Comparing Java and .NET security: Lessons learned and missed

Computers and Security

Volumn 25, Issue 5, 2006, Pages 338-350

  Paul, Nathanael ^a   Evans, David ^a  

^a University of Virginia   (United States)

Author keywords

.NET security; Bytecode verifier; Code safety; Java security; Malicious code; Security design principles; Virtual machine security

Indexed keywords

COMPUTER PROGRAMMING; JAVA PROGRAMMING LANGUAGE; VIRTUAL REALITY; WEBSITES;

.NET SECURITY; BYTECODE VERIFIER; CODE SAFETY; JAVA SECURITY; MALICIOUS CODE; SECURITY DESIGN PRINCIPLES; VIRTUAL MACHINE SECURITY;

SECURITY OF DATA;

EID: 33746687945     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2006.02.003     Document Type: Article

References (53)

1. AlephOne. Smashing the stack for fun and profit. Phrack 7 49 (November 1996)
2. Baier D. Security Bug in .NET forms authentication.
3. Clear T. Design and usability in security systems - daily life as a context of use?. ACM SIGCSE Bulletin 4 34 (December 2002)
4. Cook WR. A proposal for making Eiffel type-safe. In: Third European conference on object-oriented programming (ECOOP); July 1989.
5. Core Security Technologies Advisory. Snort TCP stream reassembly integer overflow vulnerability.
6. Dean D., Felten E.W., and Wallach D.S. Java security: from HotJava to Netscape and beyond. IEEE Symposium on Security and Privacy (May 1996)
7. Directx 9.0 SDK Update. Sound permission.
8. ECMA International. Standard ECMA-335: common language infrastructure. 2nd ed. ; December 2002.
9. Erlingsson Úlfar. The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University Department of Computer Science (Technical Report 2003-1916); 2003.
10. Evans D., and Twyman A. Policy-directed code safety. IEEE Symposium on Security and Privacy (May 1999)
11. Farkas S. List of bugs that are fixed in the .NET Framework 1.1 Service Pack 1 (SP1).
12. Freeman A., and Jones A. Programming .NET security (June 2003), O'Reilly
13. Gong L., Ellison G., and Dageforde M. Inside Java 2 platform security. 2nd ed. (June 2003), Sun Microsystems
14. Hopwood D. Java security bug (applets can load native methods). Risks Forum (March 1996)
15. LaDue M. A collection of increasingly hostile applets.
16. LaMacchia B.A., Lange S., Lyons M., Martin R., and Price K.T. NET framework security (April 2002), Addison-Wesley
17. Last Stage of Delirium Research Group. Java and virtual machine security vulnerabilities and their exploitation techniques.
18. Leroy X. Java bytecode verification: an overview. Computer aided verification vol. 2101 (2001), Springer Verlag p. 265-85
19. Lewin Mark. Email communication; January 2004.
20. Lindholm T., and Yellin F. The Java virtual machine specification. 2nd ed. (April 1999), Addison-Wesley
21. McGraw G., and Felten E.W. Securing Java (January 1999), John Wiley and Sons
22. Meier J.D., Mackman A., Dunner M., and Vasireddy S. Building secure ASP .NET applications: authentication, authorization, and secure communication.
23. Meijer E., and Gough J. Technical overview of the common language runtime.
24. Microsoft Corporation. Microsoft portable executable and common object file format specification.
25. Microsoft Corporation. Security briefs: strong names and security in the .NET framework.
26. Microsoft Corporation. Technology overview.
27. Microsoft Visual Studio. Additional security considerations in Windows forms.
28. Mitre Corporation. Common vulnerabilities and exposures (version 20040901).
29. Netscape Communications Corporation. Netscape object signing.
30. Pierce Benjamin C. Bounded quantification is undecidable. In: ACM SIGPLAN symposium on principles of programming languages (POPL); January 1992.
31. Pilipchuk D. Java vs. .NET security.
32. Pynnonen J. Vulnerabilities in Microsoft's Java implementation.
33. Saltzer Jerome, Schroeder Michael. The protection of information in computer systems. In: Fourth ACM symposium on operating system principles; October 1973 [revised version in Communications of the ACM, July 1974].
34. Stutz D., Neward T., and Shilling G. Shared source CLI essentials (March 2003), O'Reilly
35. Stutz D. The Microsoft shared source CLI implementation.
36. Sun Microsystems. JSR 202: Java Class File Specification Update, .
37. Sun Microsystems. New Java SE Mustang Feature: Type Checking Verifier, .
38. Sun Microsystems. Chronology of security-related bugs and issues (November 2002).
39. Sun Microsystems. Java 2 platform, standard edition: 1.4.2 API specification.
40. Sun Microsystems. Java 2 SDK 1.4.2 SCSL source.
41. Sun Microsystems. Java: the first 800 days.
42. Sun Microsystems. Permissions in the Java 2 SDK.
43. Sun Microsystems. Sun alert notifications.
44. Sun Microsystems. Sun security bulletins article 218.
45. Szor P. Tasting Donut.
46. The DotGNU Project. DotGNU.
47. The Mono Project. What is Mono?.
48. .NET framework developer's guide. Permissions.
49. Viega J., and McGraw G. Building secure software (September 2001), Addison-Wesley Pub. Co.
50. Walker David. A type system for expressive security policies. In: ACM SIGPLAN symposium on principles of programming languages (POPL); January 2000.
51. Wallach D., and Felten E. Understanding Java stack inspection. IEEE Symposium on Security and Privacy (May 1998)
52. Wallach Dan, Balfanz Dirk, Dean Drew, Felten Edward. Extensible security architectures for Java. In: Symposium on operating systems principles; October 1997.
53. Yellin Frank. Low level security in Java. In: Fourth international WWW conference; December 1995.