's impossible to have malicious Java programs use buggy behavior to escalate. QED. (Of course, malicious Java programs could use some other bug in the JVM to run shellcode or something of that nature, but that's a completely different issue. The target of the attack would be libc, using the JVM as a vector to attack it. In this scenario, though, the program ran at SYSTEM level already, so there were no exploits or buggy behavior in the JVM involved, just an application that required admin rights, probably without needing them as was far too common up until recently, and still is to a degree.)
I want the jvm to have a restriction that says it can NEVER be invoked above a limited super user I define.
I'd say it's possible you might be able to deny the SYSTEM user execute permissions (don't quote me on this, I'm more of a FreeBSD/Linux guy), but again, why should Java be any different in this respect than any other program?
As for the silent invokation, I again refer you to buggy browsers.
Yet again, you're conflating things. The browser plug-in that runs applets is not the same as the JVM. It's part of the JRE, but it's not part of the JVM. The only relation the two of them have is that the browser plug-in uses the JVM to run Java applets in a sandboxed environment. I agree that it should be always prompt (although browser-wide click-to-play is a much cleaner solution IMO), but IIRC it will run signed applets without prompting unless they require special things (FS access may be among them, I don't recall). Personally, I believe the browser plug-in should be opt-in in the first place, but I doubt we'll see that happen.
As for the visualvm listed above, does that come stock? I doubt it does...
It's part of the stock JDK, as it really is a tool made for developers (the JRE isn't targeted at people who want to inspect all of the inner workings of the JVM).
When I checked the task manager, the jvm was running at a higher authority level than my user.
Then either 1) something got buggered with your JVM or 2) the application explicitly elevated itself somehow (a la UAC today). The JVM does not run as SYSTEM unless it is invoked by SYSTEM. Sounds like a buggy application.
The fact that I can't get a list of what is running insde in a painless fashion
Repeat after me: one JVM instance can only run one program. One process = one program. Just like anything else... If you have one java.exe running, you have one Java program running.
and can't give a global restriction on what the jre and jvm can touch
Use the same filesystem permissions that apply to every single other program ever made. Why is Java special? Again, if it's running as SYSTEM, you have a buggy program. Lots of programs required admin on XP, but no one blamed XP, they blamed the buggy programs. Same goes for Java.
The day that Oracle comes out and says "we obey local security
Done.
and have global options you can enforce
What sort of options? Concrete definitions please.
along with a way to see what the VM is running
Addressed above.
as well as an option to forbid silent invokations
I sure as hell don't want my server to require a GUI to run servers written in Java. This is another one of those "why is Java special?" things. Lots of programs run silently. Keep control of your machine and check running processes occasionally, and this won't be a problem. If someone is able to start Java running a malicious program, they could easily just install Java anyway, or do any number of nasty things. JVM instances don't magically spin themselves up; they start when a Java program is started.
I don't feel it is trustworthy to leave a VM running all the time
It's really not a general-purpose VM like Linux, Windows, or $YOUR_OS_HERE on VMware, VirtualBox, Xen, or $YOUR_HYPERVISOR_HERE. It doesn't run an OS, just the one Java program it's given. One JVM instance only runs one program. Hell, the JVM works without any sort of kernel-level support, whereas everything moderately efficient requires kernel-level drivers to work properly. (Vanilla QEMU has no kernel-level drivers, but was so slow that KQEMU was developed, and QEMU was later tied with KVM to make it more efficient.)
Of course, that's not even getting into the fact that it's a very common practice to leave VMs running all the time, especially in datacenters. Many people leave Amazon EC2 instances running, I'd imagine almost everyone with a VPS keeps it running constantly, etc. This still has nothing to do with the JVM, because they are completely different concepts, though.
Also, would you be okay with running Java programs compiled to native code with something like GCJ? It doesn't use the satanic JVM, but that won't really change too much (except possibly give you better performance, depends on how well GCJ optimizes and how well HotSpot optimizes).
I have actually seen java applications access areas they aren't supposed to have access to.
As measured by? Hell, define "area." Are you talking across the network, or locally? If you're across the network, how do you know it was Java and not something else on that box? In either case, how do you know it wasn't malware that slipped in somewhere? This sounds like unsubstantiated paranoia.
That the VM doesn't provide me with good tools to see what really is running inside it...
...and kill naghty processes
Again, I'm pretty sure you're confused about how the JVM works. Each Java program running has a separate instance of the JVM (java or java.exe). If you can't find and kill the process that's out of control, you are doing something horribly, horribly wrong. To summarize, if you don't like Java, fine. (I know I'm not a huge fan of Java on the desktop, and certainly not in browsers...) But you seem to have deeply flawed views on how everything works.
I'm not that concerned with Karma, I post when I think I have something to add
How does the equivalent of "mod parent up" add to the discussion? The parent is at +5, but I doubt people just blindly follow what some random person says it should be modded to.
If a subordinate asks you a pertinent question, look at him as if he had lost his senses. When he looks down, paraphrase the question back at him.