Comparison of Java and .NET security

prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."

Except...

Except it run on Windows.
D'OH!

Difference in ages

In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.

Re:Difference in ages

[Three+Headed+Man]

Do you really think that age has anything to do with current vulnerabilities, or does security stem from good design, rather than patches?

Re:Difference in ages

[boa13]

That's a lot of variations, platforms, etc,

Actually, 10 of the 45 vulnerabilities that the authors chose to use in the chart were (or are?) in Microsoft JVM.

I think including them in the chart is misleading at best.

PDF text

Text conversion of PDF document

Professionals use C for everything

C is portable, fast, very complex and since 35+ years the leading standard for professional OS and APP development.

C is so successful that C++ had to be invented to get more people into OO style C programming. C++ was designed as an syntax aid for people who lacked the skill writing OO in C by disciplined use of structs and func pointers.

C is obviously too complex for the average CS student who crouch from one alternative to the next.

Java? .NET??? ...amusing.

They looked at Java and improved it!

[vdex42]

Well ignoring the fact that Microsoft is mean to be 'teh evil' and looking purely at the framework that their engineers have produced I have found very little to criticize.

It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.

The Visual studio IDE however! Piece of HTML mangling non XHTM compliant &*$£

Re:They looked at Java and improved it!

[zootm]

Net can have lots of security features as long as you can pump a string directly into win32 in half of the classes, which triggers a buffer overflow everything is null and void in this article.

You can't do that unless you're P/Invoking worse code, or running in the unsafe mode, both of which are similar to running a JNI interface with which you could do the same thing

The CLI system is sandboxed, the underlying API is hidden and — in general, unless there's a problem with the implementation of the system — its shortcomings are essentially hidden.

Totally bogus

Security in Java is multi layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security.
Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
Saying that .NET is more secure is just about the stupidest thing someone can say... Its like saying Windows is more secure than Linux since its newer than UNIX and Linux is based on UNIX.

Source code access

[boa13]

First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take in account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.

Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider that quickly-fixed flaws in a young product.

So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.

Now, question is, why are there no vulnerabilities discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.

However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.

So, availability of source code might be enough to generate two or three vulnerability discoveries per year.

Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent they money where it matters most in the long run.

Re:Source code access

[Johnno74]

Most of the source code for .Net is available here - Its called "rotor" and is Microsoft's open source implementation of .Net. It doesn't cover the complete framework, but it includes the runtime, C# compiler, and the parts of the framework that were submitted to ECMA.

Anyone is free to download, modify and distribute rotor, it compiles on OSX and BSD. I believe someone has modified it to compile and run on Linux. Unfortunately the license prohibits commercial use...

The major differences between Rotor and the full framework are a simplified garbage collector, and a simplified JIT compiler. Microsoft aren't saying how much of the framework code is shared between Rotor and the full version, but I've been told by people with access to the source that the answer is "pretty much all of it"

Re:.NET? Is this thing still around?

[dotslashdot]

Operator overloading, multiple inheritance? Are you crazy? These things ultimately make code very difficult to maintain and scale because a developer can unnecessarily overload all kinds operations and make it difficult for others to figure out just what the hell is going on. C++ sucks for that very reason when it comes to a production environment. These are only useful in useless settings like school or maybe a Mensa meeting. Have you heard of Mensa? You should join. Especially because you are so subtle and humble about it. :)

blah... flawed logic

[JeremyALogan]

Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).

However, this study is flawed. .Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far supperior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?

Re:blah... flawed logic

[iapetus]

Why is it wrong to compare them as pure equals? Speaking as someone wanting to implement a solution today, using today's technology, I want to know which one is better for my needs now. I'm not going to say "Well, Java sucks, but for the time it was great, so I'll use that instead of something that meets my requirements right now."

Re:blah... flawed logic

[boa13]

I want to know which one is better for my needs now.

And this is why the comparison is wrong. It does not compare them "now", it compares them "overall". Do you care about ten-years-old flaws that were quickly fixed and have not bothered anyone since then? I think not. Do you care about flaws in a special vendor version that no sane person uses now? I think not. Would you be interested in knowing that the above-mentioned flaws were created by the very vendor the proprietary technology of whom you are trying to evaluate? I think you should.

What should interest you is how many security issues are found per year. The article lets you learn that (even though it doesn't explicitly do the math for you). What should also interest you is how the Java community and Sun reacted to the flaws, how fast and how well they were fixed. The article is tight-lipped about that.

Actually, since no flaws have been found for .Net, there is no way to know how Microsoft will react in such a case. Past reactions should at the very least have you worried.

(And actually, there have been flaws, but the authors of the study chose to ignore them, see appendix A for why. Unfortunately, there's no appendix B for how they chose the Java flaws.)

Re:Had to switch from Java to .NET

[IWorkForMorons]

He doesn't know me...but I'm one...

I have quite a number of years experience with VS6, more specifically VB6. Recently I started a job that, while not a programming role, allows me the time and flexibility to create programs to do my job how I want to code them. At first, since this an MS shop, I grabbed the .NET "Learning Edition" or whatever they're calling it nowadays. I understood that I wouldn't be able to create executables, but I could send my code to systems and get them to do it. After using the IDE for a couple of days, I found it so convoluted that I just gave up. Then I downloaded Eclipse with the Visual Class editor. Nice, simple, and it reminds me of the VB6 IDE. Only cleaner. Now I will say that I've had some problems with the Visual Class editor not rendering properly, but that hasn't stopped me from coding. In 2 weeks of coding on and off, I've created my first program and have been using it to do my job. Granted, it's not complex. Just does a database search and grabs data. But I still prefer the Ecplise IDE, even without the Visual Class editor working properly, over the VS.NET IDE. And I don't need to jump through MS' hoops just to get an executable. I'm distributing the program to the rest of the team next week after the boss tests it, and other departments are getting interested in it too. And with any luck, I'll get out of this support position and into a nice well-paid programming job at the same time.

Yeay! Security plus portability minus cost...

[freeplatypus]

.NET
price: free, You only need to have Windows 2003 Business Server for serious work
secure: rtfa in few years to make sure
portable: it runs on many systems, like Windows and ... Windows ... but not all of them.
speed: well actually speedy on Windows machine
IDE: brilliant Visual Studio, unfortunatelly no plugins

Java
price: free, well it is free
secure: most likely as secure as Your application
portable: well actually, even my SonyEricsson cell runs it :)
speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
IDE: Eclipse and/or Netbeans ROCKS!

This reply seems biased, but well, almost every opinion will be biased.

Re:Yeay! Security plus portability minus cost...

[Richard_at_work]

Java: price: free, well it is free Sure, but not as in beer. Can I independently create my own JVM and distribute it?

Well, actually, yes you can. Theres nothing stopping you reimplimenting a JVM to the released specifications, infact Kaffe is one such reimplementation. Go get a book detailing the VM specifications and how to implement a good VM from Sun!

Open source java security projects

[iksrazal_br]

I think this article overlooks the fact that many 'free as in speech' third party security libraries and frameworks are available for java.

1) ACEGI - Aspect-orientaded-programming using a dependency injection model to replace or complement JAAS for authentication and authorization in an Application server independant way. A subproject of the Spring framework:

http://acegisecurity.sourceforge.net/docbook/acegi .html/

2) XML Encryption and XML Digital Signatures. Used in Web Service security or independently.

http://xml.apache.org/security/

http://ws.apache.org/wss4j/

3) Container managed security implemented in every servlet container on the market, including tomcat.

In short, I'd like to see a comparison of the features and availablity of what people actually use in their applications, rather than an entirely fudgable comparison of reported/unreported security flaws.

"None are more hopelessly enslaved than those who falsely believe they are free. -- Goethe"

iksrazal

Re:Just don't put .Net on a network

[dedazo]

The whole thing used DCOM

That's unfortunate, because .NET does not require DCOM at all.

DCOM uses RPC which means that firewalls have to allow the entire high port range

Yes, well, you can always open DCOMCNFG, switch to the protocols tab, select the TCP/IP entry and set the port range that suits you. Wow.

MS consultant all insisted this was standard and typical

An "MS consultant" told you you needed DCOM to jump over tiers with .NET and failed to tell you that you can select a port range to play nice with your firewall over the DMZ? Crap, I would have called his boss or the TAM at the regional office and have his ass fired.

consultant strongly urged not doing multi-tiered

You know what, while I don't doubt that there's someone dumb enough to recommend something like that out there, I really doubt it was an "MS consultant". Microsoft is moving away from heavy physical tier designs to avoid the wire overhead (which admittedly makes them look slightly stupid after years of telling everyone to use as many boxes as possible), but to recommend running the application and the database server on the same box is just plain retarded. MSCS (or whomever you were supposedly talking to) has some dumb people in the file and rank, but not *that* dumb.

I'm gonna have to call bullshit on your apocryphal story here, unless by "MS consultant" you mean some random dude that has an MCSD and has read "Software Fortresses" five times while moving his lips.

Heh!

[miffo.swe]

The gall to put into account vulnerabilitys from Microsofts own JWM in a comparison to Microsofts .Net is astonoshing. What a way to belittle your competitor, make crappy implementation of their product and call them unsecure.

I lack words.

My take on the first 'graph' used

[tod_miller]

Wow, look at their nice graph will you. Their first graph shows 'vunerabilities found' in Java VM's... nothing mentioned about patches... and 0 in .net...

Now look at this: In this paper we explore the more optimistic hypothesis that .NET's design is fundamentally more secure than Java's

So they have a bent from the start to discredit Java. Onto my point:

Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VM's, all of which are bunged in here. These 'vunerabilities' are not even reflections on the fundemental paradigm of the Java security model.

This article is FUD, and bad FUD to counter Goslings stand against the 'untrusted code' model of the .Net.

No, quoting JNI is not relevant in that argument because JNI still works within the seucrity model, yet it allows native code to be interfaced with, that is a seperate issue, and akin to making a network call, and running code on another server.

They then mark up 9 security vunerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).

There are many possible explanations for the .NET platform's apparent lack of security vulnerabilities.
One possibility is that .NET is a less desirable platform for attackers to compromise than Java so it has
not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the .NET
framework is now provided as a Windows update. Since Windows has over 90% of the desktop market
with a large number of machines using .NET, the .NET platform presents an attractive target.

Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.

From the available information, the one implementation that did have many of its own
unique vulnerabilities was Microsoft's Java implementation,

They even try and discredit sources that go against their ideas. 'from the available information' or is the a way of saying 'this might be worse than we imply'.

I didn't want to dig deeper, I found the single statement copied into a marketting guys website (fuck the word blog) rather twatish of the guy.

This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propoganda into the media].

pteeesh.

To confirm you're not a script,
please type the word in this image: binomial

random letters - if you are visually impaired, please email us at pater@slashdot.org

Re:.NET? Is this thing still around?

[rjshields]

If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing

Multiple inheritance is best avoided for clarity (multiple interface inheritance is OK). Operator overloading is rarely useful and often abused. Java is a strongly typed language and this is not going to change ("dynamical typing" doesn't mean anything by the way).

Some of these points are misinformed and you missed out the things that bug people most about Java, the lack of deterministic finalisation and direct memory control, so it looks like your intellect is not superior after all. People who really do have superior intellect do not need to boast about it, it shows through in the things they do and say.

And that is the biggest problem.

[khasim]

It isn't which is really more "vulnerable".

It is how you define your criteria as to what is "vulnerable" and what is "safe".

They would have done a LOT better in just sticking to the design of each instead of counting admitted vulnerabilities and patches.

Microsoft has been known to sit on vulnerabilities for a LONG time (http://www.eeye.com/html/research/upcoming/index. html

Security starts with the security model. Here is where you'll see patches to disable stuff in a flawed model. You cannot just count the patches here, but they are useful for evaluating the model itself.

Then that model has to be implemented in code. This is where you'll see bug fixes for code errors.

The last thing to look at is any application built by someone else on that platform.

And one last item to consider. Any platform is only as "secure" as the level beneath it. If .Net can be exploited by a vulnerability in Windows, then it can be exploited. This is particularly important because Microsoft builds both platforms.

Here is where they get it wrong on Java:

Both platforms need some way of bootstrapping to install the initial classes and loading mechanisms. Java 1.0 used a trusted file path that gave full trust to any class stored on the path. Code on the system CLASSPATH was fully trusted, so problems occurred when untrusted code could be installed on the CLASSPATH [15]. Java 2 treats code found on the CLASSPATH as any other code, but maintains backwards compatibility by using the bootclasspath to identify completely trusted code necessary to bootstrap the class loader.

So, if Windows is compromised and code inserted to Java to run, then Java is at fault ... but if Windows is compromised and code is inserted for .Net to run, then that shouldn't count because the compromise happened before .Net was running.

Either you count it as a flaw in both, or you don't count it for either.