Slashdot Mirror


Comparison of Java and .NET security

prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
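The two legacy properties the quoted summary names, a null SecurityManager and full trust for bootclasspath classes, can be observed directly from Java code. This is an added example written for this page, not code from the UVA paper or the MSDN post, and it assumes a stock JDK started with no security-related command-line flags:

```java
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Added example (not from the paper or the thread): reports whether the Java
// sandbox is active at all, and how much trust the JVM gives a given class.
public final class TrustCheck {

    // True only when a SecurityManager is installed. With none (the default
    // for a plain "java" launch) no permission check is ever performed.
    public static boolean sandboxActive() {
        return System.getSecurityManager() != null;
    }

    // Classes defined by the bootstrap loader report a null ClassLoader and a
    // ProtectionDomain that implies AllPermission regardless of any policy file.
    public static boolean fullyTrusted(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        return c.getClassLoader() == null && pd.implies(new AllPermission());
    }

    // An application class carries a CodeSource (its jar or directory), which
    // is what a policy grant can be written against; bootstrap classes carry none.
    public static String codeSourceOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? "<bootstrap, no CodeSource>" : String.valueOf(cs.getLocation());
    }

    public static void main(String[] args) {
        System.out.println("SecurityManager installed: " + sandboxActive());
        System.out.println("java.lang.String fully trusted: " + fullyTrusted(String.class)
                + " from " + codeSourceOf(String.class));
        System.out.println("TrustCheck fully trusted: " + fullyTrusted(TrustCheck.class)
                + " from " + codeSourceOf(TrustCheck.class));
    }
}
```

On a default launch the first line prints false, which is the point the summary makes: the bootstrap-trust distinction only matters once a SecurityManager is installed, and nothing installs one unless the application or launcher asks for it.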

26 of 461 comments

  1. Had to switch from Java to .NET by TheShadowHawk · · Score: 3, Interesting

    Since starting in my new job, I had to switch from Java to .Net... so this is a little bit of good news. I guess....

    I still miss the Eclipse IDE though... Visual Studio blows chunks in comparison. :(

    --
    Friends don't let Friends use Internet Explorer.
    1. Re:Had to switch from Java to .NET by ars+matica · · Score: 2, Interesting

      Yes, and present to me how many VS users you know that have made a conscious switch to Eclipse?

    2. Re:Had to switch from Java to .NET by IWorkForMorons · · Score: 4, Interesting

      He doesn't know me...but I'm one...

      I have quite a number of years experience with VS6, more specifically VB6. Recently I started a job that, while not a programming role, allows me the time and flexibility to create programs to do my job how I want to code them. At first, since this an MS shop, I grabbed the .NET "Learning Edition" or whatever they're calling it nowadays. I understood that I wouldn't be able to create executables, but I could send my code to systems and get them to do it. After using the IDE for a couple of days, I found it so convoluted that I just gave up. Then I downloaded Eclipse with the Visual Class editor. Nice, simple, and it reminds me of the VB6 IDE. Only cleaner. Now I will say that I've had some problems with the Visual Class editor not rendering properly, but that hasn't stopped me from coding. In 2 weeks of coding on and off, I've created my first program and have been using it to do my job. Granted, it's not complex. Just does a database search and grabs data. But I still prefer the Ecplise IDE, even without the Visual Class editor working properly, over the VS.NET IDE. And I don't need to jump through MS' hoops just to get an executable. I'm distributing the program to the rest of the team next week after the boss tests it, and other departments are getting interested in it too. And with any luck, I'll get out of this support position and into a nice well-paid programming job at the same time.

    3. Re:Had to switch from Java to .NET by zootm · · Score: 2, Interesting

      As a contrary opinion, I've used both and found them both good in different areas. And I've certainly not found any difference in reliance on "Wizards" between the two packages.

      I've found that, in general, VS.NET is a little better integrated with its languages, whereas Eclipse has far superior refactoring support and integration with build processes (as you mention). 2005 is going some way to fixing this.

      They're both fantastic IDEs though. I'd recommend either (although the only C# plugin I've found for Eclipse is very, very basic so far, which is a real shame).

  2. Difference in ages by Anonymous Coward · · Score: 4, Interesting

    In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.

    1. Re:Difference in ages by eCecuguru · · Score: 2, Interesting

      I agree with you, but also think the anoncow is right. The chart is misleading, indicating that java has oh so many cumulative holes. If we looked at Apache like that, it would be less secure than IIS. Also, was this strictly applets? Or was it all things ever written in Java? That's a lot of variations, platforms, etc, which although the fact that a java app will run differently on my mac versus my windows box is itself potentially insecure, the fact that it has that capability beats the current functionality of .net. Which, IMO, brings this down to, the more functionality, the less secure it's going to be. Java has more functionality, it's inevitable it will be less secure.

    2. Re:Difference in ages by boa13 · · Score: 5, Interesting

      "That's a lot of variations, platforms, etc,"

      Actually, 10 of the 45 vulnerabilities that the authors chose to use in the chart were (or are?) in Microsoft JVM.

      I think including them in the chart is misleading at best.

  3. Totally bogus by Anonymous Coward · · Score: 4, Interesting

    Security in Java is multi layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security.
    Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
    Saying that .NET is more secure is just about the stupidest thing someone can say... It's like saying Windows is more secure than Linux since it's newer than UNIX and Linux is based on UNIX.

  4. Age vs Usage by ErrorBase · · Score: 2, Interesting

    I've seen the cross-platform remarks already, but no one asked the question yet about how widespread implementations are. I currently see much more .Net implementations in Intranet environments, and java when the client is less known. My guess is that those more local implementations are much less scrutinized, as opposed to the much more open and directly accessible implementations in java.

  5. Re:hardly objective by leakingmemory · · Score: 2, Interesting

    "The most widely publicized security issue in .NET was W32.Donut, a virus that took control of the executable before the .NET runtime had control. Since the vulnerability occurs before the .NET runtime takes control, we consider this a problem with the way the operating system transfers control to .NET, not with the .NET platform"

    Isn't the whole point with a VM that the executable will never be directly exposed to system resources? Why doesn't the same thing happen to JVM? As far as I can see, this reveals that the .NET system is having issues controlling its applications, which to me is a major security flaw.

  6. Re:.NET? Is this thing still around? by Anonymous Coward · · Score: 1, Interesting

    "Operator overloading, multiple inheritance? Are you crazy?"

    Operator overloading is great, as long as it is done in a sane fashion. If you define a class that can be added and subtracted, it helps greatly to be able to use '+' and '-' to do so. Multiple inheritance, otoh, is indeed a can of worms.

    "C++ sucks for that very reason when it comes to a production environment"

    I guess that accounts for why it never was a commercial success ;)

  7. Yeay! Security plus portability minus cost... by freeplatypus · · Score: 5, Interesting

    .NET
    price: free, you only need to have Windows 2003 Business Server for serious work
    secure: rtfa in few years to make sure
    portable: it runs on many systems, like Windows and ... Windows ... but not all of them.
    speed: well actually speedy on Windows machine
    IDE: brilliant Visual Studio, unfortunately no plugins

    Java
    price: free, well it is free
    secure: most likely as secure as your application
    portable: well actually, even my SonyEricsson cell runs it :)
    speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
    IDE: Eclipse and/or Netbeans ROCKS!

    This reply seems biased, but well, almost every opinion will be biased.

  8. NASA World Wind uses .NET by Anonymous Coward · · Score: 2, Interesting

    As a side note NASA World Wind uses .NET:

    http://worldwind.arc.nasa.gov/

    It's similar to Google Earth, except that it's 180MB and once you download it, it tells you you need to upgrade your version of .NET, and another dialog pops up saying Direct X needs to be upgraded too. At this point, I decided not to continue. I don't fancy reading one of MS's EULAs, don't care to download one of their hulking tarballs, don't want Direct X changed in case it breaks something.

    Piece of shit Nasa, .NET is just a wrapper for Windows on the local machine, why didn't you just make native code you f**** idiots.

  9. Who needs programming language security? by Ulrich+Hobelmann · · Score: 2, Interesting

    Whatever that would be. Use an operating system that gives you memory protection, and even better: capabilities (rights to read/write files and other things), and you can run ANY program, written in ANY language, without the programs even being ABLE to do any harm.

    Oh, that would be too much of progress, wouldn't it?

  10. Re:Brr... by Anonymous Coward · · Score: 2, Interesting

    Well, I use .NET to build web apps which run on our corporate intranet. These are HR, purchasing, scheduling and budgeting apps that run a medium-sized film production company. We have a mix of clients (600+) - Linux, OSX and Windows - in roughly equal numbers that access these applications. Ironically, I picked .NET simply because we had the hardware and license resources available after consolidating a lot of W2K3 servers into a few Netapp filers. The browser we use is Firefox because it's the only one that really works in a uniform fashion across all platforms in a way you can predict and work with.

    So, my apps run on a bunch of Windows boxes behind the scenes, but ultimately using .NET has not meant lock-in to MS products, it's actually allowed us to use the best tools for the jobs in hand; .NET for the back-end code, Firefox as a browser, and any OS you need for your particular job. Has it locked us in to MS products? No.

    I'd agree with you about Mono though, it reminds me of many hair-losing moments I had a few years ago converting someone's classic ASP code to run on that Chilisoft approximation. Bits worked, bits didn't, and this is what I'd expect from Mono. YMMV though.

  11. I'm monopenxourcist on AMD64 recently, 3 against 1. by Anonymous Coward · · Score: 1, Interesting

    mono-1.1.8.3.tar.gz +
    ikvm-0.14.tar.gz +
    eclipse-JDT-SDK-3.2M1.zip

    IS BETTER AND MORE SECURE than

    jdk-6_0-ea-bin-b49-linux-amd64-25_aug_2005.bin

    ;)

    By + + + J.C. Pizarro + + + ATH OK.

  12. Re:They looked at Java and improved it! by zootm · · Score: 2, Interesting

    "Easier exception handling."

    Now, I'll grant it's easier (since you don't have to!), but in systems where reliability is a requirement the lack of checked exceptions can be a bit of a hassle, too easy to overlook and requiring good documentation (which, on the other hand, is a good thing).

    "Transparency with the whole string class/primitive issue."

    Java does have autoboxing as of 5.0, but I know that's not really what you're on about. Being able to switch on strings and so on is handy though. Their special handling of strings seems a little "non-OO", but it eases development and is mighty handy.

    "Really easy to create and catch events."

    Yes. Yes. Yes. Delegates are a fantastic construct.

  13. My take on the first 'graph' used by tod_miller · · Score: 4, Interesting

    Wow, look at their nice graph will you. Their first graph shows 'vulnerabilities found' in Java VM's... nothing mentioned about patches... and 0 in .net...

    Now look at this: "In this paper we explore the more optimistic hypothesis that .NET's design is fundamentally more secure than Java's"

    So they have a bent from the start to discredit Java. Onto my point:

    Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VM's, all of which are bunged in here. These 'vulnerabilities' are not even reflections on the fundamental paradigm of the Java security model.

    This article is FUD, and bad FUD to counter Gosling's stand against the 'untrusted code' model of the .Net.

    No, quoting JNI is not relevant in that argument because JNI still works within the security model, yet it allows native code to be interfaced with, that is a separate issue, and akin to making a network call, and running code on another server.

    They then mark up 9 security vulnerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).

    "There are many possible explanations for the .NET platform's apparent lack of security vulnerabilities. One possibility is that .NET is a less desirable platform for attackers to compromise than Java so it has not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the .NET framework is now provided as a Windows update. Since Windows has over 90% of the desktop market with a large number of machines using .NET, the .NET platform presents an attractive target."


    Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.

    "From the available information, the one implementation that did have many of its own unique vulnerabilities was Microsoft's Java implementation,"


    They even try and discredit sources that go against their ideas. 'from the available information' or is that a way of saying 'this might be worse than we imply'.

    I didn't want to dig deeper, I found the single statement copied into a marketing guy's website (fuck the word blog) rather twatish of the guy.

    This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propaganda into the media].

    pteeesh.


    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  14. Re:Brr... by rjshields · · Score: 2, Interesting

    "In what way? In the way that for some bizarre reason I can't port to another platform in the future if I want to?"
    Take the code and try to compile and run it on Linux. Go on.
    "In the way that they are telling me what I can and can't do in the future?"
    I'm merely stating the obvious that seems to have escaped your attention.
    "I think you may be confusing lock-in with making a choice."
    I don't think so.
    "In that way, whatever platform and development language I choose, I will always be 'locked in' according to people who use other products."
    No you won't.
    "It's a stupid point to make."
    No it's not.
    "I don't do what I do based on fitting the problem around the solution, I find a solution for a problem."
    This is revolutionary.
    ".NET fits in with what I need to do infinitely better than any of the other languages you mention."
    Not just slightly better but infinitely better.
    "And this isn't a choice I make based on products being made by specific companies or it being open source, or the cool geek technology buzzword of the month. Ultimately, it's not a choice I make by being a blinkered techie that has no understanding of the peripheral business aspects."
    Bully for you. I bet you're really proud of yourself.
    "Incidentally, I'd compare .NET to J2EE, rather than Java"
    As I suspect you're not interested in comparing anything but in making statements like ".NET is infinitely better", which makes you look like a complete fool, incidentally.
    "and maybe point you towards Python for .NET and Perl .NET, both of which allow you to write in both languages for the .NET CLR."
    Why the fuck would I want to run Python or Perl under the CLR? I have no desire to be locked in like you, thanks very much.
    --
    In this world nothing is certain but death, taxes and flawed car analogies.
  15. Re:wow, i expect linux-touting crap when i open /. by Baggio · · Score: 2, Interesting

    I couldn't agree more. And I've been around long enough to know, look at my user ID.

    Why is it when you have an unpopular viewpoint, you're considered a troll. Granted the opinion expressed didn't apply to the article directly, so it might be better modded as "off-topic", but it isn't as if there will be a /. article posted about how much it has been going down hill.

    How else is one going to express their viewpoint? /. seriously needs to return to the site of "Stuff that matters." Instead there are 20 articles posted a day and only a few of them are actually worthy of posting. Maybe there should be a recycling bin page you can go to which has all the drivel, leaving just the good stuff on the front... like a newspaper -- the crap should be shuffled to page 2 or more.

    --
    Time flies like an arrow;
    Fruit flies like a banana
  16. I'm glad the word is getting out by callipygian-showsyst · · Score: 3, Interesting

    "saying that due to careful design process, .NET presents security advantages over Java platform in several areas"

    Microsoft did an excellent job with .NET. While we all like to make fun of Ballmer jumping up and down and saying "Developers...", Microsoft actually means it.

    Their tools, concepts, and design are *way* ahead of, say Xcode and Objective-C. It's painful for me when I have to do Mac development because everything's so backward.

    I would love it if other companies started implementing C#/.NET/CLR products based on the ECMA standard (unlike Java, C#/.NET has been accepted by a neutral standards committee)...this would prevent Microsoft from changing the language drastically from release to release.

  17. Re:Except... it ONLY runs on Windows by NatteringNabob · · Score: 2, Interesting

    Java runs on Solaris/SPARC, Solaris/X86, Windows, MacOS, and Linux. As soon as Microsoft starts supplying .NET for those platforms, on similar terms to what Sun offers, then I'll consider using it. In addition, a GPL compatible RFND patent license for every 'invention' required to implement .NET and the framework would give them a step up on Java. Until then, I'll pass, thanks anyway.

  18. not an IDE fan, but... by namekuseijin · · Score: 2, Interesting

    ... i see you never used Borland Delphi.

    Having used many development tools like Emacs, VIM, SciTE, kate, Eclipse, Visual Studio.Net and Delphi, I gotta say Delphi is the best IDE I've used hands down.

    Simplicity and high productivity is the key here.

    You don't have tons of floating dialogues, icons, buttons and drop-downs polluting your interface for no other reason than to show off and make you feel like your investment was well worth it.

    No, just the right form designer, object inspector and class hierarchies, along with the project manager. Less bloat and complexity, more productivity...

    KISS.

    --
    I don't feel like it...
  19. should the language force security? by jonathanduty · · Score: 2, Interesting

    I'm not sure a language forcing security is a good thing. It seems to me writing secure systems is really the responsibility of the development team. Especially since different situations call for different security levels and methodologies.

  20. I hate to play the credibility card, but... by Bill_the_Engineer · · Score: 3, Interesting

    This paper is a paper from a Grad Student, with an endorsement from Dr. David Evans. These papers (despite what the author may think) are not definitive and MUST be contrasted with other papers on the subject.

    With all due respect for the author(s), I have the following questions:

    Why the misleading chart so early in the paper? I believe a table may have been more appropriate.

    Why not have more peer-reviewed references? I see plenty of references from MSDN, and some from some conferences. But it looks like most of the arguments are being supported by non-peer reviewed sources.

    Why is there a SMALL number of peer-reviewed articles directly related to JAVA?

    Why are the peer-reviewed articles on JAVA so old? And most likely no longer relevant?

    What is the deployment history of .NET vs. Java? Market share? Security incidents (in the wild)?

    Why the microscopic view of JAVA's flaws and the lack of depth in .NET?

    Why aren't the dangers of native code discussed (.NET or JNI)?

    I do however like the information in Table 3... but what practical advantages do the "finer grained" security functions provided by .NET give the programmer or the end-user?

    I think it is a decent paper that maybe was turned in for an assignment. BTW, if the author has asbestos underwear and reads slashdot: don't forget a short biography at the end of the paper next time. This gives the paper extra credibility.

    Regards, Bill

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  21. Re:In addition by doc+modulo · · Score: 2, Interesting

    Java is mined with software patents. The core of .NET was submitted to an international standards body which won't let any submissions be encumbered by non-freedom-adjusted patents. It would make the standards body irrelevant.

    In other words, Sun could pull the plug on an open-source rival version of Java in the US and Japan if it becomes the dominant programming platform. Microsoft won't be able to pull the patent card on the freedom versions of .NET.

    Sun better shape up, they're losing, it's only guys like you that haven't caught on to the trap/mine that's keeping Java on the marketing/hype list #1

    In my humble opinion.

    --
    - -- Truth addict for life.