# Wednesday, June 19, 2002
What about J#?

When I looked at beta 1 of J#, I found so many bugs in the first day of playing with it that I decided to report the bugs to Microsoft and then ignore the product until the next beta. When beta 2 arrived, two of the bugs I reported hadn't been fixed, but I decided to go ahead and play with it for a couple of days anyways. What I found was devastating: The J# object model is fundamentally broken. In order for it to function, it requires a huge security hole. I reported this to Microsoft and gave up on the tool. Since then I've been looking for an alternative, but recently I finally decided to build my own JVM for .NET.

Wednesday, June 19, 2002 12:22:26 PM (W. Europe Daylight Time, UTC+02:00)
Wednesday, June 19, 2002 2:12:59 PM (W. Europe Daylight Time, UTC+02:00)

Any references or details on the huge security hole? How do you plan on avoiding it in I#@!?K.VM.NET (hey, my random punctuation is just as understandable as yours ;) )
Thursday, June 20, 2002 1:43:51 PM (W. Europe Daylight Time, UTC+02:00)

The security hole in J# is needed because they decided to derive java.lang.Object from System.Object; this causes all sorts of problems. For example, arrays do not derive from java.lang.Object, so what they did was add a runtime method com.ms.vjsharp.lang.'<VerifierFix>'::getJavaLangObjectFromSystemObject() that allows you to convert a System.Object reference to a java.lang.Object reference. Not a good idea, because java.lang.Object has more virtual methods than System.Object; this exposes methods via the wrong signatures, thus introducing a security hole.
I avoid this problem by aliasing java.lang.Object and System.Object. In other words, whenever in Java you refer to java.lang.Object, it gets compiled to a reference to System.Object. Because System.Object and java.lang.Object have the same virtual methods, this works.
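
The following is an added example, not part of the original comment and not J# or CLR code: a toy model of slot-based virtual dispatch that contrasts an unchecked System.Object to java.lang.Object conversion with a checked cast and with the aliasing approach. The slot layouts, the `ArrayLike` type and its `set_raw` method are assumptions constructed for illustration.

```python
# Toy model of slot-based virtual dispatch. All slot layouts and the
# ArrayLike.set_raw method are constructed; they are not CLR or J# layouts.
class Type:
    def __init__(self, name, base=None, new_virtuals=()):
        self.name, self.base = name, base
        # A subtype inherits its base's slots and appends its own.
        self.vtable = (list(base.vtable) if base else []) + list(new_virtuals)

    def is_subtype_of(self, other):
        t = self
        while t is not None:
            if t is other:
                return True
            t = t.base
        return False

SYSTEM_OBJECT = Type("System.Object", None, [
    "ToString()", "Equals(object)", "GetHashCode()", "Finalize()"])
# Design A (assumed model of deriving): java.lang.Object appends a virtual slot.
JAVA_OBJECT_DERIVED = Type("java.lang.Object", SYSTEM_OBJECT, ["clone()"])
# A type that derives from System.Object only, as the comment says arrays do.
ARRAY_LIKE = Type("ArrayLike", SYSTEM_OBJECT, ["set_raw(int,int)"])
# Design B (aliasing): java.lang.Object is the very same type as System.Object.
JAVA_OBJECT_ALIASED = SYSTEM_OBJECT

def checked_cast(runtime_type, target):
    """A verifiable cast: refuse unless the object really is a `target`."""
    if not runtime_type.is_subtype_of(target):
        raise TypeError(f"{runtime_type.name} is not a {target.name}")
    return target

def unchecked_convert(runtime_type, target):
    """Models a conversion helper that skips the subtype check."""
    return target

def dispatch(static_type, runtime_type, method):
    """Resolve `method` via the static type's slot index in the runtime vtable.

    Returns the method that would actually run, or None if the slot does not
    exist on the runtime type.
    """
    slot = static_type.vtable.index(method)
    table = runtime_type.vtable
    return table[slot] if slot < len(table) else None
```

In the derived model, a call to `clone()` through an unchecked reference resolves to whatever the runtime type happens to keep in that slot; with aliasing there is no extra slot, so every call lands on a method with the signature the caller expected.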
Tuesday, August 20, 2002 8:39:55 AM (W. Europe Daylight Time, UTC+02:00)

So why is this a HUGE security hole?
Davorin Mestric