microsoft.net initiative keith bessette hardik davé jaladhi mehta cse 333 fall 2002
Post on 21-Dec-2015
227 views
TRANSCRIPT
Microsoft .NET Initiative
Keith Bessette
Hardik Davé
Jaladhi Mehta
CSE 333CSE 333
Fall 2002Fall 2002
• What is .NET ?• History and Evolution of .NET• What is .NET made up of ?• Scope of the paper
– .NET languages and Java– Database Connectivity using .NET.– Security Issues Concerning .NET and Java– Interoperability: Middleware and Languages
Introduction and Overview
• Supported Languages in .NET
• C# Background
.NET Languages
• Class Hierarchies– Both have single rooted class hierarchies System.Object and
Java.lang.object
– Both classes have methods sharing some similarities and difference
• Execution Environment– JAVA compiled to bytecodes which are interpreted or natively
compiled and run in managed exec envt JVM
– C# code gets compiled to IL which runs in CLR C# code is never interpreted, it is always natively compiled C#’s IL is more type neutral
C# vs. Java – Differences and Similarities
• Object Creation– In JAVA objects are Heap based
– In C# objects are Heap based as well as Stack based (called value types)
• NameSpaces– In JAVA packages reflect the physical directory layout
– C# has complete separation of physical packaging and logical naming
C# vs. Java – Differences and Similarities(Continued)
• Access Modifiers
C# vs. Java – Differences and Similarities(Continued)
C# access modifier Java access modifier
Private Private
Public public
Internal protected
protected N/A
internal protected N/A
• Serialization and Documentation• C# supports XML format as well as binary format for serialization while Java only supports binary format by default.
• JAVA uses Javadoc while C# uses XML for documentation
• Deterministic object cleanup– C# supports dispose() method
– C++ like destructors without memory allocation woes Best of both worlds
• Pointers and unsafe code– C# can have pointers when it is running in unsafe mode
– Program must have full trust granted earlier
– Unsafe keyword, /unsafe compiler switch
– Fixed keyword to avoid the garbage collector moving the variable during the mark and collect algorithm phase
C# vs. Java – Differences and Similarities(Continued)
• Platform interoperability– How C# and JAVA run on various platforms
– JAVA is a single language platform
– C# supports multiple languages as long as they conform to CLS
– JAVA has better portability for various o/s and platforms
– C# currently runs on only windows platforms
– .NET platform files complied to PE files
C# and interoperability
• Standards Interoperability– How both languages access standards like
database systems, graphics library, etc.?– C# and JAVA both don’t scale too well due to
Microsoft and Sun’s business motivations– C# has been submitted to ECMA to derive to a
standard– .NET is sort of an open platform
C# and interoperability
• Language interoperability– Level and ease of integration with other
languages– JAVA supports language interoperability
through JNI, CORBA– .NET has language independence– .NET supports any languages as long as they
conform to CLS and CTS
C# and interoperability
• Database connectivity in .NET– Different APIs for connecting to the Database.– JDBC was introduced by Sun Microsystems in
1996 – History of ADO and JDBC.
Database Connectivity
• Three Level Architecture
• XML and DataSet as objects of interaction
ADO.NET Architecture
Business Business TierTier
Data Data TierTier
Presentation TierPresentation Tier
Windows Forms
Web Forms
Business to Business
Data Object (Class)
DataSet
DataSetDataSet
InternetInternetIntranetIntranet
Data Data AdapterAdapterData Data AdapterAdapter
(BizTalk, for example)
XML
MyApp.Exe
IE
• Three Layers of Architecture
• RecordSets,
Statements – Connection
and DriverManager
ADO.NET Architecture
• Primitive offline DB access using ResultSets in JDBC
• Complete offline access in .NET using DataSets
Offline DB Access
DataSet
DataTableCollections
DataRowcollection
DataColumncollection
ConstraintCollection
DataRelationCollection
DataTable
Fig 4.3 ADO.NET DataSet
• ADO.NET’s DataSet Architecture
• DataSet functionality
• XML as a method of choice.
• ADO.NET’s powerful support for XML
• XML functions in DataSets and ADO.NET
• Oracle’s support for XML
Interoperability with XML
XMLXML
.NET developed Application
SQL DB
Oracle DB
• Secure development and execution environments• CBAC: permission for code to access resources• RBAC: permission for users/roles to access resources• Code verification and execution: semantics, bytecode, safe
execution environment• Secure communication: pass data/messages securely• Code and data integrity: no unauthorized code
modification, cryptography
Security Issues concerning .NET and Java
Code Based Access Control
• CBAC is the security that allows and prevents a piece of code to access resources
• Evidence Based Security, Permissions, Security Policy
• CLR reviews evidence of an assembly• Determines identity from evidence• Looks up and grants permissions based on the
security policy for that assembly identity
• The CLR examines assemblies to determine their origin
• CLR looks at metadata for:– where the code originate– creator of the assembly– URL and zone the assembly came from
• CLR verifies the association of metadata w/ an assembly
Evidence Based Security
• Permission: assigned to a piece of code, the allowance to execute a certain method or access a certain resource
• Assemblies request permissions to execute, and the CLR answers at runtime
• Permissions are grouped into sets w/ the same level of security and trust
• Assembly from Internet zone maybe granted Internet permission set for untrusted code
Permissions
• SP is set by an admin to make permission decisions for assemblies and domains
• Three policies: Total Enterprise, Machine executing code, Requesting User
• Any policy file may partially restrict permissions of another policy file
• SP groups code into hierarchal categories based on identity determined by the CLR
• SP determines permissions for assembly after code is grouped and categorized
Security Policy
• Permissions are grouped into protection domains and associated w/ groups of classes
• Permissions are grouped into sets and assoc w/ code groups• Classes are grouped by their origin like Code is categorized by
assembly’s zone• No Security Manager by default in Java• J2EE has 2 SP types: executing machine & requesting user• .NET provides a lot of standard permissions• Stronger credentials needed for permissions in .NET (evidence)• SP files are more configurable in Java, but doesn’t help w/o all
perm sets
Java CBAC vs. .NET CBAC
• .NET applies ‘Principal’ term to role membership• .NET uses many plug-in authentication modules• Windows: windows apps using Security Support Provided
Interface• Passport: Microsoft implemented centralized
authentication service• Form based: HTML logon form from ASP.NET; identity
cookies• IIS Server: built in mechanisms like Basic, Digest, X.509
certs w/SSL• Impersonation: allows a user to use another identity to
access another application
Role Based Access Control
• .NET supports both imperative and declarative role permission checking
• Java servlets provide declarative checking at the servlet level
• EJB’s provide declarative checking down to method level• JAAS provides imperative checking within method level• .NET flexibility is limited severely• IIS is only supported server of .NET framework• Passport requires users to be members of Microsoft
Passport service
Java RBAC vs. .NET RBAC
• Prevent system weaknesses exposure by application errors; malicious or not
• .NET and Java perform security checks during code execution
• Stack integrity, bytecode structure, buffer overflows, semantics
• Application Domains have static boundaries • Protection Domains have dynamic boundaries • All security checks to verify code are done on managed
code• Both .NET and Java allow unmanaged code to bypass the
CLR and JRE
Code Verification and Execution
• Secure Communications are done at the application level
• Both platforms support SSL and TLS• .NET apps can use Windows SSPI and IIS• Java provides Java Secure Sockets
Extensions (JSSE)• JSSE is very flexible, can be configured
easily for RMI
Secure Communication
• .NET uses Windows Crypto API• Java Crypto Extensions (JCE) and Java Crypto
Architecture (JCA)• Signed distribution files are necessary for source
verification• .NET uses strong named assemblies signed with an RSA
keypair• Java’s JAR files are sealed and each class is signed• Java’s manifest files don’t require version info• Once again .NET is tied to Windows so Java is more
flexible• Crypto algorithms are based on published standards
Secure Code and Data Protection
• .NET can access COM client as COM can access a .NET client
• Runtime Callable Wrapper (RCW) wraps the COM object
• COM Callable Wrapper (CCW) wraps the .NET object
• System.Runtime.InteropServices.ComVisible limits what COM client can call
Middleware Interoperability: COM
• .NET creates ‘Channels’ to remotely access objects; HTTP, TCP
• .NET does allow ability to create custom channels; IIOP
• RMI creates sockets to remotely access objects; IIOP, JRMP
• .NET doesn’t have a naming registry for services
Middleware Interoperability: .NET Remoting vs. RMI
• Corba is one of the most used middlewares today
• Microsoft doesn’t support IIOP, Java does
• Create custom channel using TCP/IIOP
• Use wrappers, connect to a Corba object via a COM object
Middleware Interoperability: Corba