Comparing Java and .Net Security: Lessons Learned and Missed - Nathanael Paul, David Evans Presented by Dan Frohlich
Overview • Vulnerability History. • Architecture. • Instruction Sets. • Permissions. • Policies. • Enforcement. • Psychological Acceptability. • Questions?
Vulnerability History • Is the .Net architecture more secure? • Did we learn something from Java?
Most Java vulnerabilities occur before the VM executes code. • Class Loader + Verifier vulnerabilities account for the majority of Java vulnerabilities
Instruction Sets • Object creation in Java requires 3 operations (new, dup, invokespecial <init>) v.s. 1 op in MSIL (newobj). • A single instruction is also a single point of verification: no uninitialized object sits on the operand stack between allocation and the constructor call, which simplifies the verifier's job. • Java's exception handling (jsr/ret subroutines, used for finally blocks) pushes a return address onto the operand stack, making control flow hard to verify. • .Net's leave op exits a protected block and finds the finally handler through the method's exception-handling clauses, so no return address is pushed. • Fewer complex instruction sequences in MSIL mean simpler verification code. • This should lead to fewer flaws in the verifier.
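An added example, not code from the paper or from either runtime, that makes the "3 ops v.s. 1 op" and jsr/ret points concrete: two tiny linear-sweep decoders for a handful of Java bytecode and MSIL opcodes, a count of how many instructions an object creation spans (the window in which a verifier must track an allocated-but-uninitialized object), and a check for jsr/jsr_w/ret. The opcode numbers are the JVM specification and ECMA-335 values; the tables cover only the opcodes the samples need, and the byte strings below are constructed (the constant-pool indexes and metadata tokens in them are arbitrary). Note that class files of version 51 (Java 7) and later reject jsr/ret, so the subroutine check matters mainly for older class files.

```python
"""Linear-sweep decoders for a small subset of Java bytecode and MSIL, used to
compare how many instructions a verifier must track for one object creation and
to flag Java's jsr/ret subroutines. Constructed example: opcode values follow
the JVM specification and ECMA-335, but only the opcodes used here are listed."""

# Java opcode -> (mnemonic, operand byte count)
JAVA = {
    0x01: ("aconst_null", 0), 0x12: ("ldc", 1), 0x2a: ("aload_0", 0),
    0x3a: ("astore", 1), 0x4c: ("astore_1", 0), 0x59: ("dup", 0),
    0xa7: ("goto", 2), 0xa8: ("jsr", 2), 0xa9: ("ret", 1),
    0xb1: ("return", 0), 0xb7: ("invokespecial", 2), 0xbb: ("new", 2),
    0xbf: ("athrow", 0), 0xc9: ("jsr_w", 4),
}

# MSIL single-byte opcode -> (mnemonic, operand byte count)
MSIL = {
    0x00: ("nop", 0), 0x06: ("ldloc.0", 0), 0x0a: ("stloc.0", 0),
    0x14: ("ldnull", 0), 0x26: ("pop", 0), 0x28: ("call", 4),
    0x2a: ("ret", 0), 0x73: ("newobj", 4), 0x7a: ("throw", 0),
    0xdc: ("endfinally", 0), 0xdd: ("leave", 4), 0xde: ("leave.s", 1),
}


def decode(code, table):
    """Linear sweep: return [(offset, mnemonic, operand_bytes)].
    Rejects opcodes outside the table and truncated operands."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in table:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {pc}")
        name, width = table[op]
        operand = code[pc + 1:pc + 1 + width]
        if len(operand) != width:
            raise ValueError(f"truncated operand for {name} at offset {pc}")
        insns.append((pc, name, operand))
        pc += 1 + width
    return insns


def creation_windows(insns, isa):
    """For each object creation, the number of instructions during which the
    verifier must track an object that exists but is not yet initialised.
    Java: from `new` until the `invokespecial <init>` that consumes the
    uninitialised reference. MSIL: `newobj` allocates and runs the constructor
    in one step, so the window is always a single instruction."""
    if isa == "msil":
        return [1 for _, name, _ in insns if name == "newobj"]
    windows, count = [], None
    for _, name, _ in insns:
        if name == "new":
            count = 1
        elif count is not None:
            count += 1
            if name == "invokespecial":
                windows.append(count)
                count = None
    return windows


def uses_java_subroutines(insns):
    """True if the Java code uses jsr/jsr_w/ret, i.e. pushes a return address
    onto the operand stack. Call only on the output of decode(..., JAVA)."""
    return any(name in ("jsr", "jsr_w", "ret") for _, name, _ in insns)


# Constructed samples (constant-pool indexes and metadata tokens are arbitrary).
JAVA_NEW = bytes([0xbb, 0x00, 0x02,        # new #2
                  0x59,                    # dup
                  0xb7, 0x00, 0x03,        # invokespecial #3  (<init>)
                  0x4c,                    # astore_1
                  0xb1])                   # return
MSIL_NEW = bytes([0x73, 0x06, 0x00, 0x00, 0x0a,   # newobj 0x0A000006
                  0x0a,                           # stloc.0
                  0x2a])                          # ret
JAVA_FINALLY = bytes([0xa8, 0x00, 0x04,    # jsr +4: pushes a return address
                      0xb1,                # return
                      0x3a, 0x01,          # astore 1: stash the return address
                      0xa9, 0x01])         # ret 1: jump to the stashed address
MSIL_FINALLY = bytes([0xde, 0x01,          # leave.s +1: exit the try block
                      0xdc,                # endfinally (finally handler body)
                      0x2a])               # ret
```

Running `creation_windows(decode(JAVA_NEW, JAVA), "java")` gives `[3]` while the MSIL sample gives `[1]`; the Java finally sample is flagged by `uses_java_subroutines`, whereas the MSIL one decodes to `leave.s`, `endfinally`, `ret` with no stack-resident return address for the verifier to reason about.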
Permissions • .Net provides finer permission granularity overall. • Both design permissions around dangerous APIs rather than around the critical resources those APIs reach. • This is dangerous because granting a permission may grant capabilities the grantor did not expect. • Neither supports complete mediation of resource access. • Frameworks may add it, at significant performance cost.
Policies • Java's permissive (union) model: the effective permission set is the union of every grant entry that matches the code. • A user's policy file therefore need not list all the permissions the code ends up with. • A policy entry can add permissions but can never make them more restrictive. • .Net's restrictive (intersection) model, which intersects the grants of the separate policy levels, is more flexible but more complex. • It follows the fail-safe-defaults principle.
Enforcement • A reference monitor is used in both cases to satisfy the complete-mediation principle. • Java's SecurityManager is an ordinary, replaceable object and can be overridden. • This is more flexible than .Net's enforcement, but it makes type-safety exploits easy to turn into a full escape: a single type-confused write that replaces the security manager disables every check.
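An added illustration of the two policy models (union v.s. intersection) and of the stack-inspection reference monitor described above; this is a constructed model written for this page, not the real java.security.Policy, AccessController or .NET CAS code. Permissions, evidence predicates, grant entries and the call stacks are all made up for the example; `Perm.implies` handles only a file-style target with a "/-" subtree suffix.

```python
"""Toy model of Java-style (union) and .NET CAS-style (intersection) policy
resolution plus stack-inspection enforcement. Constructed illustration only;
it is not the real runtime code of either platform."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    kind: str            # resource class, e.g. "file"
    target: str          # e.g. "/tmp/-" ("/-" suffix means the whole subtree)
    actions: frozenset   # e.g. frozenset({"read"})

    def implies(self, other: "Perm") -> bool:
        if self.kind != other.kind or not other.actions <= self.actions:
            return False
        if self.target.endswith("/-"):
            return other.target.startswith(self.target[:-1])
        return self.target == other.target


def union_policy(grants, evidence):
    """Java model: the effective set is the union of every grant entry whose
    evidence predicate matches the code. Entries can only add permissions."""
    perms = set()
    for matches, granted_set in grants:
        if matches(evidence):
            perms |= granted_set
    return frozenset(perms)


def meet(a, b):
    """Intersection of two permission sets under 'implies' semantics."""
    return frozenset({p for p in a if any(q.implies(p) for q in b)} |
                     {q for q in b if any(p.implies(q) for p in a)})


def intersection_policy(levels, evidence):
    """CAS model: each policy level (enterprise, machine, user, ...) resolves as
    a union; the final grant is the intersection across levels, so one level
    can restrict but never widen what another level grants. A level with no
    matching entry grants nothing, which is the fail-safe default."""
    result = None
    for level in levels:
        level_perms = union_policy(level, evidence)
        result = level_perms if result is None else meet(result, level_perms)
    return result if result is not None else frozenset()


def granted(perm, perms):
    return any(p.implies(perm) for p in perms)


def check_permission(perm, stack):
    """Reference-monitor check by stack inspection. `stack` lists frames
    newest-first as (domain_perms, privileged). Every frame must be granted
    `perm`; a privileged frame (Java doPrivileged / .NET Assert) ends the
    walk so that callers further down the stack are not consulted."""
    for domain_perms, privileged in stack:
        if not granted(perm, domain_perms):
            return False
        if privileged:
            return True
    return True


# --- constructed evidence, grants and scenario -------------------------------
READ_TMP = Perm("file", "/tmp/-", frozenset({"read"}))
RW_TMP = Perm("file", "/tmp/-", frozenset({"read", "write"}))
READ_ETC = Perm("file", "/etc/passwd", frozenset({"read"}))
ALL_FILES = Perm("file", "/-", frozenset({"read", "write"}))

APP = {"codebase": "https://example.invalid/app.jar", "signer": None}
LIB = {"codebase": "file:///opt/lib.jar", "signer": "vendor"}

# Java-style grant entries: for APP the first two match, so it gets their union.
JAVA_GRANTS = [
    (lambda e: e["codebase"].startswith("https://"), frozenset({RW_TMP})),
    (lambda e: e["signer"] is None, frozenset({READ_ETC})),
    (lambda e: e["signer"] == "vendor", frozenset({ALL_FILES})),
]
# CAS-style levels: the first grants everything to https code, the second trims
# to read-only, the third trims further to /tmp for anything not vendor-signed.
CAS_LEVELS = [
    [(lambda e: e["codebase"].startswith("https://"), frozenset({ALL_FILES}))],
    [(lambda e: True, frozenset({READ_TMP, READ_ETC}))],
    [(lambda e: e["signer"] == "vendor", frozenset({ALL_FILES})),
     (lambda e: True, frozenset({READ_TMP}))],
]
# Same, but the last level has no entry matching unsigned code.
NO_USER_GRANT = CAS_LEVELS[:2] + [
    [(lambda e: e["signer"] == "vendor", frozenset({ALL_FILES}))]]


def scenario():
    app_java = union_policy(JAVA_GRANTS, APP)        # {RW_TMP, READ_ETC}
    app_cas = intersection_policy(CAS_LEVELS, APP)   # {READ_TMP}
    lib_java = union_policy(JAVA_GRANTS, LIB)        # {ALL_FILES}
    want = Perm("file", "/var/log/app.log", frozenset({"write"}))
    # Library (newest frame) writes on behalf of the app: the app's frame lacks
    # the permission, so the walk denies it.
    denied = check_permission(want, [(lib_java, False), (app_java, False)])
    # Same call with the library frame privileged: its own grant suffices.
    allowed = check_permission(want, [(lib_java, True), (app_java, False)])
    return app_java, app_cas, denied, allowed
```

The union model never shrinks: adding a second matching entry to `JAVA_GRANTS` can only widen `app_java`. The intersection model shrinks at every level, and `intersection_policy(NO_USER_GRANT, APP)` is empty because one level matched nothing. The stack walk is the complete-mediation piece: the denied/allowed pair shows why a privileged frame must be used deliberately, since it removes the caller's domain from the decision.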
Psychological Acceptability • Both Java and .Net have extensible security policies that are difficult to configure and understand. • When an application users depend on fails with a security exception, they tend to grant it full trust rather than fix the policy.