Don Box: Huge Security Holes in Solaris, JVM

DaHat writes "Don Box, one of the authors of the original SOAP specification in 1998, now an architect on Microsoft's next generation Indigo platform recently responded to James Gosling's remarks regarding huge security holes within the .NET Common Language Runtime (CLR). Don argues that the same 'flaws' that Gosling noted in the .NET CLR exist both within the Solaris operating system as well as the JVM, both of which support execution of C and C++ code, as well as explaining why this is not necessarily a bad thing."

I don't think anyone really read what Gosling said

Are we just going to have this continuing debate in which every side is inaccurately reduced to one slashdot-blurb-sized sound bite?

Anyway, JNI doesn't need to be a security hole of the sort Mr. Box mentions; one can concieve of a Java VM which disallows unsafe JNI code from touching the memory of the bytecode-verified safe code, by partitioning JNI execution into a separate process. In fact at least one such JVM implementation exists already.

Re:JNI is an API, not a platform...

For that matter you can say that any language which uses sockets for network programming or can write a file is unsafe.

Actually, yes that is a true statement which is why the .NET CLR allows you to tweak that out and explicitly deny those rights. (By default these rights are denied for applications running on a remote store.) And, as Don Box said, the unsafe keyword is not meant for daily consumption. To paraphrase, "normal programmers never use the unsafe keyword. It's a very low level integration API."

Re:JNI is an API, not a platform...

[squiggleslash]

IIS has orders of magnitude more worms and viruses than Apache, not security holes. (If you know different, please report all these security holes to the respective developers.)

In any case, that's not why IIS is a target. IIS is a target for a number of reasons:

1. The default web server (once you installed the Option pack) on NT4 was a version of IIS that had a couple of security holes.

2. IIS is almost certainly more popular than Apache on Windows-type servers. Yes, Apache runs on it too, but there's a mentality that goes with Microsoft products. With Windows being the most "popular" (well, most installed) operating system in existance, you'd expect it to be the home for most virus writers, and virus writers aren't going to want to write for platforms they consider obscure.

3. IIS always runs on Windows which almost always has the same CPU architecture (ie ix86) and APIs. Apache can run on a variety of platforms. Exploiting, for example, buffer overflows, is relatively difficult if you don't know the architecture, or even something as simple as how you can make system calls.

4. People hate Microsoft. Most people's views of Apache and similar systems are neutral at worst. I've never met or talked to anyone who hates Apache.

5. One serious hole is enough. Both Apache and IIS have suffered these in the past and probably will do in future (well, until Gosling rewrites Apache in Java ;-)

IIS is usually used as the proof to counter the argument that marketshare matters when viruses are written. I think this is always a bogus argument: IIS's marketshare is enough (it's not like writing a virus for GNU/Linux), and IIS is tied to an operating system that is the most installed in the world. It's fair to say it's the exception that, quite literally, proves the rule.

Re:Why "managed" == "denial"

[graznar]

There is great value in a "managed" system like the Java VM. It gives us an extraordinary amount of safety that we are frankly unaccustomed to.

Which I'm guessing your misinformation leads you to believe that .NET doesn't afford?


There is also obviously no way we can do everything that way. For hot code, we work at lower levels, put in more work, and (for now) accept the additional risks. Note that the constant stream of ugly worldwide security problems is gradually but now noticeably decreasing our apetite for doing everything that way.

Right...for "hot code" .NET developers use Interop to access lower level APIs and interfaces.


As far as I can tell, by allowing unmanaged code in the runtime, .NET gives you only the worst of both worlds.
I'm not really sure why you're wailing on .NET; security is a holistic effort. Your sysadmin needs to disable access to dangerous operations; the developer needs to put in place security measures (regardless of what language); the user needs to know how to operate software.

JNI does essentially the same thing as Interop. People who have been using JNI in its originally intended context don't see this, but some people use JNI to access lower level interfaces and APIs (such as shared memory, native APIs, etc.).

Now, of course, I'm sure you'll gloat about the proverbial "sandbox" that Java offers, but you fail to realize that .NET has this also. Try running an assembly off a remote store or even run a method through a remote channel. .NET's standard security is pretty high. It respects system permissions and principals, so I'm not sure why people keep saying it's some sort of apocolyptic risk.

Unmanaged isn't any different than writing a program and using JNI to talk to it.

Neither is really a security hole....

[Jaime2]

Let's take a look at how each technology can become a security hole: By remote execution of content presumed to be in a "sandbox".

.NET: Since unmanaged code is turned off by default for remotely loaded code, it will not be run by an unexpected trip to a web page.
Java: Since JNI won't work by default under the same circumstances, the newest virus won't be injected into your system by an evil web page.

Anything else is simply an architectural choice. MS likes to preserve compatibility while allowing you to move forward as quickly as posible. Sun wants you to rewite stuff in Java (for the most part), so the new stuff is more secure, but there will be more old stuff floating around that is still unsecure because we won't yet have found time to port it.

BTW, Code Access Security in .NET is sophisticated enough to allow some apps to use unmange code, but not others, or some users, or software from a certain publisher, and a bunch of other options as well. You don't have to simply "turn on unmanaged code". They even have a simply way to allow software publishers to communicate these settings to customers instead of letting Joe Blow admin decide to simply turn off security to make it work.

In summary, both technologies allow you to blow your own foot off if you aim the gun properly and squeeze the trigger. So what -- we were allowed to do that before these technologies came along and preventing you from being able to blow your own foot off will only slow adoption and cause more feet to be blown off.

C++ support in Java vs .NET

[DrXym]

Yes Java supports C++ native calls, but look at how bloody painful it is to do it. You have to define an interface, run it through a stub compiler, implement the stubs and use helpers to marshal types back and forth between C++ and their Java equivalents. It involves lots of files and lots of fiddling about.

The consequence of this is that no-one uses JNI unless they absolutely positively have to. It's a pain and life is much easier if everything is in Java. Thus with the exception of a few esoteric things such as SWT, most libraries are pure and portable.

Now contrast this with .NET. Writing native C++ and wrapping it in a garbage collection safe class involves no stub generation and can be done in a single file - the assembly info, interface and gc wrapper can all be specified in situ. Consequently it's a lot easier to pull C++ into a .NET application. MS DevStudio 2003 even has wizards to do it. It is also a lot easier to call DLLs and ActiveX from .NET since MS provide PInvoke and COM Interop to do just that.

Now on the face of it, this is all well and good, especially if you have a lot of legacy crap to port. But by the same token it means many more .NET apps are tainted than on Java. The problems this causes for portability should be obvious.

And this is called "Microsoft having their cake and eating it". They can expound portability and present the facade that .NET is cross-platform, when in reality they provide tools and wizards to ensure it remains anything but. Apps that are infested with native instructions and OS-specific calls are by definition unportable.

Mono demonstrates the problems faced in porting .NET to other platforms. Mono must literally pull in the whole winelib in order to cope with the number of tainted .NET apps that attempt to call out to Win32. And too bad if you're running Mono on a non-x86, non-Linux system since winelib is x86 only (for now).

And I don't see the situation getting any better. Perhaps if Mono gains momentum it might put the brakes on tainted code, but there is a long way for that to happen. I believe the only way Mono is going to make an impact is if ships with a cross-platform IDE with tools that default to its open source stack. This is almost a reality since ICSharpDevelop & MonoDevelop are both fairly complete IDEs but there is nothing yet which defaults to the open source stack and runs on all major platforms.