[ISN] Huge security hole in .NET: Java creator

InfoSec News isn at c4i.org
Fri Feb 4 05:45:26 EST 2005


By Renai LeMay
ZDNet Australia 
04 February 2005 

Java creator James Gosling this week called Microsoft's decision to
support C and C++ in the common language runtime in .NET one of the
"biggest and most offensive mistakes that they could have made".

Gosling, who is currently CTO of Sun's Developer Products group, made
the comments as part of his speech to developers at an event in Sydney
earlier this week. He further commented that by including the two
languages in Microsoft's software development platform, the company
"has left open a security hole large enough to drive many, many large
trucks through".

According to Gosling, the security hole is based upon the fact that
several features of the older languages are ambivalent with regard to
security: "C++ allowed you to do arbitrary casting, arbitrary adding
of images and pointers, and converting them back and forth between
pointers in a very, very unstructured way.

"If you look at the security model in Java and the reliability model,
and a lot of things in the exception handling, they depend really
critically on the fact that there is some integrity to the properties
of objects. So if somebody gives you an object and says 'This is an
image', then it is an image. It's not like a pointer to a stream,
where it just casts an image," said Gosling.

Microsoft developer evangelist Charles Sterling didn't entirely
disagree with Gosling's comments, but he sought to clarify the issue
with .NET's security. Sterling pointed out that .NET defines different
sorts of code. "Managed" code is code that is executed under the
control of the .NET framework. New languages such as C# and Visual
Basic.NET only produce managed code.

However, Gosling is concerned about "unsafe" code, which is produced
by traditional languages like C and C++. Unsafe code is old code that
does not strictly follow the rules of type safety that .NET defines,
and this sort of code requires additional permissions to execute.
According to Sterling, "you as a developer take it upon yourself" to
utilise unsafe code in your .NET applications.

An important point is that the so-called unsafe code does have the
potential to run faster than "managed" code due to some languages'
ability to include machine-specific features that may sacrifice
platform portability for speed. Sterling acknowledged this as he said
that the choice between the two platforms is all about risk: if
developers are willing to "accept the risk" of unsafe code then they
may gain access to "the best performance system on the planet".

Sterling also gave the debate a reality check when asked about his
personal knowledge of .NET developers actually implementing C or C++
code under a .NET framework. Of the approximately one thousand
developers that Sterling knows, he could only recall one directly
developing under the C++ code. Whether this indicates an unwillingness
on the part of developers to utilise code that is unsafe is not clear.
