Bill Joy's Takes on C#

f00zbll writes: "Cnet is running an article by Bill Joy on security and how it relates to C# and Microsoft at large. BJ quotes verbatim: 'C# provides the ability to write unsafe code. In unsafe code it is possible to declare and operate on pointers, to perform conversions between pointers and integral types, to take the address of variables, and so forth.'"

So what?

[mosch]

Since when does the ability to use pointers mean that something is wrong? C allows a lot of 'unsafe' code to be written, yet we're all using operating systems writting in C, with very little trouble caused by the OS itself.

Sure, it'd be great (for Sun) for everybody to rewrite the world in Java, but in reality nobody can justify requiring 50% higher CPU usage in exchange for the ability to let programmers be careless.

I'm not saying Java is a bad thing at all, merely that C# isn't any worse than C, C++, perl or python. It's a shame when a press release manages to get linked from slashdot's main page, but that's all this is. Sorry Joy, but I'm not buying it.

Re:So what?

[BlackSol]

Uhmmm How many buffer overflow exploits & crashes have there been of the years?

But I do love C though...

Re:So what?

[Hiro+Antagonist]

I think the difference is that .NET and C# are designed as a network-based platform; e.g., you grab code off of the 'net as you need it, rather than storing everything locally. Having "unsafe" code in such an environment is utterly suicide, as it allows pretty much anybody who can put code on the network for you to use can do what they want to your system.

Java actually does the opposite of "letting programmers be careless"; it forces them to be pedantic. In Java, you *have* to check that data is formatted properly, or your program will throw an exception and die. You have to properly typecast objects, define variables, and return from non-void functions, or the compiler will return an error. Java forces the programmer to handle all the boring, tedious work of making sure their code handles error conditions in a proper manner; because if it doesn't, the program will crash. But it will never allow access to the system outside of the JVM -- making Java a very safe network application platform.

Re:So what?

The willingness of people to post without knowing the fundamentals of .Net astounds me.

You need a special security privilege to run unsafe code. Code downloaded from the net doesn't have this permission, so it can't run unsafe code.

Re:So what?

[good-n-nappy]

Or wait until Microsoft adds a dialog box that says "Allow unsafe code from Microsft? 'OK' 'CANCEL' 'ALWAYS TRUST MICROSOFT'"

Then the problem is transferred to the weakest link - the user. Just like a Word file that asks if you want to run macros. How many users always know when they should say yes?

Re:So what?

[Hiro+Antagonist]

There's also (in theory) a special security privilege to run "potentially harmful" ActiveX scripts or Outlook macros; yet they seem to slip through on a regular basis. I have little faith in Microsoft's ability to successfully implement a decent security model, based on their track history alone. The JVM doesn't provide any memory manipulation capabilities whatsoever, so even massive bugs in the JVM don't necessarily open up your entire system. I'd place a bet that there are ways around C# security.

I will admit that I'm not fantastically well-versed in .NET (who is?), but I do understand the fundamentals.

Furthermore, using code that handles memory directly is a lousy way to implement platform independent software; why do you think there are so many little-to-big-to-little endian conversion functions in C?

Re:So what?

[SirSlud]

The very existance of such an 'unsafe' flag allows for the possibility of a bug in the VM's security architecture that /could/ (I said could) allow malicious coders to flag their 3rd party code as 'safe', or otherhwise circumvent said facility.

I think the issue at hand here is one of transparency. If this goes the way MS wants it to go, you'll likely not be aware of when you're computer is fetching code to execute from the network, so you've very little idea of the risks you expose your computer to. You're left with far more possible ways of exposing remote users to malicious code. Should you: trick them into thinking it's local code via a dialog? trick the VM into thinking its local code? exploit the requirement for the 'unsafe' flag in order to run unsafe code? There are now numerous ways of going out attempting to execute unsafe code on remote boxes.

Now, take C, which, yes, most apps are written in, but you download them, install them, and go through a process that essentially makes you aware that your computer now has additional code residing on it, which /could/ be malicious.

Then take Java, where you /shouldnt/ be able to write unsafe code. A much safer (better, faster, etc are not the issue here) approach when you're dealing with situations in which you might be transparently running execution code fetched from remote untrusted or unfamiliar locations. Only a bug in the VM could lead to code being allowed outside the sandbox, and even then, there is nothing in the language that could let the casual programmer attempt to munch memory, etc ... I'm apt to believe this kind of achitecture likely leads to less possible problems than the .Net approach (of allowing unsafe code at the 'discretion' of the VM). Basically, there are far fewer 'paths' to exploit in the VM in order to execute malicious unsafe code in user memory, and once an exploit is discovered, you still can't really use java to write memory sniffers or access devices, or whatnot.

Ah well. Thats my 2 cents, from what I understand. For transparent remote-code network applications, I'll take Java's slow-but-safe approach any day of the week over MS's yet-to-be-fulfilled promises of being able to properly manage their own can of (marktable) worms.

Re:So what?

[Hiro+Antagonist]

There is a gross difference between Javascript and Java; Javascript is an in-brower scripting language with a rather vague specification. Java is a different beast entirely.

Java applets are actually different from Java applications; they don't have the ability to interact directly with the contents of the hard drive, in addition to all of the other limitations running in the JVM. The most malicious things that a Java applet can do are make lots of windows (not a problem on a Unix box), or present false information to the user -- essentially, Java applets are no more harmful than HTML.

I direct you to a pertinent section of the CERT/CC Malicious Web Scripts FAQ:

Should I disable Java applets?

The risk associated with Java applets is significantly different
from some of the other technologies. Java has a robust security
mechanism designed to deal with situations like these that prevents
sensitive information from being disclosed or client information from
being damaged.

However, Java applets written by an attacker can still be loaded
while your are viewing a legitimate web page. The problems that can
arise are similar to those involving the and other HTML
tags. For example, an attacker could develop a "Trojan Horse" program
that presented misleading information and prompted you for a password.
If you failed to recognize the malicious applet for what it was, you
could accidentally disclose sensitive information.

You must make your own determination about disabling Java applets,
based on your tolerance for these risks. If you choose to disable
Java, please see the detailed instructions below.

Re:So what?

[GSloop]

So, it would be perfectly OK for GM to put a "change oil" button on the dashboard of all cars. When you push the button, all the oil is dumped out of the engine.

Every year around 250,000 people destroy their cars from this button.

Who's problem is it? The user - probably. But it's GM's problem too. Any problem that occurs in significant numbers is a DESIGN problem. Sure, the user shouldn't, but good design will make it more difficult for a user to screw themselves. It will ALWAYS still be possible - the goal is to make it less likely that the user will do so unwittingly.

Thus, MS's bugs are mostly MS's fault. They don't care about decent design. To blame the user is a cop-out.

Cheers!

Re:So what?

[Shiny+Metal+S.]

You're right. If there were no chainsaws, people wouldn't cut off their fingers with them. But that would also mean that other people won't be able to effectively do their work.

My point is, that when your first priority is to protect stupid people from doing stupid things, you often also protect smart people from doing smart things.

Maybe I'm just old-fashioned, but I like to understand decisions which I make.

But I don't know if you understood me, I was commenting:

Just like a Word file that asks if you want to run macros. How many users always know when they should say yes?

and I said, that:

It's a good practice to not agree for anything you don't understand... When you don't know if you should say yes - just say no.

Do you really disagree with that?

Re:So what?

[Lazarus+Short]

I'm not too well-versed on .NET (or compiler/interpreter issues in general), so maybe this is a stupid question, but just because C# has features to manipulate "pointers" doesn't necessarily mean that you're really playing with actual memory addresses, does it? It could just be an (internally bounds-checked) index into a big ol' byte array or something, right?

e.g.

print(foo);
// interpreter looks up "foo" in the symbol
// table, gets (e.g.) 23, and outputs memory[23]

fooaddr = address_of(foo);
// interpreter looks up "foo" in the symbol
// table, again gets 23; looks up "fooaddr",
// gets 24, and does memory[24] = 23

fooaddr = fooaddr + 10;
print value_at(fooadr);
// interpreter compares fooaddr (which is 33) to
// mem_size (which is 30), and dies (or whatever)

As long as you test in your "value_at" function, you should be clear (from this particular problem, at least)

Oh, and nice nick, BTW.

Re:So what?

[Anonymous+Brave+Guy]

Uhmmm How many buffer overflow exploits & crashes have there been of the years?

Many. Then again, how many OSes written in Java have their been over the years?

Re:So what?

[km790816]

On a side note: Does anyone really expect Joy to say anything even remotely suportive of C#. Even if C#/.NET was the greatest thing since sliced bread, (I'm not saying it is) does anyone really expect anyone from Sun, especially one of the guys that created Java, to say anything possitive, supportive?

It's like asking BillG his opinion on Linux or LarryE his opinion on DB2.

Let's keep things in perspective, kids.

Trustworthy Code

[SteveX]

You can use C# to write "Unsafe" code, but it's the runtime that ultimately decides whether or not to let it run. For example, if the VM that the browser creates tries to launch a C# app downloaded from the Internet, and it's "Unsafe", the CLR will refuse to run it.

Difference between C# and ActiveX in this case is that in ActiveX, everything is "Unsafe" and you either take it or leave it. In Java, of course, everything is "safe". C# can go either way.

I really hope that Microsoft simply makes it impossible to run "Unsafe" CLR code in the browser. Not even an option.

- Steve

C# FUD?

[glh]

This sounds like FUD. He didn't really post any examples about what kind of problems C# has for security, that would have been helpful.

I think a lot of people are upset because MS has actually come out with something that can compare with Java finally.. The ability to write unsafe (unmanaged is what that really means, meaning the garbage collector and built in memory management features of the CLR won't touch it) is an added bonus to Java.

I think the real question is- how secure is the .NET common language runtime?

The Furor about C#

[Astral+Jung]

I still don't understand what's so evil about C#. If you don't want to use it, you don't have to. But personally, I find that not using C# leaves a sizable gap in several different keys, meaning a lot of stuff comes out just sounding wrong.

Re:Music lesson...

[Ieshan]

And actually, that stands for C-Sharp, not C-Flat at all. You could call it D-Flat, but that'd be like a boob-job gone wrong instead of a programming language.

FUD machine in overdrive

[coonsta]

To serious developers not familiar with C# and .NET, either don't read Joy, or be willing to look into the details yourself. You could be embarrassed if you repeat the gist of this article as lore. At the very least, you can easily convince yourself that this article is bogus in that it doesn't mention that C# has three kinds of pointers-- managed, unmanaged and transient.

C# does allow pointers and pointer manipulation. This is mostly for programmers seeking extra performance. Like a cast in Java, declaring code as "unsafe" is equivalent to saying to the VM, "Hey, I know what I'm doing." C# pointers are definitely not as liberal as C ones (just like casts in Java are not as liberal as casts in C).

For those sincerely seeking an intelligent discussion of pointers in the CLR, see Gough, J. "Compiling for the .NET Common Language Runtime (CLR)" Prentice Hall, NJ 2002.

Re:FUD machine in overdrive

[roca]

> Like a cast in Java, declaring code as "unsafe" is
> equivalent to saying to the VM, "Hey, I know what
> I'm doing."

This is wrong. A Java downcast is dynamically checked and cannot compromise the integrity of the virtual machine. It is not "unsafe" in any meaningful sense of the word.

Uhhh, its supposed to......

[CDWert]

Uhh, and the problem with this is ???????

All lll allow this, C3 may not be a lll but theyre trying to appeal to the uper end of that segment.

C# allows you to write managed, OR unmanaged code as well, This is an option. As well as the coders ability to write "unsafe" code. YOU MUST INTENTIONALLY flag the code to be written as UNSAFE !

If you dont know what you are doing and choose to do this so frigging what ???

C# has the fundementals of a good language, forget its from MS, if it where from GNU, you;d be eating it up saying look how much better it is. I am looking forward to working with it, the .NET Visual Studio is written in C# itself , it should be pretty thouroughly debugged before its released.

Play with it for a week , if youre a beggining C programmer youll love it, if youre experienced, youll love it for the same reasons, My bet is most of the people bitching havent read or written a single line of C#, if have and dont like it Id like to know explicity WHY ?, Ms bashing aside.......

Taint mode?

[chrysalis]

A language can be both 'safe' and 'unsafe'. Take a look at Perl. You can do a lot of insecure things with it. But as soon as you launch with the -T switch, your script will run in a special mode. Values coming from an insecure source will be refused by potentially dangerous functions, unless you explicitely mangle them before the call. This is extremely powerful and prevents a lot of classical security flaws.

I don't know much about C#. But a taint mode for it would make the language pretty safe, despite the presence of pointers.

Re:Taint mode?

[crawling_chaos]

Two words: buffer overflow

A "taint" mode would do nothing to catch these. Perl doesn't let you manipulate pointers and storage directly, so it's no big thing there. C#'s unsafe mode code does, and that's the big problem.

The ultimate secure language

[mrroot]

There's been alot of controversy lately over security holes in programming languages. There is one language that has stood the test of time and proven to be the most secure language of all, with a record zero (0) reported security holes.

Here is the link if you want to learn more.

Joy FUD Club

[Master+Of+Ninja]

Yep, I think the guy's getting quite jealous of MS. Love or hate these people, the .net programming specification look very powerful, and coupled with the hard-as-nails win2k/xp combination, they will be quite hard to compete against.

What Sun should really do is get off there behinds and match C# for features. From what I understand (not much admittedly), the Java VM just has to be extended to give it the breadth of additional languages that the CLI has (in terms of being able to use unsafe methods if the programmer wishes, so allowing C to work through it). The problem with Java has MS has the dominant desktop (and a good one it is now - really this is fact if you have to use them all day long), and they have the "standard" tools for programming. This will generate massive mindshare, and might get everyone from VB to C# (at least being "safe" might be good for programs knocked up at home).

On an unrelated topic, I think cloning the fundamentals of C# to a open-source basis is a very good idea. I might not agree how ximian are going about it, but at least the FSF has a parallel project that can bring the new language to the world - it could persuade casual safe programming, while allowing the breadth of accessing the OS directly.

When it comes to web services, I honestly can't see the difference between Java and C# (apart from the fact everyone will use C# as the MS-sponsored dominant language). It's all down to FUD: the .net services are basically going to be the same as before - just with a .net after them, and maybe re-written in C# now.

Java is great, but Bill Joy think he should go get it optimised - working faster, able to compete effectively with C#.

Re:define "unsafe" again please

[watanabe]

The reason that one considers working with pointers unsafe is that, for example, in C, one uses the pointer to get at an actual location in memory, and do something with what is there. Programmers frequently want to work quickly and directly with the actual bytes in RAM; for example a 10x10 integer array may be implemented in C for performance / algorithm reasons as a 1 dimensional array of 100 integers.

The problem occurs when the programmer writes their code to work through that array using pointer / address arithmetic. Perhaps the programmer is one byte off in their math, but only on the 100th integer. That is, they read the 101st number.

Maybe the 100th number is 99% of the time 0, and 1% of the time is 1 (I know, I'm mixing my bits and bytes, but, bear with me, please). The 101st number is just some random value in RAM. It might be 0, or it might be 1. It might be used by some other structure, it might not be used. YOU DON'T KNOW. However, the bug will only show up in the event that you use the number, and that the number is different than you expected. Those two don't happen so often. Ergo -> Jane programmer spends two weeks of her life tracking down a random crash triggered by a function that relies on that last value being 0 based on certain preconditions.

This isn't about computers crashing, it's about memory error bugs. I once wrote a ray tracer which got the colors terribly wrong once the light sources got too bright. After some checking, it turns out my light values weren't being capped at 8 bits. They were overwriting into the adjacent byte, and screwing up color values for pixels near them. Oops. Things like that don't _ever_ happen in Java, say.

Sun shouldn't be complacent

[astrashe]

Obviously Bill Joy knows a lot more about this stuff than I do; but I think he, and many of Microsoft's critics as well as supporters, are missing a crucial piece of the puzzle.

Many of the features that have contributed to MS's insecurity were there not because MS's engineers were too dumb to think clearly about security, but because other people decided that there was an overriding business interest that the features would serve.

Specifically, these features usually tend to be part of the MS strategy of leveraging success in one sector into another. If you use office, it makes sense to choose VB as your scripting language. If you know VB, it makes sense to run IIS. That's why there's a VB interpreter inside every office app.

I think that what we've seen from MS is an official change in policy -- they're saying that business considerations now suggest that security should be the #1 priority. They're admitting that the market will punish them for security holes, and that they can't sacrifice security to establish leverage from one sector to another.

MS has always put business concerns over technical ones. For that reason, a lot of /. posters have make comments to the effect that MS isn't capable of delivering technically. It used to be the conventional wisdom here, for example, that any MS OS was destined to crash repeatedly.

It turned out that when MS saw Unix and Linux as a threat, and when they decided that reliability was one of the biggest advantages that Unix/Linux offered, they took reliability seriously and made enormous progress in a relatively short period of time. This suggest that Windows crashed not because MS *couldn't* make it reliable, but because it wasn't a *priority* for them to do so. As soon as they saw a change in the business climate on the edge of their radar screen, they changed their behavior.

Windows and its applications haven't been secure because MS hasn't felt it was worth making security a priority until now. There is no evidence that they couldn't cover a lot of ground very quickly in security if that's what they decided to do. And it seems as if they've decided to do just that.

I do agree that .NET and C# are technologies that predate this new ordering of MS's priorities, and that they probably won't be very secure. Passport, the most important .NET application yet written, coded by people who ought to know the technology best, has been hacked (and patched, it's only fair to point out). If MS's people don't write secure apps with .NET, are the low end VB coders the platform is designed for going to do a better job?

But the problem that Sun faces is that MS has proven time and time again that they're willing to spend lots of money and go through lots of iterations to take a market. They're relentless. They usually don't get it right the first time, but they usually do get it right after four attempts or so.

I'll say something else that will probably get me modded down. After the recent flirtation between AOL and RedHat, I'm not sure that the moralistic arguments against MS hold up so well. Linux has been at the center of some pretty slimey stock swindles -- our gracious hosts, here at /., work for one of those companies.

Meanwhile, the Bill and Melinda Gates foundation is giving extraordinary sums of money to real nuts and bolts making the world a better place kinds of causes. Gates could literally turn out to be the most significant philanthropist in the history of the world. They're giving so much money that you can almost see a chunk of what you spend on MS going to a good cause.

All of which suggests to me that politics and the morality play that have always clouded the linux vs. windows debate should probably be put to rest.

Windows is horribly insecure -- viruses do incredible damage in the real world, especially among the least sophisticated users. That's not political, that's a fact.

But they're saying they're trying to clean up the mess. Sure, it's a big mess, and sure it's going to be a big job to clean it up. I give them credit for admitting it, and to taking on the task.

Re:define "unsafe" again please

The key point here is memory safety, which C (and C#'s with the unsafe keyword) lack. In a language with memory safety, buffer overrun vulnerabilities and the like can't happen.

Typically, memory safety is tied to type safety. (But, memory safety really has nothing to do with pointers. For instance, SML/NJ allows pointers, but is memory safe, since the type system won't let you treat an integer as a pointer. In SML/NJ, the type system essentially provides you with a proof that your code is memory safe). So, if your code type checks, it *is* memory safe.

The two concepts are distinct, though. Java is memory safe, but you can break the type system with casting. So their is no *static* guarantee that your code is memory safe, but the VM includes runtime checks to make this a dynamic guarantee.

Where do you get your facts?

[Carnage4Life]

I think the difference is that .NET and C# are designed as a network-based platform; e.g., you grab code off of the 'net as you need it, rather than storing everything locally.

Really??? What gives you this idea? Java + VM is relatively equivalent to C# + CLR (as mentioned in my article that appeared on Slashdot a while ago). Code can be downloaded from the Internet and run just like with Java applets or RMI applications but this is far from the primary design of the platform .

Of all the people in the world I'd expect to criticize a technology without adequately reading up on it first, Bill Joy would have beemn one of the last I'd expect to do such a thing.

Bill Joy (and your post) go on and on about the vulnerability of network programming then ends with the reference to unsafe code which aims at giving the impression that downloaded .NET code can be unsafe. However this is incorrect, and I quote

From a technical viewpoint, the term unsafe refers to whether the program is known to be safe. Before a program is converted from intermediate language (IL) to native code, there's a part of the runtime security system known as the verifier that looks at the IL to determine whether it's safe to execute. In this context, safe means that the verifier can prove that the IL doesn't do anything unsavory.

IL safety is important for certain Microsoft .NET scenarios--it's nice to know that the chunk of code that you downloaded from a Web site isn't going to do anything bad to your machine. The default policy for remote code (either from a Web site or from a net share) is that the code must be verified safe to execute.

In other situations, it's useful to write code that can't be verified to be safe. In C#, any use of pointers generates unsafe code, as does any use of interop, such as COM interop or platform invoke.

Since you don't want to write such code inadvertently, C# requires you to use the unsafe keyword on your class or method whenever you write code that deals with pointers. When you use the unsafe keyword, the resulting IL is marked as unsafe and can only run in a fully trusted environment (usually, security policy only trusts local assemblies). In the current version of the runtime, unsafe is defined at an assembly level, so having any unsafe code in assembly makes the entire assembly unsafe.

Re:Where do you get your facts?

[cicadia]

First off, Joy admits that code declared as unsafe "cannot be executed in an untrusted environment," at least according to the spec. He goes on to point out that we're trusting Microsoft's implementation here, which hasn't always been the best policy, at least for security issues.

> When you use the unsafe keyword, the resulting IL is marked as unsafe and can only run in a fully trusted environment

This bit still scares me. Does this mean that the C# compiler marks the IL as unsafe, and that the CLR trusts this marking? If that's the case, what is there to stop someone from bypassing the compiler, and editing the IL directly? (And please don't tell me it has anything to do with signed, trusted code :)

At least the Java model is based on fairly solid theory. The environment has a lot of nice properties which make it easy for the JVM to ensure that all code executed is safe. It begins with the position, "don't trust this code," and refuses to execute anything which it cannot prove to be safe. It doesn't rely on the programmer, or the compiler, to flag unsafe sections of code.

Re:Where do you get your facts?

[west]

Everyone seems to assume that most C# programs will not have unsafe constructs, making it generally practical to disallow code with unsafe constructs.

I'm willing to bet that most C# code will contain unsafe constructs. Programmers mostly come from a C background and, like all other humans, are basically lazy. Since unsafe code is both faster and easier to write, there will be tremendous impetus to write unsafe code so as "to get it done now".

With enough code that has unsafe constructs in it, system admins/users will end up allowing unsafe code to run by default.

In almost all cases, users want the maximum features and least security possible. Java's "least secure" mode is a lot better than "C#"s. Therefore Java is likely to be a lot more secure than C#. Blame the users? Sure. But it's the security that is actually used that counts, not what's available.

Re:define "unsafe" again please

[markmoss]

First off, I'm primarily a hardware engineer, who writes small programs in C or assembly that deal directly with hardware. So I use pointers and other "unsafe" code a lot; they are both extremely useful and extremely frustrating when it comes to debug time.

Pointers let you use just about any arbitrary number as an address and poke data in there. The virtual memory system might block this on the grounds that you don't have a page at that address -- but not all computers have the hardware to do that, you can still do horrible things by writing to the wrong place in the pages you do own, and if the protection does block the misplaced write, the resulting invalid page error is not pretty from the user's point of view.

Pointers can be used safely -- if you program very well, like checking every address before you use it (which takes a hell of a lot of extra code), or checking the data going into the pointer calculations to ensure that no way could a wrong value come out (which assumes you didn't make any programming mistakes). And if it is a case of running downloaded code where there is a finite chance that the programmer is _maliciously_ misusing pointers, there is no way for the computer to analyze the code and detect this before you run it. Hence Microsoft's attempt to make internet and e-mail user friendly by automatically running any included executables spawned a plague of viruses, worms, and trojans...

C++ gives you the choice of traditional pointers or references. A "reference" is a sort of super-pointer that includes data on where valid targets must be, and gets checked for validity every time you use it. I don't do Java, but I am under the impression that it uses references only. That isn't enough in itself to prevent writing Java viruses, but it gives the OS a fighting chance of confining them to the sandbox...

OTOH, no computer is going to run entirely on "safe" code. At some level, the code has to read and write hardware registers. To do that, you take the numeric address of the register, and use that as a pointer. True, a good, secure OS would confine all such activities to drivers, which can only be installed by the administrator, who ought to know the difference between a driver and a trojan. But Microsoft doesn't write OS's like that -- NT/2000/XP is rather improved on DOS where direct writes to the video card were almost mandatory, but the security is still swiss cheese.

Incidentally, the original reason for C allowing all sorts of unsafe activities (pointers everywhere, strcpy with no length check, etc.) was performance. Checking the length of a string every time it was used took CPU cycles and RAM to hold the extra machine code. So the creators of C left it up to the programmer to shove in an if statement to check the length when the string was input, and to do the math and pop in another if statement anywhere it was possible for the string to grow too long. This was efficient, but puts quite a load on the programmer. About that time, I was running an 8 bit computer with 16K of RAM, clock speed under 1M, and all the accounting, class schedules, grade reports, etc. for a small college went through it. Efficiency was important! Now, who's going to notice whether the program runs in 1 millisecond or 2? It's better to be reliable. And it's necessary to get the program up and running pretty fast -- that's a lot easier if you don't have to worry about pointers going wild except when you do go to the hardware.

In C# apparently the programmer has the choice of using references and avoiding all "unsafe" code, or of declaring a module "unsafe" and programming any way that gets the job done. By making "unsafe" a PITA, they've encouraged programmers to avoid it except when absolutely necessary. I have a suspicion that once the coders get used to it, that will increase their productivity overall. In addition, it gives any tool that may run code from outside a quick way of determining whether the code was written to be safe or not. In theory...

I have serious doubts about whether that (being able to run "safe" C-sharp programs) will actually work. First off, won't a virus-writer be able to hack the tags that say "unsafe"? Second, ways to do unsafe things in "safe" code will be discovered. Third, if your OS has security like swiss cheese, no program is going to really be safe. Do e-mail viruses actually have to do anything that isn't allowed?

From what I've heard, Microsoft's idea of securing Outlook was to have it look at the HTML tag, and if it said executable pop up a warning which is incomprehensible to the people who are actually ignorant enough to get e-mail viruses. ('Yeah, it's from a trusted source. See the "From" line...') But if the HTML said "text", then it passed the attachment on to the Windows "open" command, which determines the type of the attachment by looking at the attachment, and if it was .exe or dozens of script-containing formats, it would let it run. Surely virus writers wouldn't be _dishonest_ and change the HTML tag so their .exe's would slip through...

Until that sort of thinking changes, giving people a way of tagging the programs "safe" or "unsafe" is just asking for trouble.

Re:Sandbox for compiled code?

[josepha48]

On Linux while(1) fork() may take down the whole system. Also while (1) malloc(1024) may start to cause problems as well. Other UNIXes can be attacked by runaway proceses as well. Windows and UNIX have that problem. One process that goes awire can take down just about any system if it has the provelidges. Especially if it is run suid or as root.

Building a system with the sandbox design in minds is easier than taking an existing system and putting it in a sandbox. Active X is already out there. How do you handle the existing Active X and put that in a box? You'd basically have to redesign active X. Word, Excell and Access all rely heavily on VB macros. How do you put them in a sandbox? Actually that may be easier to do but it would also be limiting. In the sandbox that Javascript runs in you are not supposed to be able to access files on the users filesystem. (note not supposed to there have been errors on that though). The idea was there though.

Okay so you operate it in a GUEST account. If that guest is set up or can access files there goes security.

The reality is that 28 days is not enought time to focus on security and Microsoft does not have a good track record when it comes to security. While it may be possible to start building in security into the existing system. Security is a continuous effort that must be thought of as part of the design. When a programmer creates a new language they must start to think security right off the bat. This was done with Java, but not C#.

I say good luck Microsoft, but you have a lot of work ahead of you to prove to me that you can get security right without comprimising usability.

Sun's FUD

[markj02]

The use of "unsafe" in C# is roughly analogous to the use of JNI in Java: modules using unsafe features (or native code) are identifiable as such by the runtime, and applications with security needs can exclude them. As such, C# isn't any less safe than Java. In practice, the C# approach is likely to be safer and more secure than the Java approach, since using "unsafe" inside a C# program is much more localized and much easier to get right than writing a JNI module.

Furthermore, C# isn't even going after the same market as Java. Java's security model primarily comes into play for applets and mobile code, but that's only a tiny fraction of all applications. C#'s purpose in life is to allow programmers to create desktop and server applications more easily. For that purpose, an easy and robust interface to native code (regular expression libraries, XML parsers, etc.) is much more important than security.

The major problem with C# isn't technical, the major problem is that there aren't any good implementations available yet (no, Microsoft's implementation isn't all that great yet) and that C# comes from Microsoft. But once there are C# implementations that are competitive with Java implementations and once C# has a life outside Microsoft, C# will be a serious threat to Java. And we may see a truly open source, efficient implementation of C# before we see one for Java.

For the time being, I still think Java is the more logical choice for open source applications. It may yet be a few years before competitive C# implementations and libraries come along. Sun still can keep their lead by innovating and extending the Java platform, cooperating with the open source community, and being honest about the strengths and limitations of the Java platform. But if Sun continues along their current course, they will lose sooner or later.