# Wednesday, June 19, 2002
What about J#?

When I looked at beta 1 of J#, I found so many bugs in the first day of playing with it that I decided to report the bugs to Microsoft and then ignore the product until the next beta. When beta 2 arrived, two of the bugs I reported hadn't been fixed, but I decided to go ahead and play with it for a couple of days anyways. What I found was devastating: The J# object model is fundamentally broken. In order for it to function, it requires a huge security hole. I reported this to Microsoft and gave up on the tool. Since then I've been looking for an alternative, but recently I finally decided to build my own JVM for .NET.

Wednesday, June 19, 2002 12:22:26 PM (W. Europe Daylight Time, UTC+02:00)

Comments [3]
Wednesday, June 19, 2002 2:12:59 PM (W. Europe Daylight Time, UTC+02:00)

Any references or details on the huge security hole? How do you plan on avoiding it in I#@!?K.VM.NET (hey, my random punctuation is just as understandable as yours ;) )
Thursday, June 20, 2002 1:43:51 PM (W. Europe Daylight Time, UTC+02:00)

The security hole in J# is needed because they decided to derive java.lang.Object from System.Object; this causes all sorts of problems. For example, arrays do not derive from java.lang.Object, so what they did was add a runtime method com.ms.vjsharp.lang.'<VerifierFix>'::getJavaLangObjectFromSystemObject() that allows you to convert a System.Object reference to a java.lang.Object reference. Not a good idea, because java.lang.Object has more virtual methods than System.Object; this exposes methods via the wrong signatures, thus introducing a security hole.
I avoid this problem by aliasing java.lang.Object and System.Object. In other words, whenever in Java you refer to java.lang.Object, it gets compiled to a reference to System.Object; because System.Object and java.lang.Object have the same virtual methods, this works.
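
Added example, not part of the original post or its comments and not J# or IKVM code: a toy C model of the mismatch the comment above describes, where a reference is retyped without a check and calls then go through slots the real object does not have. The type names (ROOT, JOBJ, ARR), the slot layouts and every function name are constructed for illustration.

```c
/* Toy model, constructed for illustration: a type is a table of virtual-method
 * slots. ROOT stands in for System.Object, JOBJ for a java.lang.Object derived from it. */
#include <stdio.h>
#include <string.h>

typedef struct TypeInfo {
    const char *name;
    const struct TypeInfo *base;      /* NULL for the root type */
    size_t nslots;                    /* number of virtual-method slots */
    const char *const *sigs;          /* signature held by each slot */
} TypeInfo;
typedef struct { const TypeInfo *type; } Obj;

static const char *const root_sigs[] = {"ToString()", "Equals(object)", "GetHashCode()"};
static const char *const jobj_sigs[] = {"ToString()", "Equals(object)", "GetHashCode()", "clone()", "notify()"};
static const char *const arr_sigs[]  = {"ToString()", "Equals(object)", "GetHashCode()", "get_Length()"};
static const TypeInfo ROOT = {"ROOT", NULL, 3, root_sigs};
static const TypeInfo JOBJ = {"JOBJ", &ROOT, 5, jobj_sigs};
static const TypeInfo ARR  = {"ARR", &ROOT, 4, arr_sigs};  /* derives from ROOT only */

typedef enum { CALL_OK, CALL_WRONG_SIG, CALL_NO_SLOT } CallResult;

static int is_instance(const Obj *o, const TypeInfo *t) {
    for (const TypeInfo *cur = o->type; cur; cur = cur->base)
        if (cur == t) return 1;
    return 0;
}
/* Checked downcast: refuses objects that are not really a `t`. */
static const Obj *checked_cast(const Obj *o, const TypeInfo *t) {
    return is_instance(o, t) ? o : NULL;
}
/* Unchecked conversion: only the static type changes, the object does not. */
static const Obj *unchecked_cast(const Obj *o, const TypeInfo *t) { (void)t; return o; }

/* What a call through slot `slot` of static type `st` lands on in the real object. */
static CallResult dispatch(const Obj *o, const TypeInfo *st, size_t slot) {
    if (slot >= st->nslots || slot >= o->type->nslots) return CALL_NO_SLOT;
    return strcmp(st->sigs[slot], o->type->sigs[slot]) == 0 ? CALL_OK : CALL_WRONG_SIG;
}

int main(void) {
    const Obj arr = {&ARR}, jobj = {&JOBJ};
    const Obj *confused = unchecked_cast(&arr, &JOBJ);
    printf("checked cast of array:  %s\n", checked_cast(&arr, &JOBJ) ? "allowed" : "rejected");
    printf("clone() on real JOBJ:   %d\n", dispatch(&jobj, &JOBJ, 3));
    printf("clone() on array:       %d\n", dispatch(confused, &JOBJ, 3));
    printf("notify() on array:      %d\n", dispatch(confused, &JOBJ, 4));
    return 0;
}
```

In the model, the checked cast rejects the array, while the unchecked one lets slot 3 resolve to a method with a different signature and slot 4 to no method at all.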
Tuesday, August 20, 2002 8:39:55 AM (W. Europe Daylight Time, UTC+02:00)

So why is this a HUGE security hole?
Davorin Mestric