| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Mar 27 07:20:04 2006 From: pilonmntry at yahoo.com (Pilon Mntry) Subject: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code > of creating a > full-featured > browser, from scratch, with usability as good as IE > and Firefox > strikes me as a fairly tricky project. I agree. > What about > using the > facilities already provided by the OS to enforce the > sandbox? But then will it be possible to prevent buffer overflows, still running on unmanaged code? Very nice points by Dinis, esp. the one about the "advantages" of using our boxes with less privileges (for internet browsing). -pilon --- Brian Eaton <eaton.lists@...il.com> wrote: > On 3/25/06, Dinis Cruz <dinis@...lus.net> wrote: > > 4) Finally, isn't the solution for the creation of > secure and > > trustworthy Internet Browsing environments the > development of browsers > > written in 100% managed and verifiable code, which > execute on a secure > > and very restricted Partially Trusted > Environments? (under .Net, Mono or > > Java). This way, the risk of buffer overflows will > be very limited, and > > when logic or authorization vulnerabilities are > discovered in this > > 'Partially Trusted IE' the 'Secure Partially > Trusted environment' will > > limit what the malicious code (i.e. the exploit) > can do. > > I am less than enthusiastic about most of the > desktop java > applications I use. They are, for the most part, > sluggish, memory > gobbling beasts, prone to disintegration if I look > at them cross-eyed > or click the mouse too frequently. > > Usability problems with java applications are not > necessarily due to > managed code, of course, but the idea of creating a > full-featured > browser, from scratch, with usability as good as IE > and Firefox > strikes me as a fairly tricky project. What about > using the > facilities already provided by the OS to enforce the > sandbox? Rather > than scrapping the existing codebases, start running > them with > restricted rights. Use mandatory access control > systems to make sure > the browser doesn't overstep its bounds. > > Regards, > Brian > > ------------------------------------------------------------------------- > This List Sponsored by: SpiDynamics > > ALERT: "How A Hacker Launches A Web Application > Attack!" > Step-by-Step - SPI Dynamics White Paper > Learn how to defend against Web Application Attacks > with real-world > examples of recent hacking methods such as: SQL > Injection, Cross Site > Scripting and Parameter Manipulation > > https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl > -------------------------------------------------------------------------- > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Powered by blists - more mailing lists