Slashdot Mirror
Comparison of Java and .NET security
prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
Except it run on Windows.
D'OH!
Since starting in my new job, I had to switch from Java to .Net... so this is a little bit of good news. I guess....
I still miss the Eclipse IDE though... Visual Studio blows chunks in comparison. :(
Friends don't let Friends use Internet Explorer.
In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.
Text conversion of PDF document
It's not truly cross-platform so it's out of question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and port them to Linux I won't touch it with a ten foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.
Karma: Positive (probably because of superiour intellect)
C is portable, fast, very complex and since 35+ years the leading standard for professional OS and APP development.
.NET??? ...amusing.
C is so successful that C++ had to be invented to get more people into OO style C programming. C++ was designed as an syntax aid for people who lacked the skill writing OO in C by disciplined use of structs and func pointers.
C is obviously too complex for the average CS student who crouch from one alternative to the next.
Java?
Well ignoring the fact that Microsoft is mean to be 'teh evil' and looking purely at the framework that their engineers have produced I have found very little to criticize.
It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.
The Visual studio IDE however! Piece of HTML mangling non XHTM compliant &*$£
Security in Java is multi layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security. .NET has no such thing. .NET is more secure is just about the stupidest thing someone can say... Its like saying Windows is more secure than Linux since its newer than UNIX and Linux is based on UNIX.
Java has had years of full source code visibility (not open source) and had several holes plugged by the community,
Saying that
First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take in account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.
.Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.
.Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.
.Net; maybe Microsoft did it right this time, and spent they money where it matters most in the long run.
Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.
So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.
Now, question is, why are there no vulnerabilities discoveries in the
However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the
So, availability of source code might be enough to generate two or three vulnerability discoveries per year.
Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in
Im not going to read the article but the reasons stated in the summary suggests a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the ms blog is suspicious and the scientific study might actually be quite good (I wouldnt criticize it without reading it first).
.Net come with very similar security features. Both have finegrained role based security features. Id say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an oss pgp implementation recently that plugs into the default Java security api. .Net on the other hand has some nice language features like attributes. Java has null securitymanagers; .net has unmanaged code.
Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and
Javas security features are designed through the JCP process in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by SUN. Overall I trust this process more than I trust the microsoft process which when it comes to security has received a lot of criticism over the past few years.
Jilles
Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).
.Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far supperior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?
However, this study is flawed.
Jeremy Logan's Website.
.NET ... Windows ... but not all of them.
:)
price: free, You only need to have Windows 2003 Business Server for serious work
secure: rtfa in few years to make sure
portable: it runs on many systems, like Windows and
speed: well actually speedy on Windows machine
IDE: brilliant Visual Studio, unfortunatelly no plugins
Java
price: free, well it is free
secure: most likely as secure as Your application
portable: well actually, even my SonyEricsson cell runs it
speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
IDE: Eclipse and/or Netbeans ROCKS!
This reply seems biased, but well, almost every opinion will be biased.
1) ACEGI - Aspect-orientaded-programming using a dependency injection model to replace or complement JAAS for authentication and authorization in an Application server independant way. A subproject of the Spring framework:
http://acegisecurity.sourceforge.net/docbook/acegi .html/
2) XML Encryption and XML Digital Signatures. Used in Web Service security or independently.
http://xml.apache.org/security/
http://ws.apache.org/wss4j/
3) Container managed security implemented in every servlet container on the market, including tomcat.
In short, I'd like to see a comparison of the features and availablity of what people actually use in their applications, rather than an entirely fudgable comparison of reported/unreported security flaws.
"None are more hopelessly enslaved than those who falsely believe they are free. -- Goethe"
iksrazal
That's unfortunate, because .NET does not require DCOM at all.
DCOM uses RPC which means that firewalls have to allow the entire high port range
Yes, well, you can always open DCOMCNFG, switch to the protocols tab, select the TCP/IP entry and set the port range that suits you. Wow.
MS consultant all insisted this was standard and typical
An "MS consultant" told you you needed DCOM to jump over tiers with .NET and failed to tell you that you can select a port range to play nice with your firewall over the DMZ? Crap, I would have called his boss or the TAM at the regional office and have his ass fired.
consultant strongly urged not doing multi-tiered
You know what, while I don't doubt that there's someone dumb enough to recommend something like that out there, I really doubt it was an "MS consultant". Microsoft is moving away from heavy physical tier designs to avoid the wire overhead (which admittedly makes them look slightly stupid after years of telling everyone to use as many boxes as possible), but to recommend running the application and the database server on the same box is just plain retarded. MSCS (or whomever you were supposedly talking to) has some dumb people in the file and rank, but not *that* dumb.
I'm gonna have to call bullshit on your apocryphal story here, unless by "MS consultant" you mean some random dude that has an MCSD and has read "Software Fortresses" five times while moving his lips.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
The gall to put into account vulnerabilitys from Microsofts own JWM in a comparison to Microsofts .Net is astonoshing. What a way to belittle your competitor, make crappy implementation of their product and call them unsecure.
I lack words.
HTTP/1.1 400
Wow, look at their nice graph will you. Their first graph shows 'vunerabilities found' in Java VM's... nothing mentioned about patches... and 0 in .net...
.NET's design is fundamentally more secure than Java's
.Net.
.NET platform's apparent lack of security vulnerabilities. .NET is a less desirable platform for attackers to compromise than Java so it has .NET .NET, the .NET platform presents an attractive target.
.net runs on 15% of that figure.
Now look at this: In this paper we explore the more optimistic hypothesis that
So they have a bent from the start to discredit Java. Onto my point:
Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VM's, all of which are bunged in here. These 'vunerabilities' are not even reflections on the fundemental paradigm of the Java security model.
This article is FUD, and bad FUD to counter Goslings stand against the 'untrusted code' model of the
No, quoting JNI is not relevant in that argument because JNI still works within the seucrity model, yet it allows native code to be interfaced with, that is a seperate issue, and akin to making a network call, and running code on another server.
They then mark up 9 security vunerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).
There are many possible explanations for the
One possibility is that
not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the
framework is now provided as a Windows update. Since Windows has over 90% of the desktop market
with a large number of machines using
Well, yes, windows runs on 90% of desktops, I would say
From the available information, the one implementation that did have many of its own
unique vulnerabilities was Microsoft's Java implementation,
They even try and discredit sources that go against their ideas. 'from the available information' or is the a way of saying 'this might be worse than we imply'.
I didn't want to dig deeper, I found the single statement copied into a marketting guys website (fuck the word blog) rather twatish of the guy.
This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propoganda into the media].
pteeesh.
To confirm you're not a script,
please type the word in this image: binomial
random letters - if you are visually impaired, please email us at pater@slashdot.org
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
This is news? ONJava did a detailed, four-part analysis of .Net and Java security a year or so ago:
Microsoft did an excellet job with .NET. While we all like to make fun of Ballmer jumping up and down and saying "Developers...", Microsoft actually means it.
Their tools, concepts, and design are *way* ahead of, say Xcode and Objective-C. It's painful for me when I have to do Mac development because everything's so backward.
I would love it if other companies starting implementing C#/.NET/CLR products based on the ECMA standard (unlike Java, C#/.NET has been accepted by a neutral standards committee)...this would prevent Microsoft from changing the language drastically from release to release.
Best Buy can have you arrested
The study authors say "Since a security policy cannot be enforced on unmanaged code, we only consider managed code." Given that most C# applications use unmanaged code, they are potentially vulnerable to buffer overflow attacks and the like.
C# has been criticised repeatdely in the security community for this feature. Java always runs in safe or managed mode and is therefore more secure than C#.
For more on what unsafe code means see http://msdn.microsoft.com/library/default.asp?url= /library/en-us/dncscol/html/Csharp10182001.asp
That the authors of the paper make conclusions about C# security, while deliberatley excluding a gaping hole, and the papers appearance on an MS site leads me to the belief that the paper was probably sponsored by MS and they directed the study authors to exclude unmanaged code from the scope.
Bill Caelli, one of the world's leading security experts, humiliated a Microsoft representative over unsafe code and stated that "Microsoft had missed an historic opporunity to improve security in their products".
There are at least 9 security flaws in .NET. The paper conveniently dismisses them all as not being part of the framework even though Microsoft classifies them as such on their Knowledge Base. This is only to justify their pretty little chart in the introduction showing that .NET has zero security flaws.
If .NET has zero security flaws... nevermind. The paper is deception.
With all due respect for the author(s), I have the following questions:
Why the mis-leading chart so early in the paper? I believe a table may have been more appropriate.
Why not have more peer-reviewed references? I see plenty of references from MSDN, and some from some conferences. But it looks like most of the arguments are being supported by non-peer reviewed sources.
Why are there a SMALL number of peer-reviewed articles directly related to JAVA?
Why are the peer-reviewed articles on JAVA so old? And most likely no longer relevant?
What is the deployment history of .NET vs. Java? Market share? Security incidents (in the wild)?
Why the microscopic view of JAVA's flaws and the lack of depth in .NET?
Why isn't the dangers of native code discussed (.NET or JNI)?
I do however like the information in Table 3... but what practical advantages do the "finer grained" security functions provided by .NET give the programmer or the end-user?
I think it is a decent paper that maybe was turned in for an assignment. BTW, if the author has asbestos underwear and reads slashdot. Don't forget a short biography at the end of the paper next time. This gives the paper extra creditability.
Regards, Bill
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
It is how you define your criteria as to what is "vulnerable" and what is "safe".
They would have done a LOT better in just sticking to the design of each instead of counting admitted vulnerabilities and patches.
Microsoft has been known to sit on vulnerabilities for a LONG time (http://www.eeye.com/html/research/upcoming/index
Security starts with the security model. Here is where you'll see patches to disable stuff in a flawed model. You cannot just count the patches here, but they are useful for evaluating the model itself.
Then that model has to be implemented in code. This is where you'll see bug fixes for code errors.
The last thing to look at is any application built by someone else on that platform.
And one last item to consider. Any platform is only as "secure" as the level beneath it. If
Here is where they get it wrong on Java: So, if Windows is compromised and code inserted to Java to run, then Java is at fault
Either you count it as a flaw in both, or you don't count it for either.