Re: .Net and security

From: Torben Nehmer (torbennehmer.net)
Date: Wed Nov 24 2004 - 01:17:20 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

- --On Tuesday, 23 November 2004 13:12 -0500 Tim Hoolihan
<tim.hoolihangmail.com> wrote:

>> 3) Also are there better security advantages using J# , C# over VB in
>> .Net?
> All of these languages are compiled into the same language (read up on
> the CLR), so in theory they are each as secure as each other.
> However, I would want to know more about how each language handles
> variable typing to be certain. I can only speak to C# on this, but it
> requires explicit conversions and seems to have a lot of safeguards.

As far as I understand the CLR specification, this is a requirement for all
languages bound to it. There have been several articles on the net about
VB# being far more strict than plain-old VB was, making the transition for
the average VB programmer a lot more difficult than, say, from C++ to C#.

As for J#, I would suspect the same.

The really interesting point here is the quality of the compilers, I think.

I have worked with the .NET C# compiler from Microsoft for quite some time
now, and I'm a bit impressed by how well it is able to find common coding
errors like, as you said, missed typecasts etc. So, if you are talking
about VB# or J#, this should be one point to consider. A compiler which
doesn't allow insecure code is a great help, independently of the
language actually in use.

Apart from this, there is another point. Many common errors are intercepted
by the .NET runtime while your application is executing, resulting in
exceptions, which are definitely independent of the language you actually
used to create your code.

So, generally speaking, I do think that .NET is a good advancement in
secure programming out-of-the-box. On the other hand, the centralized
framework makes for a good single point of failure, and I have no idea how
many loopholes still remain in the Microsoft CLR. Maybe the open source
Mono project might be of interest here, especially in high-security
environments. (Besides, the Mono CLR has the reputation of being more
performant than the Microsoft one.)

What I have not yet looked into is the security framework .NET has in it.
You can set a whole lot of permissions for code being executed on a given
machine depending on another whole lot of sources where the application is
coming from. Just copying an application from a local hard drive to a
network share in your little private LAN at home might make an application
unusable without changing permissions. I think the socket connection to
MySQL is causing this, but I'm not sure.

Live long and Prosper!
Torben Nehmer

- --
Torben Nehmer, Guenzburg, Bavaria, Germany
http://www.nathan-syntronics.de, mailto:torbennehmer.net
PGP Public Key: https://www.link-m.de/pgp/t.nehmer.asc
-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v3.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBQaQ1gCT4eCp+neRWEQK3HQCgpQ7s6vIte83NqrQr6LWKeWaGvg4AoLWs
SXC2H1DQ5PuluCUijMM67FPW
=KDQf
-----END PGP SIGNATURE-----
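The three mechanisms the message above touches on (compile-time strictness of the C# compiler, language-independent runtime checks by the CLR, and the permission model that can make an assembly fail when launched from a network share) are easy to observe in a few lines. The following is an added C# illustration written for this archive page, not code from the original post or its author. It targets the .NET Framework 1.x/2.0 era the thread is about; the host name and port are assumed values (3306 is the MySQL default), and on modern .NET, where Code Access Security is disabled, the `Demand()` call simply succeeds.

```csharp
// Added illustration (not from the original post): how the C# compiler and the
// CLR catch the error classes the thread discusses, plus a Code Access Security
// demand of the kind that fails when an assembly runs from a network share under
// .NET Framework 1.x/2.0 CAS policy (the LocalIntranet permission set did not
// include SocketPermission). On .NET Framework 4+ and .NET Core/5+, CAS policy is
// off or absent and the demand is a no-op.
using System;
using System.Collections.Generic;
using System.Net;
using System.Security;
using System.Security.Permissions;

class ClrSafetyDemo
{
    // 1. Compile-time strictness: the compiler rejects silent narrowing.
    static short Narrow(int wide)
    {
        // short s = wide;            // error CS0266: cannot implicitly convert 'int' to 'short'
        return checked((short)wide);   // explicit cast; in a checked context overflow throws
    }

    // 2. Runtime checks: the CLR raises exceptions regardless of source language,
    //    where C or C++ would silently corrupt memory or wrap the value.
    static string ProbeRuntime()
    {
        var results = new List<string>();
        int[] buf = new int[4];
        object boxed = "not a number";   // constructed sample value

        try { buf[4] = 1; }                       // no write past the end of the array
        catch (IndexOutOfRangeException) { results.Add("bounds checked"); }

        try { int n = (int)boxed; }               // no reinterpretation of a string as an int
        catch (InvalidCastException) { results.Add("cast checked"); }

        try { Narrow(70000); }                    // 70000 does not fit in a short
        catch (OverflowException) { results.Add("overflow checked"); }

        return string.Join(", ", results.ToArray());
    }

    // 3. Code Access Security: demand the permission a MySQL client needs before
    //    opening the connection, so a missing grant surfaces as a clear
    //    SecurityException instead of an obscure failure deep inside the driver.
    static bool CanConnectTo(string host, int port)
    {
        var perm = new SocketPermission(NetworkAccess.Connect, TransportType.Tcp, host, port);
        try
        {
            perm.Demand();
            return true;
        }
        catch (SecurityException)
        {
            // Typical when the assembly was loaded from the LocalIntranet zone
            // (e.g. a network share) under the default CAS policy of that era.
            return false;
        }
    }

    static void Main()
    {
        Console.WriteLine(ProbeRuntime());
        // Assumed host/port for illustration only.
        Console.WriteLine("socket permission granted: " + CanConnectTo("localhost", 3306));
    }
}
```

Running `ProbeRuntime()` prints `bounds checked, cast checked, overflow checked` on any CLR, which is the point of the message's second argument: the checks live in the runtime, not in the language. The `CanConnectTo` probe is how a defender would turn the "application suddenly unusable from a network share" symptom into a diagnosable permission failure, rather than guessing, as the author does, which operation is being denied.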