
By Renai LeMay
Posted on ZDNet News: Feb 4, 2005 7:23:00 PM

James Gosling, CTO of Sun's Developer Products group and the father of the Java programming language, has called Microsoft's decision to support C and C++ in the common language runtime in .NET one of the "biggest and most offensive mistakes that they could have made" in his speech to developers at an event in Sydney earlier this week. He further commented that by including the two languages in Microsoft's software development platform, the company "has left open a security hole large enough to drive many, many large trucks through."

According to Gosling, the security hole is based upon the fact that several features of the older languages are ambivalent with regard to security: "C++ allowed you to do arbitrary casting, arbitrary adding of images and pointers, and converting them back and forth between pointers in a very, very unstructured way.

"If you look at the security model in Java and the reliability model, and a lot of things in the exception handling, they depend really critically on the fact that there is some integrity to the properties of objects. So if somebody gives you an object and says 'This is an image', then it is an image. It's not like a pointer to a stream, where it just casts an image," said Gosling.

Microsoft developer evangelist Charles Sterling didn't entirely disagree with Gosling's comments, but he sought to clarify the issue with .NET's security. Sterling pointed out that .NET defines different sorts of code. "Managed" code is code that is executed under the control of the .NET framework. New languages such as C# and Visual Basic.NET only produce managed code.

However, Gosling is concerned about "unsafe" code, which is produced by traditional languages like C and C++. Unsafe code is old code that does not strictly follow the rules of type safety that .NET defines, and this sort of code requires additional permissions to execute. According to Sterling, "you as a developer take it upon yourself" to utilize unsafe code in your .NET applications.
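The integrity property Gosling describes, and the type-safety rules that unsafe code does not have to follow, can be shown in a few lines of C++. This is an added example, not code from the article, Sun or Microsoft; `Image`, `StreamCursor`, `Handle` and the 4096 limit are hypothetical names and values constructed for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <type_traits>
#include <typeinfo>

// All names below are hypothetical, chosen for this illustration.
const uint32_t kMaxDim = 4096;  // constructed size limit

// An Image can only be built through create(), which enforces the limit.
class Image {
public:
    static Image create(uint32_t w, uint32_t h) {
        if (w == 0 || h == 0 || w > kMaxDim || h > kMaxDim)
            throw std::invalid_argument("bad image dimensions");
        return Image(w, h);
    }
    uint32_t width() const { return w_; }
    // Code that receives an Image assumes this is always true.
    bool invariant_holds() const {
        return w_ >= 1 && w_ <= kMaxDim && h_ >= 1 && h_ <= kMaxDim;
    }
private:
    Image(uint32_t w, uint32_t h) : w_(w), h_(h) {}
    uint32_t w_, h_;
};

// An unrelated type that happens to have the same size as Image.
struct StreamCursor { uint64_t offset; };
static_assert(sizeof(Image) == sizeof(StreamCursor), "same size");
static_assert(std::is_trivially_copyable<Image>::value, "memcpy is defined");

// Unchecked conversion: the cursor's bytes are simply declared to be an
// Image. No constructor runs, so create()'s validation is never consulted.
Image unchecked_as_image(const StreamCursor& s) {
    Image img = Image::create(1, 1);
    std::memcpy(static_cast<void*>(&img), &s, sizeof img);
    return img;
}

// Checked conversion: the handle records the object's real type, and the
// cast is refused (nullptr) when the requested type does not match.
struct Handle { const std::type_info* type; const void* ptr; };
template <class T> Handle make_handle(const T& v) {
    Handle h = { &typeid(T), &v };
    return h;
}
template <class T> const T* checked_cast(const Handle& h) {
    return *h.type == typeid(T) ? static_cast<const T*>(h.ptr) : nullptr;
}
```

A cursor whose offset has every bit set becomes, through `unchecked_as_image`, an `Image` that `create()` would have rejected, while `checked_cast<Image>` on the same cursor returns `nullptr`.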

An important point is that the so-called unsafe code does have the potential to run faster than "managed" code due to some languages' ability to include machine-specific features that may sacrifice platform portability for speed. Sterling acknowledged this as he said that the choice between the two platforms is all about risk: if developers are willing to "accept the risk" of unsafe code then they may gain access to "the best performance system on the planet."

Sterling also gave the debate a reality check when asked about his personal knowledge of .NET developers actually implementing C or C++ code under the .NET framework. Of the approximately one thousand developers that Sterling knows, he could recall only one developing directly in C++. Whether this indicates an unwillingness on the part of developers to utilize code that is unsafe is not clear.


Talkback (most recent of 59 Talkbacks)

security holes in .Net
Actually there are huge holes in .Net platform, but it is not because of C++ and its pointer and casting, simply because you can block all unsafe code to call your code (assembly) and bye C++ or C. But...
Posted by: nelson123 Posted on: 03/02/05
