Comparison of Java and .NET security

prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."

Re:Difference in ages

[Three+Headed+Man]

Do you really think that age has anything to do with current vulnerabilities, or does security stem from good design, rather than patches?

.NET? Is this thing still around?

[Mensa+Babe]

It's not truly cross-platform so it's out of question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and port them to Linux I won't touch it with a ten foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.

Re:.NET? Is this thing still around?

[dotslashdot]

Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds operations and make it difficult for others to figure out just what the hell is going on. C++ sucks for that very reason when it comes to a production environment. These are only useful in useless settings like school or maybe a Mensa meeting. Have you heard of Mensa? You should join. Especially because you are so subtle and humble about it. :)

Re:.NET? Is this thing still around?

[shutdown+-p+now]

Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds operations and make it difficult for others to figure out just what the hell is going on.

Well maybe the developers should learn more about operator overloading and multiple inheritance, like, how to use them properly, instead of whining endlessly about how "C++ sucks for that very reason"? You know, start with some decent programming language like Eiffel, which was designed from grounds-up to handle both these cases very nicely. See how MI is used there, why is it used, and what it can do in skilled hands that SI+interfaces can't. Then maybe you will be able to learn to comprehend the power Lisp macros give to the programmer (I'm half-expecting someone to shout "but macros are evil because they can be abused, that's why C sucks!").

Speaking of abuse, pretty much every language can be abused to no end. Java is no exception. It won't stop you from making public fields, for example, which is generally considered a bad thing to do. Nor will it limit write access to them from outside the class (in contrast to Eiffel, where public fields are read-only from outside). The whole type system is a big mess as well (int vs Integer, anyone? and now with autoboxing?).

Re:.NET? Is this thing still around?

[Procyon101]

I've got to use the same arguement for Multiple inheritance. It absolutely great when done in a sane fashion. The occassional default implementation of an interface, or even more useful, inheriting from policy classes for decoupling are great uses of multi-inheritance. It's the OOP nightmare of deep, wide inheritance trees that leads to gouging your eyes out insanity and prayers for single inheritance, just like seeing an overloaded comma and tertiary is likely to make you swear off operator overloading. But that's a symptom of crazy programming, not a crazy language construct.

They looked at Java and improved it!

[vdex42]

Well ignoring the fact that Microsoft is mean to be 'teh evil' and looking purely at the framework that their engineers have produced I have found very little to criticize.

It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.

The Visual studio IDE however! Piece of HTML mangling non XHTM compliant &*$£

Re:Difference in ages

[kbw]

Performance over time is a measure of success. And so .NET's performance over 9 years would be a fair comparison.

Over the years I've seen many remarkable architectural designs, including the Windows NT Security Model (back when NT meant New Technology), which were thought to be ideal. 11 years on, no one could seriously claim that the Windows security model is ideal.

Source code access

[boa13]

First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take in account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.

Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.

So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.

Now, question is, why are there no vulnerabilities discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.

However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.

So, availability of source code might be enough to generate two or three vulnerability discoveries per year.

Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent they money where it matters most in the long run.

hardly objective

[jilles]

Im not going to read the article but the reasons stated in the summary suggests a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the ms blog is suspicious and the scientific study might actually be quite good (I wouldnt criticize it without reading it first).

Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and .Net come with very similar security features. Both have finegrained role based security features. Id say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an oss pgp implementation recently that plugs into the default Java security api. .Net on the other hand has some nice language features like attributes. Java has null securitymanagers; .net has unmanaged code.

Javas security features are designed through the JCP process in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by SUN. Overall I trust this process more than I trust the microsoft process which when it comes to security has received a lot of criticism over the past few years.

blah... flawed logic

[JeremyALogan]

Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).

However, this study is flawed. .Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far supperior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?

Re:blah... flawed logic

[iapetus]

Why is it wrong to compare them as pure equals? Speaking as someone wanting to implement a solution today, using today's technology, I want to know which one is better for my needs now. I'm not going to say "Well, Java sucks, but for the time it was great, so I'll use that instead of something that meets my requirements right now."

Re:blah... flawed logic

[boa13]

I want to know which one is better for my needs now.

And this is why the comparison is wrong. It does not compare them "now", it compares them "overall". Do you care about ten-years-old flaws that were quickly fixed and have not bothered anyone since then? I think not. Do you care about flaws in a special vendor version that no sane person uses now? I think not. Would you be interested in knowing that the above-mentioned flaws were created by the very vendor the proprietary technology of whom you are trying to evaluate? I think you should.

What should interest you is how many security issues are found per year. The article lets you learn that (even though it doesn't explicitly do the math for you). What should also interest you is how the Java community and Sun reacted to the flaws, how fast and how well they were fixed. The article is tight-lipped about that.

Actually, since no flaws have been found for .Net, there is no way to know how Microsoft will react in such a case. Past reactions should at the very least have you worried.

(And actually, there have been flaws, but the authors of the study chose to ignore them, see appendix A for why. Unfortunately, there's no appendix B for how they chose the Java flaws.)

Heh!

[miffo.swe]

The gall to put into account vulnerabilitys from Microsofts own JWM in a comparison to Microsofts .Net is astonoshing. What a way to belittle your competitor, make crappy implementation of their product and call them unsecure.

I lack words.