Message-ID: <000901c651e3$ae8b2b20$6401a8c0@agi.alexandergroupinc.com>
Date: Mon Mar 27 23:47:20 2006
From: eric at eric-swanson.com (Eric Swanson)
Subject: RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code

Because I believe that Microsoft will never be as cooperative with .NET and
the developer community as Sun is with Java, is there an opportunity for
another company to step up to the plate on Microsoft's behalf?  The .NET
Framework is completely public, and, although Mono continues to have its
workload increased by each Framework release, I think there may be an
opportunity for a company or organization to step in and take the reins
where Microsoft left off.  How possible is it to "plug-in" to the CLR and
make extensions to the core?

Perhaps a better project for OWASP.NET than security vulnerability detection
utilities is a security plug-in to the CLR engine for byte code signature
registration and verification?  Would this task even be feasible?  (Managed
code only?)  Is it even worth the effort, considering the possibility of
further development from Microsoft?

*Personally, I have never attempted to work below the top layers of .NET.
But, it seems to me that plugging into the core would be a better option
than some kind of wrapper sandbox, especially with regard to change control
(top layers are likely to change more often and more drastically than lower
layers).

Should it be a task of the OWASP.Java team to work with Sun "Mustang"?

Could there ever be a silver bullet sandbox for all executables, regardless
of language?  Wouldn't this turn into just another evolution of anti-virus
programs?

"Even if you just barely scratch the surface, you've made a visible change
that everyone can see and, who knows, may even cause them to want to make a
scratch of their own."

Thinking out loud,
--Eric Swanson

-----Original Message-----
From: owasp-dotnet-admin@...ts.sourceforge.net
[mailto:owasp-dotnet-admin@...ts.sourceforge.net] On Behalf Of Jeff Williams
Sent: Sunday, March 26, 2006 9:02 PM
To: owasp-leaders@...ts.sourceforge.net; owasp-dotnet@...ts.sourceforge.net;
webappsec@...urityfocus.com; SC-L@...urecoding.org;
full-disclosure@...ts.grok.org.uk; dailydave@...ts.immunitysec.com
Cc: 'Wall, Kevin'
Subject: RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions:
Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile,
and browsers coded in 100% Managed Verifiable code


> I am not a Java expert, but I think that the Java Verifier is NOT used on
> Apps that are executed with the Security Manager disabled (which I believe
> is the default setting) or are loaded from a local disk (see "... applets
> loaded via the file system are not passed through the byte code verifier"
> in http://java.sun.com/sfaq/)

I believe that as of Java 1.2, all Java code except the core libraries must
go through the verifier, unless it is specifically disabled (java
-noverify).  Note that Mustang will have a new, faster, better? verifier and
that Sun has made the new design and implementation available to the
community with a challenge to find security flaws in this important piece of
their security architecture. https://jdk.dev.java.net/CTV/challenge.html.
Kudos to Sun for engaging with the community this way.

--Jeff








_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet@...ts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-dotnet


