# Wednesday, 19 June 2002
What about J#?

When I looked at beta 1 of J#, I found so many bugs in the first day of playing with it that I decided to report the bugs to Microsoft and then ignore the product until the next beta. When beta 2 arrived, two of the bugs I reported hadn't been fixed, but I decided to go ahead and play with it for a couple of days anyways. What I found was devastating: The J# object model is fundamentally broken. In order for it to function, it requires a huge security hole. I reported this to Microsoft and gave up on the tool. Since then I've been looking for an alternative, but recently I finally decided to build my own JVM for .NET.

Wednesday, 19 June 2002 12:22:26 (W. Europe Daylight Time, UTC+02:00)
Wednesday, 19 June 2002 14:12:59 (W. Europe Daylight Time, UTC+02:00)

Any references or details on the huge security hole? How do you plan on avoiding it in I#@!?K.VM.NET (hey, my random punctuation is just as understandable as yours ;) )
Stuart
Thursday, 20 June 2002 13:43:51 (W. Europe Daylight Time, UTC+02:00)

The security hole in J# is needed because they decided to derive java.lang.Object from System.Object; this causes all sorts of problems. For example, arrays do not derive from java.lang.Object, so what they did was add a runtime method com.ms.vjsharp.lang.'<VerifierFix>'::getJavaLangObjectFromSystemObject() that allows you to convert a System.Object reference to a java.lang.Object reference. Not a good idea, because java.lang.Object has more virtual methods than System.Object; this exposes methods via the wrong signatures, thus introducing a security hole.
I avoid this problem by aliasing java.lang.Object and System.Object. In other words, whenever in Java you refer to java.lang.Object, it gets compiled to a reference to System.Object. Because System.Object and java.lang.Object have the same virtual methods, this works.
Tuesday, 20 August 2002 08:39:55 (W. Europe Daylight Time, UTC+02:00)

So why is this a HUGE security hole?
Davorin Mestric
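
The comment of 20 June 2002 above describes an unchecked conversion between reference types whose virtual method tables differ. The following is an added illustration, not code from the blog author or from J#: a small model of slot-based virtual dispatch showing why such a conversion breaks type safety. The slot layouts, the `hypotheticalArrayOp` method and all helper names are assumptions made for the model.

```python
# Constructed model of slot-based virtual dispatch. Type layouts are
# illustrative assumptions, not the real CLR or J# method tables.

class Type:
    def __init__(self, name, base=None, new_virtuals=()):
        self.name, self.base = name, base
        # A derived type inherits the base slots and appends its own.
        self.vtable = (base.vtable if base else []) + list(new_virtuals)

    def derives_from(self, other):
        t = self
        while t is not None:
            if t is other:
                return True
            t = t.base
        return False

SYSTEM_OBJECT = Type("System.Object", None,
                     ["ToString()", "Equals(object)", "GetHashCode()", "Finalize()"])
JAVA_OBJECT = Type("java.lang.Object", SYSTEM_OBJECT, ["clone()"])
# Hypothetical array type: derives from System.Object, NOT java.lang.Object.
INT_ARRAY = Type("int[]", SYSTEM_OBJECT, ["hypotheticalArrayOp(int, object)"])

class Ref:
    """A reference: the static type the verifier believes, plus the real object type."""
    def __init__(self, static_type, runtime_type):
        self.static_type, self.runtime_type = static_type, runtime_type

def checked_cast(ref, target):
    # What a type-safe runtime does: refuse if the object is not a `target`.
    if not ref.runtime_type.derives_from(target):
        raise TypeError(f"{ref.runtime_type.name} is not a {target.name}")
    return Ref(target, ref.runtime_type)

def unchecked_cast(ref, target):
    # Models a conversion helper that relabels the reference without checking.
    return Ref(target, ref.runtime_type)

def callvirt(ref, method):
    # Slot is resolved against the STATIC type, then used on the REAL vtable.
    slot = ref.static_type.vtable.index(method)
    table = ref.runtime_type.vtable
    return table[slot] if slot < len(table) else "<read past end of vtable>"
```

In this model, calling `clone()` through an unchecked reference to an array lands on an unrelated method with a different signature, and on a plain System.Object it indexes past the end of the table; `checked_cast` rejects both conversions.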