Comparison of Java and .NET security

prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."

Re:Difference in ages

[Three+Headed+Man]

Do you really think that age has anything to do with current vulnerabilities, or does security stem from good design, rather than patches?

They looked at Java and improved it!

[vdex42]

Well ignoring the fact that Microsoft is mean to be 'teh evil' and looking purely at the framework that their engineers have produced I have found very little to criticize.

It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.

The Visual studio IDE however! Piece of HTML mangling non XHTM compliant &*$£

Source code access

[boa13]

First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take in account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.

Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.

So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.

Now, question is, why are there no vulnerabilities discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.

However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.

So, availability of source code might be enough to generate two or three vulnerability discoveries per year.

Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent they money where it matters most in the long run.

Re:.NET? Is this thing still around?

[dotslashdot]

Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds operations and make it difficult for others to figure out just what the hell is going on. C++ sucks for that very reason when it comes to a production environment. These are only useful in useless settings like school or maybe a Mensa meeting. Have you heard of Mensa? You should join. Especially because you are so subtle and humble about it. :)

blah... flawed logic

[JeremyALogan]

Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).

However, this study is flawed. .Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far supperior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?

Re:blah... flawed logic

[iapetus]

Why is it wrong to compare them as pure equals? Speaking as someone wanting to implement a solution today, using today's technology, I want to know which one is better for my needs now. I'm not going to say "Well, Java sucks, but for the time it was great, so I'll use that instead of something that meets my requirements right now."

Re:blah... flawed logic

[boa13]

I want to know which one is better for my needs now.

And this is why the comparison is wrong. It does not compare them "now", it compares them "overall". Do you care about ten-years-old flaws that were quickly fixed and have not bothered anyone since then? I think not. Do you care about flaws in a special vendor version that no sane person uses now? I think not. Would you be interested in knowing that the above-mentioned flaws were created by the very vendor the proprietary technology of whom you are trying to evaluate? I think you should.

What should interest you is how many security issues are found per year. The article lets you learn that (even though it doesn't explicitly do the math for you). What should also interest you is how the Java community and Sun reacted to the flaws, how fast and how well they were fixed. The article is tight-lipped about that.

Actually, since no flaws have been found for .Net, there is no way to know how Microsoft will react in such a case. Past reactions should at the very least have you worried.

(And actually, there have been flaws, but the authors of the study chose to ignore them, see appendix A for why. Unfortunately, there's no appendix B for how they chose the Java flaws.)

Heh!

[miffo.swe]

The gall to put into account vulnerabilitys from Microsofts own JWM in a comparison to Microsofts .Net is astonoshing. What a way to belittle your competitor, make crappy implementation of their product and call them unsecure.

I lack words.