.NET Security: Lessons Learned and Missed from Java
Nathanael Paul and David Evans
20th Annual Computer Security Applications Conference (ACSAC)
December 6-10, 2004.
Many systems execute untrusted programs in virtual machines (VMs) to
limit their access to system resources. Sun introduced the Java VM in
1995, primarily intended as a lightweight platform for execution of
untrusted code inside web pages. More recently, Microsoft developed the
.NET platform with similar goals. Both platforms share many design and
implementation properties, but there are key differences between Java
and .NET that have an impact on their security. This paper examines how
.NET's design avoids vulnerabilities and limitations discovered in Java
and discusses lessons learned (and missed) from Java's experience with
Keywords: Java, .NET, security, virtual machine security, policy.
Complete Paper (10 pages)