Java Vs Dot Net Security



  1. Java Vs Dot Net Security Presented By, Naveen Kumar Ratkal

  2. Outline • CLR VS JVM • Java Byte Code and MSIL • Comparing the stacks • Major security vulnerabilities reported • Code Access Security • Policy Tool • Java Authentication and Authorization service (JAAS) • Class file and Cs file • Summary • Choosing between Java and .Net

  3. JVM vs. CLR • JVM designed for platform independence • Single language: Java (?) • A separate JVM for each OS & device • CLR designed for language independence • Multiple languages for development • C++, VB, C#, (J#) • APL, COBOL, Eiffel, Forth, Fortran, Haskell, SML, Mercury, Mondrian, Oberon, Pascal, Perl, Python, RPG, Scheme, SmallScript, … • Impressive use of formal methods and programming-language research during development • Impressive extensions for generics and support for functional languages underway • Underlying OS: Windows (?)

  4. CLR vs JVM [Layered diagram: on the .NET side C#, VB .NET, Managed C/C++ and many other languages compile to MSIL, which runs on the CLR (security, runtime services) on top of the Windows OS; on the Java side Java compiles to byte codes, which run on the JRE/JVM (security, runtime services) on top of Mac, Windows, Unix or Linux.] Both are 'middle layers' between an intermediate language and the underlying OS.

  5. Java Byte Code and MSIL • Java byte code (or JVML) is the low-level language of the JVM. • MSIL (or CIL or IL) is the low-level language of the .NET Common Language Runtime (CLR). • Superficially, the two languages look very similar: both are stack machines, and adding two locals into a third reads almost the same in each. One visible difference is that MSIL's add is typed by the operands on the evaluation stack, while JVML has a separate opcode per type (iadd, ladd, fadd, dadd).
     MSIL:            JVML:
       ldloc.1          iload 1
       ldloc.2          iload 2
       add              iadd
       stloc.3          istore 3

  6. Comparing the stacks [Side-by-side diagram. .NET stack, top to bottom: languages (VB, C++, C#, Perl, Python, …), Visual Studio .NET, ASP.NET, ADO.NET, Base Class Library, CLR, Win32 services (MSMQ, COM+, IIS, WMI, AD, ADAM, Indexing, UDDI, etc.), Win32. Java stack, top to bottom: Java, Eclipse / WebSphere Studio, Struts / JSP / Servlets, JDBC / JMS, J2EE Class Library, Java runtime, J2EE app servers (WebSphere, BEA WebLogic, Tomcat, Apache, etc.), Win32 / Unix / Linux.]

  7. Major security vulnerabilities reported • One example: CVE-2000-1061, which let an attacker execute arbitrary commands via a malicious web page or email.

  8. Code Access Security
     • In .NET the kinds of evidence are: AppDirectory, Hash, Publisher, Site, Strong Name, URL, and Zone.
     • In Java the evidence is: Codebase and Signer.
     • We shall see codebase and signer in detail.
     • .NET has extended Java's stack-walk design with the permission methods PermitOnly(), Assert(), and Deny().

  9. Contd..
     • Codebase evidence is the URL, web or local, from which the code is loaded.
     • Signer is the key that signed the code (effectively, the publisher of the code).
     • The permissions are specified in the policy file, per codebase and/or signer.
     • Sign the JAR files if the policy file grants the permission only to code signed by a given alias (signedBy).
     • The signatures are visible inside the JAR's META-INF directory: MANIFEST.MF plus a signature file (<alias>.SF) and signature block (<alias>.DSA or .RSA).

  10. Demo Process….. (Windows batch file; the == in -Djava.security.policy== makes access.policy replace the default policy rather than add to it)
     Without permissions:
       java -classpath "%EXEC_CLASSPATH%" -Djava.security.manager -Djava.security.policy=="access.policy" PermissionCheck access
       java -classpath "%EXEC_CLASSPATH%" -Djava.security.manager -Djava.security.policy=="access.policy" PermissionCheck delete
     Accessing with permissions by signer:
       jarsigner -verbose -keystore DemoPub.keystore -storepass changeit PermissionCheck.jar DemoPublisher
       java -classpath "%EXEC_CLASSPATH%" -Djava.security.manager -Djava.security.policy=="access.policy" PermissionCheck delete
       pause
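The demo of slides 8-10 as a complete, added example (not the presenter's code): the PermissionCheck class, the access.policy it runs under, and the commands that build, sign and run it. The class, JAR, keystore and alias names are the ones on slide 10; demo.txt, the policy contents and the key-generation command are constructed here. The same file is run twice: unsigned, the delete is refused; once the JAR is signed by DemoPublisher, the signer evidence matches the signedBy grant and the delete succeeds. It needs a JDK that can still enable a SecurityManager (JDK 8 through 23; deprecated with a warning from JDK 17, removed in JDK 24).

```java
// PermissionCheck.java: added example for the codebase/signer demo on slides 8-10.
// Assumes demo.txt and access.policy in the working directory and a keystore
// DemoPub.keystore holding the alias DemoPublisher (constructed for this example).
//
// access.policy: every code source may read demo.txt, only code signed by
// DemoPublisher may delete it. Run with -Djava.security.policy==access.policy;
// the double == means this file REPLACES the JDK's default policy.
//
//   keystore "DemoPub.keystore";
//   grant {
//       permission java.io.FilePermission "${user.dir}${/}demo.txt", "read";
//   };
//   grant signedBy "DemoPublisher" {
//       permission java.io.FilePermission "${user.dir}${/}demo.txt", "delete";
//   };
//
// Build, run unsigned, sign, run again:
//
//   keytool -genkeypair -alias DemoPublisher -keyalg RSA -dname "CN=DemoPublisher" -keystore DemoPub.keystore -storepass changeit -keypass changeit
//   javac PermissionCheck.java && jar cf PermissionCheck.jar PermissionCheck.class
//   echo demo > demo.txt
//   java -cp PermissionCheck.jar -Djava.security.manager -Djava.security.policy==access.policy PermissionCheck delete   # delete DENIED
//   jarsigner -keystore DemoPub.keystore -storepass changeit PermissionCheck.jar DemoPublisher
//   java -cp PermissionCheck.jar -Djava.security.manager -Djava.security.policy==access.policy PermissionCheck delete   # delete OK
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

public class PermissionCheck {
    public static void main(String[] args) throws IOException {
        String mode = args.length == 1 ? args[0] : "";
        File target = new File("demo.txt"); // created beforehand (see commands above)
        try {
            switch (mode) {
                case "access":
                    // FileReader calls SecurityManager.checkRead: needs FilePermission "read",
                    // which access.policy grants to all code, signed or not.
                    try (BufferedReader in = new BufferedReader(new FileReader(target))) {
                        System.out.println("access OK, first line: " + in.readLine());
                    }
                    break;
                case "delete":
                    // File.delete calls SecurityManager.checkDelete: needs FilePermission "delete",
                    // granted only to code whose JAR is signed by DemoPublisher.
                    System.out.println("delete " + (target.delete() ? "OK" : "failed (file missing?)"));
                    break;
                default:
                    System.out.println("usage: PermissionCheck access|delete");
            }
        } catch (SecurityException e) {
            // The permission check walked the call stack and found this class's
            // ProtectionDomain (its CodeSource: URL plus signers) without the permission.
            System.out.println(mode + " DENIED: " + e.getMessage());
        }
    }
}
```

Because the policy replaces the default one, the class gets no permissions at all beyond what access.policy grants, so avoid calls such as System.getProperty or System.exit in code run this way unless the policy grants the matching PropertyPermission or RuntimePermission. The policy's keystore entry is what lets the signedBy alias be resolved to the certificate that jarsigner put into the JAR.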

  11. Policy Tool • What is a policy tool? A GUI utility, policytool, for creating and editing Java policy files (grant entries, keystore, permissions) without hand-editing the syntax. • Uses • Freeware provided by Sun with the JDK (removed in JDK 11; policy files are edited by hand since).

  12. Java Authentication and Authorization Service (JAAS) • Authentication verifies who the user is (the Subject) and attaches Principals to that Subject: "who you are." Authorization then grants permissions based on those principals. • The JAAS authentication component provides the ability to check who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet.

  13. Login Module • The login module receives information about the user and authenticates the user, thereby verifying that he or she is a valid subject. • These login modules are identified by name in a configuration file and are then called by the LoginContext class that JAAS provides. • Most of these modules expect to be run from an application or on the command line, and thus to be able to interact with the user through the CallbackHandler the application supplies.
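The login flow of slides 12-13 as a complete, added example (not from the slides): a minimal LoginModule, the jaas.conf entry that names it, and the LoginContext call that drives it. The class name, the Demo entry, the user table and the credentials are constructed for this example; the JAAS types and the initialize/login/commit/abort/logout contract are the real API. Needs Java 9 or later (Map.of).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// DemoLoginModule.java: added example of a JAAS LoginModule driven by a LoginContext.
// The class name, the "Demo" entry, the user table and jaas.conf are all constructed.
//
// jaas.conf:
//   Demo {
//       DemoLoginModule required;
//   };
//
//   javac DemoLoginModule.java
//   java -Djava.security.auth.login.config=jaas.conf DemoLoginModule alice s3cret   # authenticated
//   java -Djava.security.auth.login.config=jaas.conf DemoLoginModule alice wrong    # LoginException
public class DemoLoginModule implements LoginModule {
    // Constructed credential table. A real module would query an identity store and
    // compare salted hashes, never plaintext.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // The Principal that commit() attaches to the Subject: "who you are".
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;             // set by login()
    private UserPrincipal principal; // set by commit()

    // Phase 0: JAAS hands the module the Subject being built and the app's CallbackHandler.
    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    // Phase 1: authenticate. The module never reads the console itself; it asks the
    // application for the name and password through callbacks.
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String expected = USERS.get(nameCb.getName());
        char[] given = passCb.getPassword();
        passCb.clearPassword();
        // MessageDigest.isEqual compares in constant time: rejection takes as long
        // whether the first or the last byte differs.
        boolean ok = expected != null && given != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                new String(given).getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new FailedLoginException("bad username or password");
        user = nameCb.getName();
        return true;
    }

    // Phase 2: commit. Only after every required module succeeded does the Subject gain
    // its Principal; later authorization keys off that principal, not off the password.
    @Override
    public boolean commit() {
        if (user == null) return false;
        principal = new UserPrincipal(user);
        subject.getPrincipals().add(principal);
        return true;
    }

    // abort() runs instead of commit() when another module in the stack failed.
    @Override public boolean abort() { user = null; principal = null; return true; }

    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        return abort();
    }

    // Application side: a LoginContext for the "Demo" entry plus a CallbackHandler
    // that answers the module's callbacks from the command-line arguments.
    public static void main(String[] args) throws LoginException {
        String name = args.length > 0 ? args[0] : "alice";
        char[] pass = (args.length > 1 ? args[1] : "s3cret").toCharArray();
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("Demo", handler);
        lc.login(); // runs login() then commit() on each module; throws LoginException on failure
        System.out.println("authenticated: " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

The two-phase design is the point: a module that fails login() never reaches commit(), and a module that succeeded but shares a stack with one that failed has its state discarded by abort(), so a Subject only ever carries principals from a fully successful login. Swapping the CallbackHandler (console, GUI, servlet request) changes how credentials are collected without touching the module.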

  14. Class file and Cs file • In ASP.NET, almost every form (.aspx) has a code-behind .cs file that handles its events. • In a Java web application the compiled .class files play the same role; they are placed under WEB-INF/classes, a directory the servlet container never serves directly to clients.

  15. Summary

  16. Contd..

  17. Contd..

  18. Choosing between Java and .Net • The ultimate choice usually depends not on technical superiority, but on: • cultural/”religious”/political preferences • Skill set of your developers • Customer preference • Vendor relations


  20. Any Questions ???
