Forgot your password?
typodupeerror
Java Programming Security

Comparison of Java and .NET security 461

Posted by Zonk
from the one-likes-coffee-the-other-not dept.
prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
This discussion has been archived. No new comments can be posted.

Comparison of Java and .NET security

Comments Filter:
  • Except... (Score:4, Funny)

    by Anonymous Coward on Saturday August 27, 2005 @04:54AM (#13414191)
    Except it run on Windows.
    D'OH!
  • by TheShadowHawk (789754) on Saturday August 27, 2005 @04:58AM (#13414205) Homepage

    Since starting in my new job, I had to switch from Java to .Net... so this is a little bit of good news. I guess....

    I still miss the Eclipse IDE though... Visual Studio blows chunks in comparison. :(

  • Difference in ages (Score:4, Interesting)

    by Anonymous Coward on Saturday August 27, 2005 @05:00AM (#13414209)
    In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.
    • by Three Headed Man (765841) <dieter_chen@[ ]oo.com ['yah' in gap]> on Saturday August 27, 2005 @05:05AM (#13414219)
      Do you really think that age has anything to do with current vulnerabilities, or does security stem from good design, rather than patches?
      • by eCecuguru (910634)
        I agree with you, but also think the anoncow is right. The chart is misleading, indicating that java has oh so many cumulative holes. If we looked at Apache like that, it would be less secure than IIS. Also, was this strictly applets? Or was it all things ever written in Java? That's a lot of variations, platforms, etc, which although the fact that a java app will run differently on my mac versus my windows box is itself potentially unsecure, the fact that it has that capability beats the current funct
        • by boa13 (548222) on Saturday August 27, 2005 @05:31AM (#13414282) Homepage Journal
          That's a lot of variations, platforms, etc,

          Actually, 10 of the 45 vulnerabilities that the authors chose to use in the chart were (or are?) in Microsoft JVM.

          I think including them in the chart is misleading at best.
      • by kbw (524341)
        Performance over time is a measure of success. And so .NET's performance over 9 years would be a fair comparison.

        Over the years I've seen many remarkable architectural designs, including the Windows NT Security Model (back when NT meant New Technology), which were thought to be ideal. 11 years on, no one could seriously claim that the Windows security model is ideal.
  • PDF text (Score:5, Informative)

    by Anonymous Coward on Saturday August 27, 2005 @05:09AM (#13414230)
  • by Mensa Babe (675349) on Saturday August 27, 2005 @05:10AM (#13414233) Homepage Journal
    It's not truly cross-platform so it's out of question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and port them to Linux I won't touch it with a ten foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.
    • by dotslashdot (694478) on Saturday August 27, 2005 @05:23AM (#13414268)
      Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds operations and make it difficult for others to figure out just what the hell is going on. C++ sucks for that very reason when it comes to a production environment. These are only useful in useless settings like school or maybe a Mensa meeting. Have you heard of Mensa? You should join. Especially because you are so subtle and humble about it. :)
      • by shutdown -p now (807394) on Saturday August 27, 2005 @07:05AM (#13414488) Journal
        Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds operations and make it difficult for others to figure out just what the hell is going on.
        Well maybe the developers should learn more about operator overloading and multiple inheritance, like, how to use them properly, instead of whining endlessly about how "C++ sucks for that very reason"? You know, start with some decent programming language like Eiffel, which was designed from grounds-up to handle both these cases very nicely. See how MI is used there, why is it used, and what it can do in skilled hands that SI+interfaces can't. Then maybe you will be able to learn to comprehend the power Lisp macros give to the programmer (I'm half-expecting someone to shout "but macros are evil because they can be abused, that's why C sucks!").

        Speaking of abuse, pretty much every language can be abused to no end. Java is no exception. It won't stop you from making public fields, for example, which is generally considered a bad thing to do. Nor will it limit write access to them from outside the class (in contrast to Eiffel, where public fields are read-only from outside). The whole type system is a big mess as well (int vs Integer, anyone? and now with autoboxing?).

      • C++ sucks for that very reason
        No, developers who abuse these features suck.
    • by rjshields (719665) on Saturday August 27, 2005 @07:34AM (#13414548)
      If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing
      Multiple inheritance is best avoided for clarity (multiple interface inheritance is OK). Operator overloading is rarely useful and often abused. Java is a strongly typed language and this is not going to change ("dynamical typing" doesn't mean anything by the way).

      Some of these points are misinformed and you missed out the things that bug people most about Java, the lack of deterministic finalisation and direct memory control, so it looks like your intellect is not superior after all. People who really do have superior intellect do not need to boast about it, it shows through in the things they do and say.
  • by Anonymous Coward on Saturday August 27, 2005 @05:18AM (#13414248)
    C is portable, fast, very complex and since 35+ years the leading standard for professional OS and APP development.

    C is so successful that C++ had to be invented to get more people into OO style C programming. C++ was designed as an syntax aid for people who lacked the skill writing OO in C by disciplined use of structs and func pointers.

    C is obviously too complex for the average CS student who crouch from one alternative to the next.

    Java? .NET??? ...amusing.
    • You are trying to be funny, but I'll bite. .NET and Java are clearly a much cleaner subset of C++, with many runtime features. Both are designed to do away with many legacy programming features (like pointer arithmetic). These features will only take your eye off your original target (for a small speed advantage, granted).

      These languages are less error prone and easier to debug. Therefore, they are the tool of choice for someone to create a program within a certain timeframe, a program which sources that ca
  • by vdex42 (858798) on Saturday August 27, 2005 @05:18AM (#13414250)
    Well ignoring the fact that Microsoft is mean to be 'teh evil' and looking purely at the framework that their engineers have produced I have found very little to criticize.

    It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
    * Easier exception handling.
    * Transparency with the whole string class/primitive issue.
    * Really easy to create and catch events.

    The Visual studio IDE however! Piece of HTML mangling non XHTM compliant &*$£

    • 2 more months and we should have VS2005, the devs promised it wouldn't touch code and would produce valid xhtml.

      If it does, that's a good (although somewhat late) improvement (which should've been a free upgrade, since I consider the absence of that 'feature' a bug).
    • Add to that that you basically have half the classes sitting with a thin layer on a 20 year old api designed with no security at all in the mind of the developers and some stuff basicall moved 1:1 over.... .Net can have lots of security features as long as you can pump a string directly into win32 in half of the classes, which triggers a buffer overflow everything is null and void in this article.
      • The whole point of a a virtual machine is to sandbox your code. So it doesn't matter how un-secure the layer is that is running it. The only way to get out of the virtual machine and buffer overflow the real PC would be to first buffer overflow your virtual machine, or find some other type of vulnerability in the VM first. Which as this article points out is pretty solid.
      • by zootm (850416) on Saturday August 27, 2005 @06:51AM (#13414454)

        Net can have lots of security features as long as you can pump a string directly into win32 in half of the classes, which triggers a buffer overflow everything is null and void in this article.

        You can't do that unless you're P/Invoking worse code, or running in the unsafe mode, both of which are similar to running a JNI interface with which you could do the same thing

        The CLI system is sandboxed, the underlying API is hidden and — in general, unless there's a problem with the implementation of the system — its shortcomings are essentially hidden.

        • But it is almost a given that in any large application someone somewhere dipped into the PInvoke toolbox to get something done. I haven't seen many .NET GUI apps of any large size that don't dip into PInvoke. Usually it was because the developers were familiar with the older Win32 API and didn't feel like doing things right, but still. You don't really see that in Java nearly as often. I have used JNI code a handful of times in 3 or 4 years of Java development and it is almost encouraged my Microsoft to PIn
      • Among other things, .NET security model allows you to forbid the execution of "unsafe" code assemblies - which includes all those trying to do P/Invoke calls to underlying OS API.
    • Easier exception handling.

      Now, I'll grant it's easier (since you don't have to!), but in systems where reliability is a requirement the lack of checked exceptions can be a bit of a hassle, too easy to overlook and requiring good documentation (which, on the other hand, is a good thing).

      Transparency with the whole string class/primitive issue.

      Java does have autoboxing as of 5.0, but I know that's not really what you're on about. Being able to switch on strings and so on is handy though. Their special

  • Totally bogus (Score:4, Interesting)

    by Anonymous Coward on Saturday August 27, 2005 @05:19AM (#13414253)
    Security in Java is multi layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security.
    Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
    Saying that .NET is more secure is just about the stupidest thing someone can say... Its like saying Windows is more secure than Linux since its newer than UNIX and Linux is based on UNIX.
    • They don't say that security is better in .net than in Java.
      They say that the .net security model is better. If you don't use it, or don't use it correctly, or even if it is implemented badly, then actual security might be worse, but the potential is there to be better. /RS
    • Re:Totally bogus (Score:3, Insightful)

      by tommck (69750)
      I wonder why all these MSFT bashers keep coming in as Anonymous.... .NET managed code is NOT rare. People who write .NET code interfacing with unmanaged code are usually porting existing applications.

      Comparing this security to a native Java app is like comparing a Java app with JNI calls to an exiting C or C++ app. The code is only as secure as the other code it is trusting.

      Apples and Oranges

      P.S. Your last analogy makes no sense whatsoever
  • Source code access (Score:5, Insightful)

    by boa13 (548222) on Saturday August 27, 2005 @05:20AM (#13414258) Homepage Journal
    First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take in account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.

    Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.

    So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.

    Now, question is, why are there no vulnerabilities discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.

    However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.

    So, availability of source code might be enough to generate two or three vulnerability discoveries per year.

    Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent they money where it matters most in the long run.
    • by Johnno74 (252399) on Saturday August 27, 2005 @06:02AM (#13414348)
      Most of the source code for .Net is available here [microsoft.com] - Its called "rotor" and is Microsoft's open source implementation of .Net. It doesn't cover the complete framework, but it includes the runtime, C# compiler, and the parts of the framework that were submitted to ECMA.

      Anyone is free to download, modify and distribute rotor, it compiles on OSX and BSD. I believe someone has modified it to compile and run on Linux. Unfortunately the license prohibits commercial use...

      The major differences between Rotor and the full framework are a simplified garbage collector, and a simplified JIT compiler. Microsoft aren't saying how much of the framework code is shared between Rotor and the full version, but I've been told by people with access to the source that the answer is "pretty much all of it"
      • by fcgreg (670777)
        Please spare us the repetition of this specious argument. Since you cannot even tell us with any degree of certainty how much of Rotor is used in .NET, nor which parts of the framework, we can't even have a discussion about it in this context.

        Oh wait... you have it on good authority from an unnamed source that MS uses "pretty much all of it". Hardly a good basis for discussion.

        Sorry.
    • The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.

      Here's the Rotor source code [microsoft.com] from MS. Feel free to pore over it looking for vulnerabilities.

      True, it's not the exact same source code that's in the downloadable .NET runtime, and it's missing a lot of the libraries that make .NET what it is. However, it does implement som
  • Age vs Usage (Score:2, Interesting)

    by ErrorBase (692520)
    I've seen the crossplatform remarks already, but no one asked the question yet about how widespread implementations are. I currently see much more .Net implementations in Intranet environments, and java when the client is less known. my guess is that those more local implementations are much less scrutinized. opposed to the much more open and directly accesible implementations in java.
  • hardly objective (Score:4, Insightful)

    by jilles (20976) on Saturday August 27, 2005 @05:31AM (#13414281) Homepage
    Im not going to read the article but the reasons stated in the summary suggests a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the ms blog is suspicious and the scientific study might actually be quite good (I wouldnt criticize it without reading it first).

    Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and .Net come with very similar security features. Both have finegrained role based security features. Id say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an oss pgp implementation recently that plugs into the default Java security api. .Net on the other hand has some nice language features like attributes. Java has null securitymanagers; .net has unmanaged code.

    Javas security features are designed through the JCP process in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by SUN. Overall I trust this process more than I trust the microsoft process which when it comes to security has received a lot of criticism over the past few years.
    • "The most widely publicized security issue in .NET was W32.Donut, a virus that took control of the excecutable before the .NET runtime had control. Since the vulnerability occurs before the .NET runtime takes control, we consider this a problem with the way the operating system transfers control to .NET, not with the .NET platform"

      Isn't the whole point with a VM that the executable will never be directly exposed to system resources? Why doesn't the same thing happen to JVM? As far as I can see, this revea

  • Java has run everything a sandbox from version 1.0. I wonder how they twist this into a claim that it had no security.
  • by JeremyALogan (622913) on Saturday August 27, 2005 @05:49AM (#13414318) Homepage
    Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).

    However, this study is flawed. .Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far supperior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?
    • by iapetus (24050) on Saturday August 27, 2005 @06:27AM (#13414395) Homepage
      Why is it wrong to compare them as pure equals? Speaking as someone wanting to implement a solution today, using today's technology, I want to know which one is better for my needs now. I'm not going to say "Well, Java sucks, but for the time it was great, so I'll use that instead of something that meets my requirements right now."
      • by boa13 (548222) on Saturday August 27, 2005 @06:47AM (#13414438) Homepage Journal
        I want to know which one is better for my needs now.

        And this is why the comparison is wrong. It does not compare them "now", it compares them "overall". Do you care about ten-years-old flaws that were quickly fixed and have not bothered anyone since then? I think not. Do you care about flaws in a special vendor version that no sane person uses now? I think not. Would you be interested in knowing that the above-mentioned flaws were created by the very vendor the proprietary technology of whom you are trying to evaluate? I think you should.

        What should interest you is how many security issues are found per year. The article lets you learn that (even though it doesn't explicitly do the math for you). What should also interest you is how the Java community and Sun reacted to the flaws, how fast and how well they were fixed. The article is tight-lipped about that.

        Actually, since no flaws have been found for .Net, there is no way to know how Microsoft will react in such a case. Past reactions should at the very least have you worried.

        (And actually, there have been flaws, but the authors of the study chose to ignore them, see appendix A for why. Unfortunately, there's no appendix B for how they chose the Java flaws.)
  • by freeplatypus (846535) <freeplatypus@NoSpAm.gmail.com> on Saturday August 27, 2005 @06:00AM (#13414341)
    .NET
    price: free, You only need to have Windows 2003 Business Server for serious work
    secure: rtfa in few years to make sure
    portable: it runs on many systems, like Windows and ... Windows ... but not all of them.
    speed: well actually speedy on Windows machine
    IDE: brilliant Visual Studio, unfortunatelly no plugins

    Java
    price: free, well it is free
    secure: most likely as secure as Your application
    portable: well actually, even my SonyEricsson cell runs it :)
    speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
    IDE: Eclipse and/or Netbeans ROCKS!

    This reply seems biased, but well, almost every opinion will be biased.
  • by Anonymous Coward
    As a side note NASA World Wind uses .NET:

    http://worldwind.arc.nasa.gov/ [nasa.gov]

    It's similar to Google Earth, except that its 180MB and once you download it it tells you you need to upgrade your version of .NET, and another dialog pops up saying Direct X needs to be upgraded too. At this point, I decided not to continue. I don't fancy reading one of MS's EULAs, don't care to download one of their hulking tarballs, don't want Direct X changed in case it breaks something.

    Piece of shit Nasa, .NET is just a wrapper for
  • by iksrazal_br (614172) on Saturday August 27, 2005 @06:32AM (#13414406) Homepage
    I think this article overlooks the fact that many 'free as in speech' third party security libraries and frameworks are available for java.

    1) ACEGI - Aspect-orientaded-programming using a dependency injection model to replace or complement JAAS for authentication and authorization in an Application server independant way. A subproject of the Spring framework:

    http://acegisecurity.sourceforge.net/docbook/acegi .html/ [sourceforge.net]

    2) XML Encryption and XML Digital Signatures. Used in Web Service security or independently.

    http://xml.apache.org/security/ [apache.org]

    http://ws.apache.org/wss4j/ [apache.org]

    3) Container managed security implemented in every servlet container on the market, including tomcat.

    In short, I'd like to see a comparison of the features and availablity of what people actually use in their applications, rather than an entirely fudgable comparison of reported/unreported security flaws.

    "None are more hopelessly enslaved than those who falsely believe they are free. -- Goethe"

    iksrazal

  • Whatever that would be. Use an operating system that gives you memory protection, and even better: capabilities (rights to read/write files and other things), and you can run ANY program, written in ANY language, without the programs even being ABLE to do any harm.

    Oh, that would be too much of progress, wouldn't it?
  • Heh! (Score:5, Insightful)

    by miffo.swe (547642) <daniel.hedblom @ g m a i l .com> on Saturday August 27, 2005 @06:37AM (#13414419) Homepage Journal
    The gall to put into account vulnerabilitys from Microsofts own JWM in a comparison to Microsofts .Net is astonoshing. What a way to belittle your competitor, make crappy implementation of their product and call them unsecure.

    I lack words.
    • Re:Heh! (Score:3, Insightful)

      by cpu_fusion (705735)
      I completely agree. This single point alone screams, "ignore this study! it's biased!"

      Either the people writing the study are purposefully distorting their own data, or they are idiots, or both.

      Expect more acts of desperation from Microsoft marketing as Java continues to dominate the enterprise server space.
  • by tod_miller (792541) on Saturday August 27, 2005 @07:30AM (#13414543) Journal
    Wow, look at their nice graph will you. Their first graph shows 'vunerabilities found' in Java VM's... nothing mentioned about patches... and 0 in .net...

    Now look at this: In this paper we explore the more optimistic hypothesis that .NET's design is fundamentally more secure than Java's

    So they have a bent from the start to discredit Java. Onto my point:

    Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VM's, all of which are bunged in here. These 'vunerabilities' are not even reflections on the fundemental paradigm of the Java security model.

    This article is FUD, and bad FUD to counter Goslings stand against the 'untrusted code' model of the .Net.

    No, quoting JNI is not relevant in that argument because JNI still works within the seucrity model, yet it allows native code to be interfaced with, that is a seperate issue, and akin to making a network call, and running code on another server.

    They then mark up 9 security vunerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).

    There are many possible explanations for the .NET platform's apparent lack of security vulnerabilities.
    One possibility is that .NET is a less desirable platform for attackers to compromise than Java so it has
    not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the .NET
    framework is now provided as a Windows update. Since Windows has over 90% of the desktop market
    with a large number of machines using .NET, the .NET platform presents an attractive target.


    Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.

    From the available information, the one implementation that did have many of its own
    unique vulnerabilities was Microsoft's Java implementation,


    They even try and discredit sources that go against their ideas. 'from the available information' or is the a way of saying 'this might be worse than we imply'.

    I didn't want to dig deeper, I found the single statement copied into a marketting guys website (fuck the word blog) rather twatish of the guy.

    This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propoganda into the media].

    pteeesh.

    To confirm you're not a script,
    please type the word in this image: binomial

    random letters - if you are visually impaired, please email us at pater@slashdot.org
    • This article is FUD, and bad FUD to counter Goslings stand against the 'untrusted code' model of the .Net.

      No, your reply is FUD, just like Goslings stuff about untrusted code. I won't waste my time explaining why it was FUD, that was already well-covered in the Slashdot comments [slashdot.org] around that article.

      ...JNI still works within the security model, yet it allows native code to be interfaced with, that is a seperate issue, and akin to making a network call, and running code on another server.

      You just m

  • Good, wonderful. Now back to the real world.

    Thanks. GJC
  • It's been done (Score:3, Informative)

    by Anonymous Coward on Saturday August 27, 2005 @08:05AM (#13414630)

    This is news? ONJava [onjava.com] did a detailed, four-part analysis of .Net and Java security a year or so ago:

  • by callipygian-showsyst (631222) on Saturday August 27, 2005 @11:05AM (#13415405) Homepage
    saying that due to careful design process, .NET presents security advantages over Java platform in several areas

    Microsoft did an excellet job with .NET. While we all like to make fun of Ballmer jumping up and down and saying "Developers...", Microsoft actually means it.

    Their tools, concepts, and design are *way* ahead of, say Xcode and Objective-C. It's painful for me when I have to do Mac development because everything's so backward.

    I would love it if other companies starting implementing C#/.NET/CLR products based on the ECMA standard (unlike Java, C#/.NET has been accepted by a neutral standards committee)...this would prevent Microsoft from changing the language drastically from release to release.

  • In addition (Score:3, Insightful)

    by doc modulo (568776) on Saturday August 27, 2005 @11:14AM (#13415467)
    .NET is Free source (as in free speech, mono or dotGNU)

    Java isn't
  • by gregluck (668236) on Saturday August 27, 2005 @12:12PM (#13415805)
    C# includes the "unsafe" keyword to allow a block of code to run outside the verifier.

    The study authors say "Since a security policy cannot be enforced on unmanaged code, we only consider managed code." Given that most C# applications use unmanaged code, they are potentially vulnerable to buffer overflow attacks and the like.

    C# has been criticised repeatdely in the security community for this feature. Java always runs in safe or managed mode and is therefore more secure than C#.

    For more on what unsafe code means see http://msdn.microsoft.com/library/default.asp?url= /library/en-us/dncscol/html/Csharp10182001.asp [microsoft.com]

    That the authors of the paper make conclusions about C# security, while deliberatley excluding a gaping hole, and the papers appearance on an MS site leads me to the belief that the paper was probably sponsored by MS and they directed the study authors to exclude unmanaged code from the scope.

    Bill Caelli, one of the world's leading security experts, humiliated a Microsoft representative over unsafe code and stated that "Microsoft had missed an historic opporunity to improve security in their products".

  • by 51337 (833354) on Saturday August 27, 2005 @12:31PM (#13415916)
    There are at least 9 security flaws in .NET. The paper conveniently dismisses them all as not being part of the framework even though Microsoft classifies them as such on their Knowledge Base. This is only to justify their pretty little chart in the introduction showing that .NET has zero security flaws. If .NET has zero security flaws... nevermind. The paper is deception.
  • by Bill_the_Engineer (772575) on Saturday August 27, 2005 @03:09PM (#13416861)
    This paper is a paper from a Grad Student, with an endorsement from Dr. David Evans. These papers (despite what the author may think) are not definative and MUST be contrasted with other papers on the subject.

    With all due respect for the author(s), I have the following questions:

    Why the mis-leading chart so early in the paper? I believe a table may have been more appropriate.

    Why not have more peer-reviewed references? I see plenty of references from MSDN, and some from some conferences. But it looks like most of the arguments are being supported by non-peer reviewed sources.

    Why are there a SMALL number of peer-reviewed articles directly related to JAVA?

    Why are the peer-reviewed articles on JAVA so old? And most likely no longer relevant?

    What is the deployment history of .NET vs. Java? Market share? Security incidents (in the wild)?

    Why the microscopic view of JAVA's flaws and the lack of depth in .NET?

    Why isn't the dangers of native code discussed (.NET or JNI)?

    I do however like the information in Table 3... but what practical advantages do the "finer grained" security functions provided by .NET give the programmer or the end-user?

    I think it is a decent paper that maybe was turned in for an assignment. BTW, if the author has asbestos underwear and reads slashdot. Don't forget a short biography at the end of the paper next time. This gives the paper extra creditability.

    Regards, Bill

White dwarf seeks red giant for binary relationship.

Working...