lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20060327055810.3335.qmail@web61312.mail.yahoo.com>
Date: Mon Mar 27 07:20:04 2006
From: pilonmntry at yahoo.com (Pilon Mntry)
Subject: 4 Questions: Latest IE vulnerability,
	Firefox vs IE security, User vs Admin risk profile,
	and browsers coded in 100% Managed Verifiable code


> of creating a
> full-featured
> browser, from scratch, with usability as good as IE
> and Firefox
> strikes me as a fairly tricky project. 

I agree.

> What about
> using the
> facilities already provided by the OS to enforce the
> sandbox? 

But then will it be possible to prevent buffer
overflows, still running on unmanaged code?

Very nice points by Dinis, esp. the one about the
"advantages" of using our boxes with less privileges
(for internet browsing).

-pilon

--- Brian Eaton <eaton.lists@...il.com> wrote:

> On 3/25/06, Dinis Cruz <dinis@...lus.net> wrote:
> > 4) Finally, isn't the solution for the creation of
> secure and
> > trustworthy Internet Browsing environments the
> development of browsers
> > written in 100% managed and verifiable code, which
> execute on a secure
> > and very restricted Partially Trusted
> Environments? (under .Net, Mono or
> > Java). This way, the risk of buffer overflows will
> be very limited, and
> > when logic or authorization vulnerabilities are
> discovered in this
> > 'Partially Trusted IE' the 'Secure Partially
> Trusted environment' will
> > limit what the malicious code (i.e. the exploit)
> can do.
> 
> I am less than enthusiastic about most of the
> desktop java
> applications I use.  They are, for the most part,
> sluggish, memory
> gobbling beasts, prone to disintegration if I look
> at them cross-eyed
> or click the mouse too frequently.
> 
> Usability problems with java applications are not
> necessarily due to
> managed code, of course, but the idea of creating a
> full-featured
> browser, from scratch, with usability as good as IE
> and Firefox
> strikes me as a fairly tricky project.  What about
> using the
> facilities already provided by the OS to enforce the
> sandbox?  Rather
> than scrapping the existing codebases, start running
> them with
> restricted rights.  Use mandatory access control
> systems to make sure
> the browser doesn't overstep its bounds.
> 
> Regards,
> Brian
> 
>
-------------------------------------------------------------------------
> This List Sponsored by: SpiDynamics
> 
> ALERT: "How A Hacker Launches A Web Application
> Attack!"
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks
> with real-world
> examples of recent hacking methods such as: SQL
> Injection, Cross Site
> Scripting and Parameter Manipulation
> 
>
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
>
--------------------------------------------------------------------------
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ