Microsoft .NET Initiative: Keith Bessette, Hardik Davé, Jaladhi Mehta (CSE 333, Fall 2002)
Post on 21-Dec-2015
Microsoft .NET Initiative
Keith Bessette
Hardik Davé
Jaladhi Mehta
CSE 333
Fall 2002

Introduction and Overview
• What is .NET?
• History and Evolution of .NET
• What is .NET made up of?
• Scope of the paper
  – .NET languages and Java
  – Database Connectivity using .NET
  – Security Issues Concerning .NET and Java
  – Interoperability: Middleware and Languages

.NET Languages
• Supported Languages in .NET
• C# Background

C# vs. Java – Differences and Similarities
• Class Hierarchies
  – Both have single-rooted class hierarchies: System.Object and java.lang.Object
  – Both classes have methods that share some similarities and differences
• Execution Environment
  – Java is compiled to bytecode, which is interpreted or natively compiled and runs in a managed execution environment, the JVM
  – C# code is compiled to IL, which runs in the CLR
  – C# code is never interpreted; it is always natively compiled
  – C#'s IL is more type neutral

C# vs. Java – Differences and Similarities (Continued)
• Object Creation
  – In Java, objects are heap based
  – In C#, objects are heap based as well as stack based (called value types)
• Namespaces
  – In Java, packages reflect the physical directory layout
  – C# has complete separation of physical packaging and logical naming

C# vs. Java – Differences and Similarities (Continued)
• Access Modifiers

| C# access modifier | Java access modifier |
|--------------------|----------------------|
| private            | private              |
| public             | public               |
| internal           | protected            |
| protected          | N/A                  |
| internal protected | N/A                  |

• Serialization and Documentation
  – C# supports XML format as well as binary format for serialization, while Java only supports binary format by default
  – Java uses Javadoc while C# uses XML for documentation

C# vs. Java – Differences and Similarities (Continued)
• Deterministic object cleanup
  – C# supports the Dispose() method
  – C++-like destructors without memory allocation woes: best of both worlds
• Pointers and unsafe code
  – C# can use pointers when it is running in unsafe mode
  – The program must have been granted full trust beforehand
  – unsafe keyword, /unsafe compiler switch
  – fixed keyword prevents the garbage collector from moving the variable during the mark and collect phase
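
The two points on this slide in one piece of code, as an added example that is not part of the original slides: a `Dispose()`-based wrapper around unmanaged memory that is filled through an `unsafe` pointer pinned with `fixed`. The `NativeBuffer` class and its sample data are constructed for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
// Hypothetical wrapper around an unmanaged block. Compile with: csc /unsafe NativeBuffer.cs
sealed unsafe class NativeBuffer : IDisposable
{
    private byte* _mem;
    private readonly int _length;
    public NativeBuffer(int length)
    {
        _length = length;
        _mem = (byte*)Marshal.AllocHGlobal(length).ToPointer();
    }
    // Pointer writes are not bounds-checked by the CLR; the length test is the only guard.
    public void CopyFrom(byte[] src)
    {
        if (src == null) throw new ArgumentNullException("src");
        if (_mem == null) throw new ObjectDisposedException("NativeBuffer");
        if (src.Length > _length) throw new ArgumentException("source larger than buffer");
        fixed (byte* p = src)   // pins src so the GC cannot move it while p is in use
            for (int i = 0; i < src.Length; i++) _mem[i] = p[i];
    }

    public byte Read(int i)
    {
        if (_mem == null) throw new ObjectDisposedException("NativeBuffer");
        if (i < 0 || i >= _length) throw new IndexOutOfRangeException();
        return _mem[i];
    }

    // Deterministic cleanup: the block is freed when Dispose() is called, not when the GC runs.
    public void Dispose()
    {
        if (_mem == null) return;
        Marshal.FreeHGlobal(new IntPtr(_mem));
        _mem = null;
    }
}
static class Demo
{
    static void Main()
    {
        using (var buf = new NativeBuffer(4))   // Dispose() runs when the block exits, even on exceptions
        {
            buf.CopyFrom(new byte[] { 1, 2, 3, 4 });   // constructed sample data
            Console.WriteLine(buf.Read(3));
        }
    }
}
```

Code like this is unverifiable, which is why the slide notes that the program needs full trust before it can run.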

C# and interoperability
• Platform interoperability
  – How C# and Java run on various platforms
  – Java is a single-language platform
  – C# supports multiple languages as long as they conform to the CLS
  – Java has better portability across operating systems and platforms
  – C# currently runs only on Windows platforms
  – .NET platform files are compiled to PE files

C# and interoperability
• Standards interoperability
  – How do both languages access standards like database systems, graphics libraries, etc.?
  – C# and Java both don't scale too well due to Microsoft's and Sun's business motivations
  – C# has been submitted to ECMA to become a standard
  – .NET is sort of an open platform

C# and interoperability
• Language interoperability
  – Level and ease of integration with other languages
  – Java supports language interoperability through JNI and CORBA
  – .NET has language independence
  – .NET supports any language as long as it conforms to the CLS and CTS

Database Connectivity
• Database connectivity in .NET
  – Different APIs for connecting to the database
  – JDBC was introduced by Sun Microsystems in 1996
  – History of ADO and JDBC

ADO.NET Architecture
• Three Level Architecture
• XML and DataSet as objects of interaction
[Figure: ADO.NET three-tier diagram with the labels Presentation Tier, Business Tier, Data Tier, Windows Forms, Web Forms, MyApp.Exe, IE, Data Object (Class), DataSet, Data Adapter, Internet, Intranet, XML, Business to Business (BizTalk, for example)]

ADO.NET Architecture
• Three Layers of Architecture
• RecordSets, Statements – Connection and DriverManager

Offline DB Access
• Primitive offline DB access using ResultSets in JDBC
• Complete offline access in .NET using DataSets
[Fig 4.3 ADO.NET DataSet, with the labels DataSet, DataTableCollections, DataTable, DataRowCollection, DataColumnCollection, ConstraintCollection, DataRelationCollection]
• ADO.NET's DataSet Architecture
• DataSet functionality
• XML as a method of choice

Interoperability with XML
• ADO.NET's powerful support for XML
• XML functions in DataSets and ADO.NET
• Oracle's support for XML
[Figure: diagram with the labels XML, .NET developed Application, SQL DB, Oracle DB]

Security Issues concerning .NET and Java
• Secure development and execution environments
• CBAC: permission for code to access resources
• RBAC: permission for users/roles to access resources
• Code verification and execution: semantics, bytecode, safe execution environment
• Secure communication: pass data/messages securely
• Code and data integrity: no unauthorized code modification, cryptography

Code Based Access Control
• CBAC is the security mechanism that allows or prevents a piece of code from accessing resources
• Evidence Based Security, Permissions, Security Policy
• CLR reviews evidence of an assembly
• Determines identity from evidence
• Looks up and grants permissions based on the security policy for that assembly identity

Evidence Based Security
• The CLR examines assemblies to determine their origin
• CLR looks at metadata for:
  – where the code originated
  – creator of the assembly
  – URL and zone the assembly came from
• CLR verifies the association of metadata w/ an assembly

Permissions
• Permission: assigned to a piece of code, the allowance to execute a certain method or access a certain resource
• Assemblies request permissions to execute, and the CLR answers at runtime
• Permissions are grouped into sets w/ the same level of security and trust
• An assembly from the Internet zone may be granted the Internet permission set for untrusted code

Security Policy
• Security policy (SP) is set by an admin to make permission decisions for assemblies and domains
• Three policies: Total Enterprise, Machine executing code, Requesting User
• Any policy file may partially restrict permissions of another policy file
• SP groups code into hierarchical categories based on identity determined by the CLR
• SP determines permissions for an assembly after code is grouped and categorized
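
How evidence, code groups and the three policy levels combine into one grant, as an added example that is not part of the original slides: a simplified C# model, not the real System.Security.Policy API. The class names, permission names and sample evidence are constructed. It assumes the CLR rule that matching code groups within one level are unioned and the levels are then intersected (exclusive and level-final groups are left out), which is how one policy file restricts another.

```csharp
using System;
using System.Collections.Generic;
// Simplified model of CAS policy resolution (illustrative; not System.Security.Policy).
class Evidence { public string Zone; public string Url; }
class CodeGroup
{
    public Func<Evidence, bool> Matches;             // membership condition
    public string[] Grants = new string[0];          // permission set for members
    public List<CodeGroup> Children = new List<CodeGroup>();

    // Union of this group's grants with those of every matching descendant.
    public HashSet<string> Resolve(Evidence e)
    {
        var granted = new HashSet<string>();
        if (!Matches(e)) return granted;             // children count only under a matching parent
        granted.UnionWith(Grants);
        foreach (var child in Children) granted.UnionWith(child.Resolve(e));
        return granted;
    }
}

static class Policy
{
    // Final grant: intersection of what each level (enterprise, machine, user) allows.
    public static HashSet<string> Resolve(Evidence e, params CodeGroup[] levels)
    {
        if (levels.Length == 0) return new HashSet<string>();
        var result = levels[0].Resolve(e);
        foreach (var root in levels) result.IntersectWith(root.Resolve(e));
        return result;
    }

    static CodeGroup Group(Func<Evidence, bool> m, params string[] grants) =>
        new CodeGroup { Matches = m, Grants = grants };

    static void Main()
    {
        string[] all = { "Execute", "UI", "FileIO", "Network" };
        var enterprise = Group(e => true, all);      // constructed policy: no enterprise restriction
        var machine = Group(e => true);              // root grants nothing by itself
        machine.Children.Add(Group(e => e.Zone == "Internet", "Execute", "UI"));
        machine.Children.Add(Group(e => e.Zone == "MyComputer", all));
        var user = Group(e => true, "Execute", "UI", "FileIO");   // user level removes Network
        var downloaded = new Evidence { Zone = "Internet", Url = "http://example.test/app.exe" };
        var local = new Evidence { Zone = "MyComputer", Url = "file:///C:/apps/app.exe" };
        Console.WriteLine(string.Join(",", Policy.Resolve(downloaded, enterprise, machine, user)));
        Console.WriteLine(string.Join(",", Policy.Resolve(local, enterprise, machine, user)));
    }
}
```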

Java CBAC vs. .NET CBAC
• Permissions are grouped into protection domains and associated w/ groups of classes
• Permissions are grouped into sets and associated w/ code groups
• Classes are grouped by their origin, like code is categorized by the assembly's zone
• No Security Manager by default in Java
• J2EE has 2 SP types: executing machine & requesting user
• .NET provides a lot of standard permissions
• Stronger credentials needed for permissions in .NET (evidence)
• SP files are more configurable in Java, but that doesn't help w/o all perm sets

Role Based Access Control
• .NET applies 'Principal' term to role membership
• .NET uses many plug-in authentication modules
• Windows: Windows apps using Security Support Provider Interface
• Passport: Microsoft-implemented centralized authentication service
• Form based: HTML logon form from ASP.NET; identity cookies
• IIS Server: built-in mechanisms like Basic, Digest, X.509 certs w/ SSL
• Impersonation: allows a user to use another identity to access another application

Java RBAC vs. .NET RBAC
• .NET supports both imperative and declarative role permission checking
• Java servlets provide declarative checking at the servlet level
• EJBs provide declarative checking down to method level
• JAAS provides imperative checking within method level
• .NET flexibility is limited severely
• IIS is the only supported server of the .NET framework
• Passport requires users to be members of the Microsoft Passport service
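
Declarative and imperative role checks in .NET side by side, as an added example that is not part of the original slides. It assumes the .NET Framework, where `PrincipalPermission` demands are enforced; the `Payroll` class, role names and users are constructed.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class Payroll
{
    // Declarative check: the CLR enforces the role before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public static string ApproveRaise() { return "raise approved"; }

    // Imperative check: the code decides at run time whether a role is required.
    public static string ViewSalary(string owner)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller.Identity.Name != owner)
            new PrincipalPermission(null, "Managers").Demand();   // any user name, role Managers
        return "salary of " + owner;
    }
}

static class Demo
{
    static void RunAs(string name, params string[] roles)
    {
        // Constructed principal standing in for an authenticated user.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        Try(name + " ApproveRaise", Payroll.ApproveRaise);
        Try(name + " ViewSalary(alice)", () => Payroll.ViewSalary("alice"));
    }

    static void Try(string label, Func<string> action)
    {
        try { Console.WriteLine(label + ": " + action()); }
        catch (SecurityException) { Console.WriteLine(label + ": denied"); }
    }

    static void Main()
    {
        RunAs("alice", "Staff");      // staff member reading her own record
        RunAs("bob", "Managers");     // manager
        RunAs("mallory", "Staff");    // staff member reading someone else's record
    }
}
```

A failed demand surfaces as a `SecurityException`, so the caller sees the same failure whether the check was declared in metadata or made in code.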

Code Verification and Execution
• Prevent exposure of system weaknesses by application errors, malicious or not
• .NET and Java perform security checks during code execution
• Stack integrity, bytecode structure, buffer overflows, semantics
• Application Domains have static boundaries
• Protection Domains have dynamic boundaries
• All security checks to verify code are done on managed code
• Both .NET and Java allow unmanaged code to bypass the CLR and JRE

Secure Communication
• Secure communications are done at the application level
• Both platforms support SSL and TLS
• .NET apps can use Windows SSPI and IIS
• Java provides Java Secure Sockets Extensions (JSSE)
• JSSE is very flexible, can be configured easily for RMI

Secure Code and Data Protection
• .NET uses Windows Crypto API
• Java Crypto Extensions (JCE) and Java Crypto Architecture (JCA)
• Signed distribution files are necessary for source verification
• .NET uses strong named assemblies signed with an RSA keypair
• Java's JAR files are sealed and each class is signed
• Java's manifest files don't require version info
• Once again .NET is tied to Windows so Java is more flexible
• Crypto algorithms are based on published standards

Middleware Interoperability: COM
• .NET can access a COM client, just as COM can access a .NET client
• Runtime Callable Wrapper (RCW) wraps the COM object
• COM Callable Wrapper (CCW) wraps the .NET object
• System.Runtime.InteropServices.ComVisible limits what a COM client can call

Middleware Interoperability: .NET Remoting vs. RMI
• .NET creates 'Channels' to remotely access objects; HTTP, TCP
• .NET does allow the creation of custom channels; IIOP
• RMI creates sockets to remotely access objects; IIOP, JRMP
• .NET doesn't have a naming registry for services

Middleware Interoperability: CORBA
• CORBA is one of the most used middleware platforms today
• Microsoft doesn't support IIOP, Java does
• Create custom channel using TCP/IIOP
• Use wrappers, connect to a CORBA object via a COM object