.NET and Java security

Someone recently forwarded me an interesting paper from the Annual Computer Security Applications Conference that compares the CLR security model with Java’s… I thought it was an interesting read so I thought I’d share it with you.

.NET Security: Lessons Learned and Missed from Java

Nathanael Paul David Evans

University of Virginia

Department of Computer Science

PS – Because I am sitting in a security training class right now that Michael Howard, I thought I’d plug is blog on the issue What about .NET vs Java Security?

Comments

• Anonymous
  December 14, 2004
  What a poor paper.
  
  My favourite: ".NET [combines some opcodes into one and thus] has more instruction opcodes available ... enabling applications to ... avoid security vulnerabilities"
  
  Also "It is too soon to judge whether the performance advantages of supporting tail outweigh the additional security risks associated with the added complexity." Maybe it is too soon to write this paper at all? Let Click-Once-Deployment become popular and have people attack it. Then we may know.
  
  The authors realize that "The GAC acts as a trusted repository, similar to the bootclasspath in that an assembly within the GAC will be fully trusted ... If an attacker can modify an assembly in the GAC, then the attacker may have full control of the machine." Nevertheless "the absolute trust of classes on the [JVM's] bootclasspath" is counted as a legacy security risk of Java. Doh. Anyone who is able to modify parts of the runtime on the local machine can break it.
  
  I have to say, I'm way more versatile on the Java platform and I count that as a plus for .NET: I'm often willing to believe that MSFT has done things better (the green grass, you know). I just didn't learn about them in this paper.