Java Programming Security

Comparison of Java and .NET security (461 comments)

prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. The DevMktg blog on MSDN summarizes the findings, saying that due to a careful design process, .NET presents security advantages over the Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
  • by ars matica ( 880590 ) on Saturday August 27, 2005 @05:00AM (#13414211)
    You're kidding me, right? Anyone who actually has used Visual Studio will acquiesce that it is the best IDE ever conceived. Even the most hardened OS automatons. If by chunks you mean chunks of superiority then yeah, you are exactly right.
  • Re:Except... (Score:1, Insightful)

    by goobster ( 880542 ) on Saturday August 27, 2005 @05:02AM (#13414215)
    This system is shutting down. Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
  • by Three Headed Man ( 765841 ) <.dieter_chen. .at. .yahoo.com.> on Saturday August 27, 2005 @05:05AM (#13414219)
    Do you really think that age has anything to do with current vulnerabilities, or does security stem from good design, rather than patches?
  • Brr... (Score:1, Insightful)

    by MemoryDragon ( 544441 ) on Saturday August 27, 2005 @05:09AM (#13414231)
    Wake me up... when .Net stops being a vehicle to lock users and developers more and more into Windows... From day 1 .Net was designed to lure over the Java devs so that they get rid of the dangerous cross-platform capabilities of Java! And don't come with Mono, we all know where it stands!
  • by Mensa Babe ( 675349 ) on Saturday August 27, 2005 @05:10AM (#13414233) Homepage Journal
    It's not truly cross-platform so it's out of the question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and ports them to Linux I won't touch it with a ten foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamic typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward to is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.
  • by vdex42 ( 858798 ) on Saturday August 27, 2005 @05:18AM (#13414250)
    Well, ignoring the fact that Microsoft is meant to be 'teh evil' and looking purely at the framework that their engineers have produced, I have found very little to criticize.

    It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
    * Easier exception handling.
    * Transparency with the whole string class/primitive issue.
    * Really easy to create and catch events.

    The Visual Studio IDE however! Piece of HTML-mangling, non-XHTML-compliant &*$£

  • by kbw ( 524341 ) on Saturday August 27, 2005 @05:19AM (#13414254) Journal
    Performance over time is a measure of success. And so .NET's performance over 9 years would be a fair comparison.

    Over the years I've seen many remarkable architectural designs, including the Windows NT Security Model (back when NT meant New Technology), which were thought to be ideal. 11 years on, no one could seriously claim that the Windows security model is ideal.
  • Source code access (Score:5, Insightful)

    by boa13 ( 548222 ) on Saturday August 27, 2005 @05:20AM (#13414258) Homepage Journal
    First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take into account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.

    Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.

    So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.

    Now, question is, why are there no vulnerabilities discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.

    However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.

    So, availability of source code might be enough to generate two or three vulnerability discoveries per year.

    Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent their money where it matters most in the long run.
  • Mod parent down (Score:1, Insightful)

    by Anonymous Coward on Saturday August 27, 2005 @05:21AM (#13414263)
  • by dotslashdot ( 694478 ) on Saturday August 27, 2005 @05:23AM (#13414268)
    Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds of operations and make it difficult for others to figure out just what the hell is going on. C++ sucks for that very reason when it comes to a production environment. These are only useful in useless settings like school or maybe a Mensa meeting. Have you heard of Mensa? You should join. Especially because you are so subtle and humble about it. :)
  • hardly objective (Score:4, Insightful)

    by jilles ( 20976 ) on Saturday August 27, 2005 @05:31AM (#13414281) Homepage
    I'm not going to read the article but the reasons stated in the summary suggest a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the MS blog is suspicious and the scientific study might actually be quite good (I wouldn't criticize it without reading it first).

    Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and .Net come with very similar security features. Both have fine-grained role based security features. I'd say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an OSS PGP implementation recently that plugs into the default Java security API. .Net on the other hand has some nice language features like attributes. Java has null security managers; .Net has unmanaged code.

    Java's security features are designed through the JCP process in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by Sun. Overall I trust this process more than I trust the Microsoft process which when it comes to security has received a lot of criticism over the past few years.
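The "null SecurityManager" and bootclasspath points come up in the summary above and again in jilles' comment ("Java has null securitymanagers"). The following is an added example, written for this page and not taken from the UVA paper or from any poster, that makes both concrete in Java: the JDK's own permission-check idiom (the same one `Class.getProtectionDomain()` uses internally) is a silent no-op when no manager is installed, and a class loaded by the bootstrap loader, which is where -Xbootclasspath/a: puts classes, carries an implicit AllPermission. SensitiveService and the "configuration.read" permission name are hypothetical. Caveat for anyone running it today: on JDK 18 and later the JVM must be started with -Djava.security.manager=allow for setSecurityManager to succeed, and JDK 24 disables the SecurityManager permanently, so the last check only runs on older releases.

```java
import java.security.AllPermission;
import java.security.Permission;
import java.security.ProtectionDomain;

/*
 * Added example, not code from the paper or the thread.
 * Shows (1) a permission check that only exists when a SecurityManager is
 * installed, and (2) the AllPermission that bootstrap classes carry.
 */
public class NullManagerDemo {

    /** Hypothetical library entry point guarded with the standard JDK idiom. */
    static final class SensitiveService {
        static final Permission READ_CONFIG =
                new RuntimePermission("configuration.read"); // hypothetical permission name

        static String readConfig() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {                 // no manager installed -> no check at all
                sm.checkPermission(READ_CONFIG);
            }
            return "db.password=..."; // constructed sample value
        }
    }

    /** Manager that denies exactly the hypothetical permission and allows the rest. */
    static final class DenyConfigRead extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (SensitiveService.READ_CONFIG.equals(perm)) {
                throw new SecurityException("denied: " + perm);
            }
            // everything else is allowed so the demo itself keeps running
        }
    }

    /** True if the guarded call goes through while no manager is installed. */
    static boolean readsWithoutManager() {
        if (System.getSecurityManager() != null) {
            throw new IllegalStateException("expected no manager at startup");
        }
        return SensitiveService.readConfig() != null;
    }

    /** True if the same call is refused once a restrictive manager is installed. */
    static boolean refusedWithManager() {
        System.setSecurityManager(new DenyConfigRead());
        try {
            SensitiveService.readConfig();
            return false;
        } catch (SecurityException expected) {
            return true;
        }
    }

    /** Bootstrap classes have no CodeSource and a ProtectionDomain that implies AllPermission. */
    static boolean bootClassHasAllPermission() {
        ProtectionDomain pd = String.class.getProtectionDomain();
        return pd.getCodeSource() == null && pd.implies(new AllPermission());
    }

    public static void main(String[] args) {
        // Order matters: the first two run before any manager is installed.
        System.out.println("guarded call succeeds with no manager: " + readsWithoutManager());
        System.out.println("String is bootstrap, implies AllPermission: " + bootClassHasAllPermission());
        System.out.println("guarded call refused with manager:     " + refusedWithManager());
    }
}
```

Compile with javac and run with java NullManagerDemo (adding -Djava.security.manager=allow on JDK 18 to 23). The practical consequence is the one the paper is pointing at: a library that protects an operation with this idiom has no protection at all unless the hosting application installs a manager, and any class that ends up on the boot class path is trusted unconditionally regardless of what the policy file says about its location.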
  • by Xtian ( 246 ) on Saturday August 27, 2005 @05:31AM (#13414283)
    Okay, so, .net is designed better. Now, unfortunately the thing only runs under MS Windows. Windows is a rather poorly designed operating system. So, your .net is better, but it only runs on an OS with major security issues.

    How far does that get you?
  • by JeremyALogan ( 622913 ) on Saturday August 27, 2005 @05:49AM (#13414318) Homepage
    Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).

    However, this study is flawed. .Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far superior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?
  • by MemoryDragon ( 544441 ) on Saturday August 27, 2005 @06:01AM (#13414346)
    Add to that that you basically have half the classes sitting as a thin layer on a 20-year-old API designed with no security at all in the minds of the developers, and some stuff basically moved 1:1 over.... .Net can have lots of security features, but as long as you can pump a string directly into Win32 in half of the classes, which triggers a buffer overflow, everything in this article is null and void.
  • by sosume ( 680416 ) on Saturday August 27, 2005 @06:27AM (#13414394) Journal
    ok, I feel a strong need to shamelessly plug the .NET platform and refute your arguments..

    >.NET: price: free, You only need to have Windows
    >2003 Business Server for serious work
    >portable: it runs on many systems, like
    >Windows and ... Windows ... but not all of them.

    Mono and .GNU work on BSD, Linux and Windows. You are not required to use the System.Windows namespace if you're not developing for Windows.
    You shouldn't look at anything older than Windows 2000 though..

    >IDE: brilliant Visual Studio, unfortunately
    >no plugins

    really now. They are called 'add-ins'.

    >Java: price: free, well it is free

    Sure, but not as in beer. Can I independently create my own JVM and distribute it?

    >secure: most likely as secure as Your application

    Sure, you can always trust the developer.

    >speed: a bit clumsy, but hey, almost all >1GHz
    >desktop PC can run Java application in very
    >responsive manner (Eclipse, Netbeans, Azureus,
    >etc.)

    Sure. So if I want speed I should just add more machines.

    >IDE: Eclipse and/or Netbeans ROCKS!

    and all that in a very slow manner indeed..
  • by iapetus ( 24050 ) on Saturday August 27, 2005 @06:27AM (#13414395) Homepage
    Why is it wrong to compare them as pure equals? Speaking as someone wanting to implement a solution today, using today's technology, I want to know which one is better for my needs now. I'm not going to say "Well, Java sucks, but for the time it was great, so I'll use that instead of something that meets my requirements right now."
  • by Anonymous Coward on Saturday August 27, 2005 @06:36AM (#13414413)
    C is not as portable as it seems. Just because there is a C compiler does not mean that any program written in C runs on a platform.
    It is complex indeed. Which is not good. It is the cause for many errors which are hard to find. (Strings in C are about the worst you can get.)
    Professionals who use C for everything should be fired because they should use a language suitable for the task instead.
  • Heh! (Score:5, Insightful)

    by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Saturday August 27, 2005 @06:37AM (#13414419) Homepage Journal
    The gall to take into account vulnerabilities from Microsoft's own JVM in a comparison to Microsoft's .Net is astonishing. What a way to belittle your competitor: make a crappy implementation of their product and call them insecure.

    I lack words.
  • by boa13 ( 548222 ) on Saturday August 27, 2005 @06:47AM (#13414438) Homepage Journal
    I want to know which one is better for my needs now.

    And this is why the comparison is wrong. It does not compare them "now", it compares them "overall". Do you care about ten-years-old flaws that were quickly fixed and have not bothered anyone since then? I think not. Do you care about flaws in a special vendor version that no sane person uses now? I think not. Would you be interested in knowing that the above-mentioned flaws were created by the very vendor the proprietary technology of whom you are trying to evaluate? I think you should.

    What should interest you is how many security issues are found per year. The article lets you learn that (even though it doesn't explicitly do the math for you). What should also interest you is how the Java community and Sun reacted to the flaws, how fast and how well they were fixed. The article is tight-lipped about that.

    Actually, since no flaws have been found for .Net, there is no way to know how Microsoft will react in such a case. Past reactions should at the very least have you worried.

    (And actually, there have been flaws, but the authors of the study chose to ignore them, see appendix A for why. Unfortunately, there's no appendix B for how they chose the Java flaws.)
  • by fcgreg ( 670777 ) on Saturday August 27, 2005 @06:54AM (#13414466)
    Please spare us the repetition of this specious argument. Since you cannot even tell us with any degree of certainty how much of Rotor is used in .NET, nor which parts of the framework, we can't even have a discussion about it in this context.

    Oh wait... you have it on good authority from an unnamed source that MS uses "pretty much all of it". Hardly a good basis for discussion.

    Sorry.
  • by fcgreg ( 670777 ) on Saturday August 27, 2005 @07:03AM (#13414485)
    True, it's not the exact same source code that's in the downloadable .NET runtime, and it's missing a lot of the libraries that make .NET what it is. ...
    ----------

    <sarcasm>
    But other than all that... it's a pretty good match!
    </sarcasm>

    Sheesh.

  • by shutdown -p now ( 807394 ) on Saturday August 27, 2005 @07:05AM (#13414488) Journal
    Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds operations and make it difficult for others to figure out just what the hell is going on.
    Well maybe the developers should learn more about operator overloading and multiple inheritance, like, how to use them properly, instead of whining endlessly about how "C++ sucks for that very reason"? You know, start with some decent programming language like Eiffel, which was designed from the ground up to handle both these cases very nicely. See how MI is used there, why it is used, and what it can do in skilled hands that SI+interfaces can't. Then maybe you will be able to learn to comprehend the power Lisp macros give to the programmer (I'm half-expecting someone to shout "but macros are evil because they can be abused, that's why C sucks!").

    Speaking of abuse, pretty much every language can be abused to no end. Java is no exception. It won't stop you from making public fields, for example, which is generally considered a bad thing to do. Nor will it limit write access to them from outside the class (in contrast to Eiffel, where public fields are read-only from outside). The whole type system is a big mess as well (int vs Integer, anyone? and now with autoboxing?).

  • Re:Heh! (Score:3, Insightful)

    by cpu_fusion ( 705735 ) on Saturday August 27, 2005 @07:49AM (#13414575)
    I completely agree. This single point alone screams, "ignore this study! it's biased!"

    Either the people writing the study are purposefully distorting their own data, or they are idiots, or both.

    Expect more acts of desperation from Microsoft marketing as Java continues to dominate the enterprise server space.
  • by STFS ( 671004 ) on Saturday August 27, 2005 @08:04AM (#13414628) Homepage
    The difference in age has something to do with it... you can't say that the "score" is 45 - 0 because the 45 vulnerabilities have been reported over 9 years for Sun. However, the chart clearly shows that in its first three years the Java platform was already up to 15 vulnerabilities while .NET is still at 0 after 3 years out.
  • by hwangeruk ( 910652 ) on Saturday August 27, 2005 @08:21AM (#13414687)
    Stop personally insulting each other.

    VS.Net 2003 has lots of issues, certainly around web projects. It sure lacks refactoring, and it does not highlight errors without a compile.
    All Java advocates here are shouting Eclipse, but the Java pros I work with use IntelliJ. Sometimes paying for something is better.
    VS 2005 has improved a lot, and for doing .Net you would have to be mad to use anything else. Even the lovely/cute SharpDevelop could not be used for real serious development even though I adore their whole project.
    I'm downloading Eclipse now to take a look at it again, but if it's the usual Java sluggish/ugly normal Java client stuff we are used to then I won't be using it for very long. .Net does rock, I don't like the obvious bias of the security paper that started this thread, but .Net is newer so it's no surprise the design has some advantages. Java and .Net can live in the world together, there is no need to get hysterical or get in a fight about it. You eat veggies, I'll eat the meat, meat and vegetables can coexist, get over yourselves.
  • by wdmr ( 884924 ) on Saturday August 27, 2005 @08:44AM (#13414760)

    By MS consultant I mean he was a Microsoft employee from their professional services division acting as a consultant to help resolve issues with the application. So call bullshit all you want.

    Yes, we restricted the port ranges but guess what? When you do that on a SQL server box it crashes under load and MS was never able to resolve the issue. This was true even if the restricted range was very large or very small.

    Where did I ever say "one box"? I said flat which means in one network segment.

    As I said in my first post, "there may be a better way to implement .Net". I guess it would have been too much for someone to just post information instead of resorting to calling me a liar. :)

  • by Peaker ( 72084 ) <gnupeaker@nOSPAM.yahoo.com> on Saturday August 27, 2005 @08:51AM (#13414782) Homepage
    Writing OO in C when you have C++ is stupid, you entirely fundamental basics of OO concepts such as inheritance, encapsulation and the like.

    Inheritance (at least single inheritance) is easy in C: you can just make the first member of your object (struct) an instance of another object. Thus, you can cast up (by dereferencing that member), the only difference being that the cast up is explicit (not necessarily such a bad thing!). And you can cast down implicitly by using casted function pointers that take the subclass pointer (works because it is the first member in the struct).

    As for encapsulation, you get that in C simply by encapsulating all you want in the same module: hiding the data and code you want in the C side and exposing what you want in the H side. Sure, you can't enforce hiding the private data in your struct, but you can hide it by convention.

    Also note that in C++, you can't really enforce the data hiding either, i.e:

    #define private public
    #include "some_class.h"
  • Interoperability? (Score:1, Insightful)

    by Bandit0013 ( 738137 ) on Saturday August 27, 2005 @09:01AM (#13414824)
    Am I reading this correctly? A common claim from the java crowd for superiority is how it has better interoperability? That is one of the least important things in a business today.

    If you look at the statistics Windows 2003 server is really catching on with businesses, that advances the .NET platform.

    There's this thing called XML web services, if you've been living under a rock or just plain closed your eyes to the real world this means that you can communicate with any system, so Java as a web platform has lost its major advantage it once had over MS products.

    In fact, the ease of installing a server, the cleanness of .NET, power of ASP .NET means that in a company you can now embrace your beloved linux for the worker desktops, have one microsoft server running ASP .NET / SQL Server, and service the entire company with one application that is cheap and easy to build.

    That is why .NET is starting to knock the socks off java in the business world.

    For client side apps java is still the winner for multiplatform... but outside of handhelds it's largely irrelevant b/c Windows dominates the desktop market.
  • by jallen02 ( 124384 ) on Saturday August 27, 2005 @09:03AM (#13414832) Homepage Journal
    But it is almost a given that in any large application someone somewhere dipped into the PInvoke toolbox to get something done. I haven't seen many .NET GUI apps of any large size that don't dip into PInvoke. Usually it was because the developers were familiar with the older Win32 API and didn't feel like doing things right, but still. You don't really see that in Java nearly as often. I have used JNI code a handful of times in 3 or 4 years of Java development, and it is almost encouraged by Microsoft to PInvoke things when you need more power/control.

    Jeremy
  • Re:Totally bogus (Score:3, Insightful)

    by tommck ( 69750 ) on Saturday August 27, 2005 @09:20AM (#13414902) Homepage
    I wonder why all these MSFT bashers keep coming in as Anonymous.... .NET managed code is NOT rare. People who write .NET code interfacing with unmanaged code are usually porting existing applications.

    Comparing this security to a native Java app is like comparing a Java app with JNI calls to an existing C or C++ app. The code is only as secure as the other code it is trusting.

    Apples and Oranges

    P.S. Your last analogy makes no sense whatsoever
  • Re:who cares? (Score:3, Insightful)

    by Tarwn ( 458323 ) on Saturday August 27, 2005 @10:01AM (#13415090) Homepage
    There is absolutely no point to .NET when it only runs on windows.


    How many companies are purely Windows shops? I would think that given that one fact (and ignoring mono, .GNU, etc) there might be a reason for the existence of .Net.

    Don't get me wrong, I'm not a .Net zealot by any measure, though I do write a good bit of it at work. Work being mostly a Windows shop with only two Linux boxes and one Mac (compared to 5-600 Windows boxes). We don't care if Java works on desktops and servers, we're not going to write an application that will need to run on both. The closest we'll come to that is a distributed application that could easily be C# on one side and Perl on the other because we don't create applications that have both the user interface and server capabilities all bundled into one executable.

    And as far as connecting cell phones to an existing application, we decided to go the web-based route. There is no Java front-end or back-end requirement. Hell, you could easily have a Java front-end and C# back-end if you wanted, but we went with an HTML front-end and C# back-end (though I was pushing for PHP :P ).

    i'm not really familiar with .NET, but seeing as it only runs on windows it really makes no sense to me.

    And if you work in a mixed shop that does require application functionality that is exactly the same across multiple platforms, I can see your point. However, in a Microsoft house you have the option of choosing your tools to fit the job. Maybe Java will be the best fit or maybe .Net will be the best fit, but once you choose one then it makes sense to continue using that one technology in most places to standardize your infrastructure as much as possible (software-wise, not necessarily OS-wise).
  • by MobyDisk ( 75490 ) on Saturday August 27, 2005 @10:25AM (#13415180) Homepage
    This article is FUD, and bad FUD to counter Gosling's stand against the 'untrusted code' model of .Net.
    No, your reply is FUD, just like Gosling's stuff about untrusted code. I won't waste my time explaining why it was FUD, that was already well-covered in the Slashdot comments [slashdot.org] around that article.
    ...JNI still works within the security model, yet it allows native code to be interfaced with, that is a separate issue, and akin to making a network call, and running code on another server.
    You just made that up hoping most readers have never used JNI. That isn't how JNI works. It works very similarly to how .NET works. And you can, if you write code to do so, completely screw with the native security model using JNI.
    Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.
    I would love to know where you got that figure. It might be right. But without some facts behind it that is a meaningless attempt to belittle .NET.
    So they have a bent from the start to discredit Java.
    You just misunderstand: that is a reasonable way to start an academic paper: Begin with a hypothesis, and test it. If they were trying to write something subtly biased, they wouldn't start by telling you. They would hide it with words like FUD which is in nearly every paragraph you wrote.
    It's actually good to do it that way because you can't do research until you have a hypothesis, otherwise you don't know what you are measuring. You have to establish that basis before doing the research, not after.

    One last personal request: Using bold all over the place at random looks kinda like USING LOTS OF CAPS and doesn't help make a point. I recommend using bold on no more than one or two words in a paragraph.
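Several comments above make the same point from different directions: jallen02 on how often real .NET apps reach for PInvoke, tommck's "the code is only as secure as the other code it is trusting", and MobyDisk's reply that JNI can "completely screw with the native security model" if the code chooses to. The following is an added example, written for this page and not taken from the paper or from any poster, showing where Java's actual control point sits: SecurityManager.checkLink runs inside System.loadLibrary before any library is looked up, so a manager can refuse to link native code at all, but once a native method is bound the manager cannot see what it does. The library name nativehelper and the native method readRawFile are hypothetical and deliberately left unbound, so the example needs no compiled JNI library to run. Same caveat as the earlier example: JDK 18 to 23 need -Djava.security.manager=allow, and JDK 24 removes the ability to install a manager.

```java
import java.security.Permission;

/*
 * Added example, not code from the paper or the thread.
 * Demonstrates the native boundary of the Java sandbox: the manager is
 * consulted when a library is linked, not when native code executes.
 */
public class NativeBoundaryDemo {

    /** Hypothetical JNI entry point; its body would live in native code the JVM cannot inspect. */
    static native int readRawFile(String path);

    /** Manager that refuses to link any native library and allows everything else. */
    static final class NoNativeCode extends SecurityManager {
        @Override
        public void checkLink(String lib) {
            throw new SecurityException("native library refused: " + lib);
        }
        @Override
        public void checkPermission(Permission perm) {
            // allow, so the rest of the demo can run; a real policy would be stricter
        }
    }

    /** No manager: the only thing between managed code and native is whether the file exists. */
    static String loadWithoutManager() {
        try {
            System.loadLibrary("nativehelper"); // hypothetical name, not on java.library.path
            return "loaded";
        } catch (UnsatisfiedLinkError e) {
            return "UnsatisfiedLinkError";      // a missing file, not a security decision
        }
    }

    /** Calling a native method that nothing is bound to fails at the boundary, not inside the sandbox. */
    static String callUnboundNative() {
        try {
            readRawFile("/etc/passwd");
            return "returned";
        } catch (UnsatisfiedLinkError e) {
            return "UnsatisfiedLinkError";
        }
    }

    /** With the manager: checkLink runs before any lookup, so the load is refused outright. */
    static String loadWithManager() {
        System.setSecurityManager(new NoNativeCode());
        try {
            System.loadLibrary("nativehelper");
            return "loaded";
        } catch (SecurityException e) {
            return "SecurityException";
        } catch (UnsatisfiedLinkError e) {
            return "UnsatisfiedLinkError";
        }
    }

    public static void main(String[] args) {
        // The manager is installed last so the first two calls see none.
        System.out.println("load with no manager:  " + loadWithoutManager());
        System.out.println("call unbound native:   " + callUnboundNative());
        System.out.println("load with manager:     " + loadWithManager());
    }
}
```

Compile with javac and run with java NativeBoundaryDemo. The design point is the one the thread circles around: both platforms let managed code call out to native code, and neither runtime can verify what happens on the other side of that call. What a sandbox can do is decide whether the link happens at all, which is why a policy that grants loadLibrary (or, on the .NET side, unmanaged code permission) to partially trusted code is effectively granting it everything.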

  • by khchung ( 462899 ) on Saturday August 27, 2005 @11:01AM (#13415379) Journal
    Ever heard of refactoring?

    It seems most moderators haven't heard of it either, as nobody modded you up yet.

    I am an Eclipse/Java guy now working on a VS C# project. Anyone who thinks VS is great, please tell me how to do these automatically in VS.Net 2003 (I am admittedly a novice with the VS interface, so I am hoping these things are actually doable):

    1. Generate getters and setters so I don't have to type them all by myself!
    2. Automatically rename the namespace in the file when I move the file between folders/projects, AND update other classes that reference the moved class.
    3. Automatically rename the class name when I rename the file, AND update other classes that reference the renamed class.
    4. When I rename a member method/variable name, automatically update other classes that reference the method.
    5. Fix the damn web reference caching so hell won't break loose after methods in a web service have been changed. We end up having to reboot the machine to get other projects to compile after stuff in a referenced web service project changes (Yes, we have tried "update web reference").
    6. Ever heard of "Extract method"?
    7. Let me "generate method" when it finds that a called method does not already exist.
    8. Let me rename method parameters or local variables and auto-rename all uses in the rest of the method.
  • In addition (Score:3, Insightful)

    by doc modulo ( 568776 ) on Saturday August 27, 2005 @11:14AM (#13415467)
    .NET is Free source (as in free speech, mono or dotGNU)

    Java isn't
  • Good try, but no (Score:2, Insightful)

    by hao2lian ( 726435 ) on Saturday August 27, 2005 @11:23AM (#13415518) Homepage
    The main reason to use Java is that it's cross-platform. If you think Microsoft's plan is to lure Java developers over to a platform that's locked into Windows from a platform that runs on who knows how many platforms, you have another thought coming to you.
  • by btobin ( 906080 ) on Saturday August 27, 2005 @11:39AM (#13415599)
    C++ sucks because of poor design decisions made around features like multiple inheritance, not because of inherent problems with MI. Eiffel and Common Lisp both support MI without any of the blow-your-leg-off problems C++ introduces. Learn something other than Cxx/Java, it's a big world out there.
  • by Procyon101 ( 61366 ) on Saturday August 27, 2005 @04:42PM (#13417340) Journal
    I've got to use the same argument for multiple inheritance. It's absolutely great when done in a sane fashion. The occasional default implementation of an interface, or even more useful, inheriting from policy classes for decoupling, are great uses of multiple inheritance. It's the OOP nightmare of deep, wide inheritance trees that leads to gouging-your-eyes-out insanity and prayers for single inheritance, just like seeing an overloaded comma and tertiary is likely to make you swear off operator overloading. But that's a symptom of crazy programming, not a crazy language construct.
