

Comparing Java and .NET Security

It's been a while since I last saw a comparison of Java and .NET security. Nathaneal Paul and David Evans from the University of Virginia Computer Science Department recently finished their comparison, Comparing Java and .NET Security: Lessons Learned and Missed.

In their paper, Nathaneal and David take a bottom-up approach to examining the security models of each platform.  They start with the opcodes that make up the instruction set of each virtual machine, examining them both from an instruction set design perspective and from a verification perspective.  They use the SSCLI (the Shared Source CLI) to compare verifier implementations between the CLR and Java.  From there, they look at the way each platform allows for policy creation and the permissions that each uses.  The paper ends with an examination of how each platform uses its policy system, from bootstrapping to modifying the stack walk.
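To make the last point concrete, here is an added illustration of what "modifying the stack walk" means on the CLR side. This is not code from the paper or from this post; it assumes the .NET Framework Code Access Security (CAS) model of the 2.0 era, where Demand, PermitOnly and Assert all take effect (CAS is not enforced on .NET Core or .NET 5+), and the file path is a constructed example that is never actually opened.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Added illustration of the CLR stack walk; not code from the paper or the post.
// Assumes .NET Framework with Code Access Security in effect (2.0-era model).
// CAS is not enforced on .NET Core / .NET 5+.
class StackWalkDemo
{
    // The path is a constructed example; nothing is actually opened.
    static readonly FileIOPermission ReadData =
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\temp\data.txt");

    // Demand walks every caller frame above this one. The walk fails with a
    // SecurityException if any frame lacks the permission or has restricted it.
    static bool TryCheckedRead()
    {
        try
        {
            ReadData.Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // PermitOnly marks this frame so that only the named permission is visible
    // to Demands passing through it. The FileIOPermission Demand therefore fails
    // here even though every frame on the stack is fully trusted.
    static bool CallerThatRestricts()
    {
        new SecurityPermission(SecurityPermissionFlag.Execution).PermitOnly();
        try { return TryCheckedRead(); }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    // Assert stops the walk at this frame with success, so callers above it are
    // never inspected. This is the operation a policy reviewer looks for: the
    // asserting assembly vouches for everything that calls it. Java's analogue
    // is AccessController.doPrivileged.
    static bool CallerThatAsserts()
    {
        ReadData.Assert();
        try { return TryCheckedRead(); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    static void Main()
    {
        Console.WriteLine("plain Demand:     " + TryCheckedRead());
        Console.WriteLine("under PermitOnly: " + CallerThatRestricts());
        Console.WriteLine("under Assert:     " + CallerThatAsserts());
    }
}
```

Run from a fully trusted application, the plain Demand succeeds, the Demand made under PermitOnly fails because the walk reaches a frame that only permits execution, and the Demand made under Assert succeeds because the walk stops at the asserting frame without looking further up. The reverts in the finally blocks matter: a stack-walk modifier that outlives its method silently changes the policy seen by every later Demand on that thread.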

At the beginning of the paper, Nathaneal and David compare the number of reported major security vulnerabilities in the Java VM and the CLR since each had its official 1.0 release (January 1996 and January 2002 respectively).  Their data makes for an interesting graph, presented in their paper as Figure 1:

[Figure 1: Java vs CLR major security vulnerabilities]

Comments

  • Anonymous
    August 17, 2005
    In the real world, Java security matters most for applets in a browser or "sandboxed" applications, e.g. when I don't want a website trashing my hard drive.

    Please explain when security matters for .NET. This is something that has always eluded me. The standard Windows application model is to download and run code without any security restrictions, so why do I care if an application I downloaded in .NET runs in a sandbox? The time it matters is when websites start embedding .NET applets. I've never seen one other than sample code.

  • Anonymous
    August 17, 2005
    This would mean more if .NET had not, in fact, benefited from Java. If .NET had come first, how would it be then?
  • Anonymous
    August 17, 2005
    In the real world, security is not limited to web pages or applets. Web applications are only a very small portion. Anyway, Java applets never gained ground at all in any non-trivial, non-demo applications.

    It does not matter who comes first, Java or .NET. When Java arrived, it also LIFTED the best concepts available then. And it is no wonder that any new language/platform that comes up will be better than the current one.
  • Anonymous
    August 17, 2005
    TO Mr. CONFUSED:
    So you claim it's OK that Java has vulnerabilities because it runs in the sandbox (thus it's justified), while it's not OK that .NET has no vulnerabilities because it doesn't run in the sandbox? Am I right?
  • Anonymous
    August 18, 2005
    Here is an interesting report, coming from the academic world, that carries out an analysis of security...
  • Anonymous
    August 18, 2005
    That means the CLR is safer than the JVM, doesn't it?
  • Anonymous
    August 22, 2005
    1) Graphing any comparison of zero vs anything greater than zero is bad.

    2) Using the cumulative bugs makes it look worse because visually you see an ever increasing (getting worse) graph. Bugs per year would be better, broken down by area, or severity would be nice too.

    3) A comparison plot of how many machines were running each VM at the time, how many applications, etc. would be a good reference. Does .NET have no security violations because it's rock solid or because no one cares yet?

    I haven't read the rest of the article yet, but it does not appear that the authors are being that objective about their hypothesis.