James Gosling says Microsoft's use of C and C++ in its .NET platform has left "a security hole large enough to drive many, many trucks through."
James Gosling, CTO of Sun's Developer Products group and the father of the Java programming language, has called Microsoft's decision to support C and C++ in the common language runtime in .NET one of the "biggest and most offensive mistakes that they could have made" in his speech to developers at an event in Sydney earlier this week. He further commented that by including the two languages into Microsoft's software development platform, the company "has left open a security hole large enough to drive many, many large trucks through."
According to Gosling, the security hole is based upon the fact that several features of the older languages are ambivalent with regards to security: "C++ allowed you to do arbitrary casting, arbitrary adding of images and pointers, and converting them back and forth between pointers in a very, very unstructured way.
"If you look at the security model in Java and the reliability model, and a lot of things in the exception handling, they depend really critically on the fact that there is some integrity to the properties of objects. So if somebody gives you an object and says 'This is an image', then it is an image. It's not like a pointer to a stream, where it just casts an image," said Gosling.
Microsoft developer evangelist Charles Sterling didn't entirely disagree with Gosling's comments, but he sought to clarify the issue with .NET's security. Sterling pointed out that .NET defines different sorts of code. "Managed" code is code that is executed under the control of the .NET framework. New languages such as C# and Visual Basic.NET only produce managed code.
However, Gosling is concerned about "unsafe" code, which is produced by traditional languages like C and C++. Unsafe code is old code that does not strictly follow the rules of type safety that .NET defines, and this sort of code requires additional permissions to execute. According to Sterling, "you as a developer take it upon yourself" to utilize unsafe code in your .NET applications.
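The distinction Sterling draws is visible in C# itself. The following is an added illustration, not code from the article or from either company: a managed cast, which the runtime checks against the object's real type, beside an `unsafe` block that reinterprets memory through a pointer, the kind of arbitrary conversion Gosling objects to. The `Image` and `Stream` classes are stand-ins invented for the example; the `unsafe` block only compiles when the developer explicitly opts in (the `/unsafe` compiler switch or `AllowUnsafeBlocks` in the project file), which is the "take it upon yourself" step Sterling describes.

```csharp
// Added example, not from the article: managed type checking versus
// unsafe pointer reinterpretation in C#. Classes below are invented stand-ins.
using System;

class Image { public int Width = 640; public int Height = 480; }
class Stream { public long Position = 0; }

static class Demo
{
    // Managed code: the runtime verifies the object's actual type. If the
    // caller hands over a Stream while claiming "this is an Image", the cast
    // fails with InvalidCastException rather than silently succeeding.
    // This is the object integrity Gosling says Java's security model relies on.
    static Image ManagedCast(object o) => (Image)o;

    // Unsafe code: the compiler lets us take the address of a long and read it
    // back through an int pointer, bypassing the type system entirely. Nothing
    // at runtime checks that the bytes are "really" an int. Such code is not
    // verifiable by the framework and needs extra permission to run, which is
    // why .NET requires an explicit opt-in to compile it at all.
    static unsafe int UnsafeReinterpret(long value)
    {
        long* p = &value;       // pointer to the 8-byte long on the stack
        return *(int*)p;        // reinterpret its first 4 bytes as an int
    }

    static void Main()
    {
        object notAnImage = new Stream();
        try
        {
            ManagedCast(notAnImage);
        }
        catch (InvalidCastException e)
        {
            Console.WriteLine("Managed cast rejected: " + e.Message);
        }

        int reinterpreted = UnsafeReinterpret(0x0000000100000002L);
        Console.WriteLine("Unsafe reinterpretation returned: " + reinterpreted);
    }
}
```

The managed path fails loudly and predictably; the unsafe path returns whatever bytes happen to sit at that address, and a reviewer auditing a .NET code base can grep for `unsafe` and `AllowUnsafeBlocks` to find exactly where that trade-off was accepted.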
An important point is that the so-called unsafe code does have the potential to run faster than "managed" code due to some languages' ability to include machine-specific features that may sacrifice platform portability for speed. Sterling acknowledged this as he said that the choice between the two platforms is all about risk: if developers are willing to "accept the risk" of unsafe code then they may gain access to "the best performance system on the planet."
Sterling also gave the debate a reality check when asked about his personal knowledge of .NET developers actually implementing C or C++ code under the .NET framework. Of the approximately one thousand developers that Sterling knows, he could only recall one developing directly in C++ under .NET. Whether this indicates an unwillingness on the part of developers to utilize unsafe code is not clear.