Comparing Java and .NET Security

It's been a while since I've last seen a comparison of Java and .NET securityNathaneal Paul and David Evans from the University of Virginia Computer Science Department recently finished their comparison, Comparing Java and .NET Security: Lessons Learned and Missed.

In their paper, Nathaneal and David take a bottom up approach to examining the security models of each platform.  They start with the opcodes that make up the instruction set of each virtual machine, and examine them both from an instruction set design perspective as well as from a verification perspective.  They use the SSCLI to compare verifier implementations between the CLR and Java.  From there, they look at the way each platform allows for policy creation and the permissions that each uses.  The paper ends with an examination of how each platform uses its policy system, from bootstraping to modifying the stack walk.

At the beginning of the paper, Nathaneal and David compare the number of reported major security vulnerabilities in the Java VM and the CLR since each had their official 1.0 release in January 1996 and January 2002 respectively.  Their data makes for an interesting graph, presented in their paper as Figure 1:

Java vs CLR major security vulnerabilities