Huge security hole in .NET

B

Huge security hole in .NET
Posted by xper on 04 Feb 2005 - 12:37 CET
http://www.msfn.org/comments.php?shownews=11766

James Gosling has called Microsoft's decision to support C and C++ in
the common language runtime in .NET one of the "biggest and most
offensive mistakes that they could have made"

James Gosling, who is currently CTO of Sun's Developer Products group
and the father of the Java programming language, has called
Microsoft's decision to support C and C++ in the common language
runtime in .Net one of the "biggest and most offensive mistakes that
they could have made" as part of his speech to developers at an event
in Sydney earlier this week. He further commented that by including
the two languages into Microsoft's software development platform, the
company "has left open a security hole large enough to drive many,
many large trucks through".


According to Gosling, the security hole is based upon the fact that
several features of the older languages are ambivalent with regards to
security: "C++ allowed you to do arbitrary casting, arbitrary adding
of images and pointers, and converting them back and forth between
pointers in a very, very unstructured way.

"If you look at the security model in Java and the reliability model,
and a lot of things in the exception handling, they depend really
critically on the fact that there is some integrity to the properties
of objects. So if somebody gives you an object and says 'This is an
image', then it is an image. It's not like a pointer to a stream,
where it just casts an image," said Gosling.

Microsoft developer evangelist Charles Sterling didn't entirely
disagree with Gosling's comments, but he sought to clarify the issue
with .NET's security. Sterling pointed out that .NET defines different
sorts of code. "Managed" code is code that is executed under the
control of the .NET framework. New languages such as C# and Visual
Basic.NET only produce managed code.

Full story: uk.builder.com
http://uk.builder.com/programming/windows/0,39026618,39235857,00.htm
 
Chris Catt

Hi, only according to Mr Gosling, who has been engaged in a war of words
with MS anyway...
ChrisC
 
JerryMouse

B said:
Huge security hole in .NET
Posted by xper on 04 Feb 2005 - 12:37 CET
http://www.msfn.org/comments.php?shownews=11766

James Gosling has called Microsoft's decision to support C and C++ in
the common language runtime in .NET one of the "biggest and most
offensive mistakes that they could have made"

What else would you expect from Sun?

Their ship is sinking and they're railing at the tide.

Fortunately, not too many people pay attention to them any more.
 
Admiral Q

FYI - this would be true of any developer application that supports C or
C++, but what are you going to do, all the basic parts of an operating
system, Mainframe, Windows, DOS, Linux, Unix, Mac, etc. are all written in
either C or C++, most of the time a combination of the 2. Remove all OS's
from the shelf until they've been rewritten in a safer language - and think
how slow they would run, the reason they are writing in C/C++ is due to
speed and programmer customization ability that no other language offers,
except assembler, which has the same security issues. The developer society
as a whole just needs to be a little more conscientious on the code they are
writing - myself included.

--
Star Fleet Admiral Q @ your service!
"Google is your Friend!"
www.google.com
