Comparing Java and .NET security: Lessons Learned and Missed

Nathanael Paul and David Evans
Computers & Security, Volume 25, Issue 5

Abstract

Many systems execute untrusted programs in virtual machines (VMs) to mediate their access to system resources. Sun introduced the Java VM in 1995, primarily intended as a lightweight platform for executing untrusted code inside web pages. More recently, Microsoft developed the .NET platform with similar goals. Both platforms share many design and implementation properties, but there are key differences between Java and .NET that have an impact on their security. This paper examines how .NET's design avoids vulnerabilities and limitations discovered in Java and discusses lessons learned (and missed) from experience with Java security.

Keywords: Virtual machine security, Java security, .NET security, Security design principles, Bytecode verifier, Malicious code, Code safety

Paper

Full paper (13 pages): [PDF] [HTML]

Related Paper

This paper is an extended version of our ACSAC 2004 paper:
Nathanael Paul and David Evans. .NET Security: Lessons Learned and Missed from Java . Twentieth Annual Computer Security Applications Conference (ACSAC 2004). December 6-10, 2004, Tucson, Arizona. (PDF, 10 pages)

David Evans
University of Virginia
Department of Computer Science
 evans@virginia.edu