Java Vs Dot Net Security


30 Jul 2012 (4 years and 8 months ago)


Java Vs .Net

Presented By,

Naveen Kumar Ratkal

Outline


CLR VS JVM


Java Byte Code and MSIL


Comparing the stacks


Major security vulnerabilities reported


Java Authentication and Authorization service (JAAS)


Class file and Cs file


Security features Comparison


Java or .Net

JVM vs. CLR

JVM designed for platform independence

Single language: Java (?)

A separate JVM for each OS & device

CLR designed for language independence

Multiple languages for development

C++, VB, C#, (J#)

APL, COBOL, Eiffel, Forth, Fortran, Haskell, SML, Mercury, Mondrian, Oberon, Pascal, Perl, Python, RPG, Scheme, SmallScript,

Impressive usage of formal methods and programming language research during development

Underlying OS: Windows (?)


CLR vs JVM



[Diagram: two layered stacks, listed top to bottom]

.Net: C#, VB, Managed C/C++, lots of other languages; MSIL; CLR (Security, Runtime Services); Windows OS

Java: Java; Byte Codes; JRE (JVM) (Security, Runtime Services); Mac, Unix, Linux, Win

Both are ‘middle layers’ between an intermediate language & the underlying OS

Java Byte Code and MSIL


Java byte code (or JVML) is the low-level language of the JVM.

MSIL (or CIL or IL) is the low-level language of the .NET Common Language Runtime (CLR).

Superficially, the two languages look very similar.

JVML:

    iload 1
    iload 2
    iadd
    istore 3

MSIL:

    ldloc.1
    ldloc.2
    add
    stloc.3


Comparing the stacks

[Diagram: the .Net and Java stacks side by side]

.Net stack: VB, C++, C#, Perl, Python; Visual Studio.net; ASP.Net, ADO.NET, Base Class Library, CLR; MSMQ, COM+, IIS, WMI, AD, ADAM, Indexing, UDDI, etc.; Win32

Java stack: Java; BEA Weblogic, WebSphere Studio, Eclipse; Struts, JSP, Servlets, JDBC, J2EE Class Library, Java runtime; J2EE App Servers (Websphere, Weblogic, Tomcat, etc.), Apache, JMS; Win32, Unix, Linux

Major security vulnerabilities reported


One of the bugs, CVE-2000-1061: execute arbitrary commands via a malicious web page or email

Java Authentication and Authorization service (JAAS)

To verify that a user is a subject and grant the user certain principals; "who you are."

The JAAS authentication component provides the ability to check who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet.

Class file and Cs file



With almost every form, we write a cs file which handles the events.

.class files do the same thing in a Java web application; they are placed in the WEB-INF classes folder.

Security features Comparison

Cryptography

    .Net: Good. Heavily relies on Windows.
    Java: Good. All providers are to be signed by the CA; architecture dedicated to the US law.

Secure Communication

    .Net: Fair. Platform. No support besides IIS, some samples available.
    Java: Very Good. JSSE as a standard component of JDK.

Web Services

    .Net: Up to date support of WSA.
    Java: Only supported by external vendors.


Choosing between Java and .Net

The ultimate choice usually depends not on technical superiority, but on:

Cultural/"religious"/political preferences

Skill set of your developers

Customer preference

Vendor relations


