Java Vs Dot Net Security - PowerPoint PPT Presentation

Slides: 21
Provided by: nrat7
Learn more at: https://www.cs.odu.edu
Transcript and Presenter's Notes

1
Java Vs Dot Net Security
Presented by Naveen Kumar Ratkal
2
Outline
  • CLR VS JVM
  • Java Byte Code and MSIL
  • Comparing the stacks
  • Major security vulnerabilities reported
  • Code Access Security
  • Policy Tool
  • Java Authentication and Authorization service
    (JAAS)
  • Class file and Cs file
  • Summary
  • Choosing between Java and .Net

3
JVM vs. CLR
  • JVM designed for platform independence
  • Single language: Java (?)
  • A separate JVM for each OS/device
  • CLR designed for language independence
  • Multiple languages for development
  • C#, VB, C++, (J#)
  • APL, COBOL, Eiffel, Forth, Fortran, Haskell, SML,
    Mercury, Mondrian, Oberon, Pascal, Perl, Python,
    RPG, Scheme, SmallScript
  • Impressive usage of formal methods and
    programming language research during development
  • Impressive extensions for generics and support
    for functional languages underway
  • Underlying OS: Windows (?)

4
CLR vs JVM
  • .Net stack: C#, Managed C/C++, VB .Net, lots of
    other languages -> MSIL -> CLR Security Runtime
    Services -> Windows OS
  • Java stack: Java -> Byte Codes -> JRE (JVM)
    Security Runtime Services -> Mac, Unix, Linux, Win
Both are middle layers between an intermediate
language and the underlying OS.
5
Java Byte Code and MSIL
  • Java byte code (or JVML) is the low-level
    language of the JVM.
  • MSIL (or CIL or IL) is the low-level language of
    the .NET Common Language Runtime (CLR).
  • Superficially, the two languages look very
    similar:

    MSIL        JVML
    ldloc.1     iload 1
    ldloc.2     iload 2
    add         iadd
    stloc.3     istore 3
6
Comparing the stacks
  Java stack                          | .Net stack
  Struts                              | ASP.Net
  JSP, Servlets                       | Visual Studio.net
  Java                                |
  JDBC                                | ADO.NET
  J2EE Class Library                  | Base Class Library
  Java runtime                        | CLR
  J2EE App Servers (Websphere,        |
  Weblogic, Tomcat, etc.), JMS, Apache |
  OS: Win32, Unix, Linux
7
Major security vulnerabilities reported
One of the bugs: CVE-2000-1061 - execute arbitrary
commands via a malicious web page or email.
8
Code Access Security
  • In Dot Net the evidences are: AppDirectory, Hash,
    Publisher, Site, Strong Name, URL, and Zone.
  • In Java:
    - Codebase
    - Signer
  • We shall look at codebase and signer in detail.
  • Dot Net has extended Java's stack walk design
    with the Permission methods PermitOnly(),
    Assert(), and Deny().

9
Contd..
  • Codebase evidence can be a URL, either web or
    local, from which the code is loaded.
  • Signer (effectively, the publisher of the code).
  • Specify the permission in the policy file.
  • Sign the jar files if the policy file specifies
    the permission only for signed jar files.
  • One can check the manifest folder of the jar to
    see the signatures.

10
Demo Process..
```bat
java -classpath "EXEC_CLASSPATH" -Djava.security.manager -Djava.security.policy="access.policy" PermissionCheck access
rem Without permissions
java -classpath "EXEC_CLASSPATH" -Djava.security.manager -Djava.security.policy="access.policy" PermissionCheck delete
rem Accessing with permissions by signer
jarsigner -verbose -keystore DemoPub.keystore -storepass changeit PermissionCheck.jar DemoPublisher
java -classpath "EXEC_CLASSPATH" -Djava.security.manager -Djava.security.policy="access.policy" PermissionCheck delete
pause
```
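The codebase/signer policy check that slides 8 to 10 walk through, as an added example: this is a stand-in for the deck's PermissionCheck demo, not the deck's own code. The policy file text, the target file demo.txt, the build directory and the DemoPublisher alias are assumptions; it targets JDK 17 or earlier, where the SecurityManager the demo relies on is still available.

```java
// PermissionCheck.java: added example, not the slide deck's own demo code.
// Assumed policy file access.policy (file, directory and alias names are assumptions):
//
//   keystore "DemoPub.keystore";
//   // Unsigned code loaded from the build directory may only read the file.
//   grant codeBase "file:${user.dir}/build/-" {
//       permission java.io.FilePermission "demo.txt", "read";
//   };
//   // Code signed with the DemoPublisher key (see the jarsigner step) may also delete it.
//   grant signedBy "DemoPublisher" {
//       permission java.io.FilePermission "demo.txt", "read,delete";
//   };
//
// Run: java -Djava.security.manager -Djava.security.policy=access.policy PermissionCheck delete
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;

public class PermissionCheck {
    static final String TARGET = "demo.txt";

    /** Asks the security manager whether every frame on the call stack is allowed the action. */
    static boolean isAllowed(String action) {
        if (System.getSecurityManager() == null) {
            return true;   // no security manager installed: the policy file is never consulted
        }
        try {
            // Stack walk: denied as soon as one protection domain lacks the permission,
            // so unsigned code cannot gain "delete" by calling into signed code.
            AccessController.checkPermission(new FilePermission(TARGET, action));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String action = args.length > 0 ? args[0] : "read";   // e.g. read, write, delete
        System.out.println(action + " " + TARGET + ": " + (isAllowed(action) ? "granted" : "denied"));
    }
}
```

Run it unsigned and then from the jar signed with jarsigner as on slide 10: the "delete" request is denied in the first case and granted in the second, while "read" is granted in both.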
11
Policy Tool
  • What is a policy tool?
  • Uses
  • Freeware provided by Sun

12
Java Authentication and Authorization service
(JAAS)
  • Verifies that a user is a subject and grants the
    user certain principals ("who you are").
  • The JAAS authentication component provides the
    ability to check who is currently executing Java
    code, regardless of whether the code is running
    as an application, an applet, a bean, or a
    servlet.

13
Login Module
  • The login module receives information about the
    user and authenticates the user, thereby
    verifying that he or she is a valid subject.
  • These login modules are identified by a name in
    a configuration file and then called by a
    LoginContext class that JAAS provides.
  • Most of these modules expect to be run from an
    application or on the command line, and thus to
    be able to interact directly with a user.

14
Class file and Cs file
  • With almost every form we write a .cs file which
    handles the events.
  • .class files do the same thing in Java's web
    application; they are placed in the WEB-INF/classes
    folder.

15
Summary
  Cryptography | .Net: Good                 | Java: Good
               | Heavily relies on Windows  | All providers are to be signed by the CA; arch dedicated to the US law
16
Contd..
  Code protection | .Net: Good                                     | Java: Very Good
  Code Signing    | Choice of strong names and publisher signing   | JAR allows multiple signers
  Certificates    | Poor default functionality                     | Solid and easy APIs
17
Contd..
  Secure Communication | .Net: Fair                                       | Java: Very Good
  Platform             | No support besides IIS, some samples available   | JSSE as a standard component of JDK
  Web Services         | Up to date support of WSA                        | Only supported by external vendors
18
Choosing between Java and .Net
  • The ultimate choice usually depends not on
    technical superiority, but on
  • cultural/religious/political preferences
  • Skill set of your developers
  • Customer preference
  • Vendor relations

19
References
  • Websites
    - http://vsbabu.org/mt/archives/2003/09/05/slashdot_java_vs_net.html
    - http://www.cgisecurity.com/lib/J2EEandDotNetsecurityByGerMulcahy.pdf
    - http://diuf.unifr.ch/softeng/seminars/SE2003/buchmann/htmlpaper/index.html
  • Book
    - Java Security, by Oaks

20
Any Questions ???