
Re: [DotGNU]Microsoft's security blind spot

From: Rhys Weatherley
Subject: Re: [DotGNU]Microsoft's security blind spot
Date: Mon, 11 Feb 2002 09:31:14 +1000

Bill Lance wrote:

> This article by Bill Joy raises some questions in my
> mind.
> These security issues in C# specs are quite relevant
> to both the VRS and the SEE projects.  What do we need
> to know in order to design a sound sandbox around the
> Pnet implementation of C#, Java, and whatever else
> comes to be?

Bill Joy jumped to wild conclusions based on a minor section
in the C# specification.  C# has the ability to write unsafe
pointer code, which is compiled down to IL like everything else.

But Bill conveniently left out the important step:

The CLR has two modes of executing IL, called "Correct IL"
and "Verifiable IL".  In the first mode, anything goes,
including pointer arithmetic.  In the second mode, only
programs that can be verified to be safe can be executed.

Hence, if you use the unsafe pointer features in C#,
you won't be able to run the application unless the engine
is in "Correct IL" mode.

Right now, pnet only runs "Correct IL", but that's because
I haven't got an option for "Verifiable IL" on the command
line just yet.  All of the necessary support code is present.

Of course, there is the open question as to whether MS
has implemented the Correct/Verifiable boundary correctly.
If there is a "leak" between the two, then all is for naught.

Java has a similar issue: it separates applets and applications
into separate security policies.  If there is a "leak" between
these policies, then applets may be able to escape, even if
no pointer arithmetic is present.

Keep in mind that Bill Joy, a Sun employee, has a vested
interest in beating up minor issues in C# and making
them appear major.  He doesn't want people to use C#.
He wants them to stick with Java.

In reality, both the JVM and IL are just as secure/insecure
as each other.  Their vulnerabilities are in different places,
that's all.  Sun's JVM has the advantage that its code is
open for inspection, which MS doesn't have.  But we do.
