[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4429CA0D.40908@ddplus.net>
Date: Wed Mar 29 04:02:24 2006
From: dinis at ddplus.net (Dinis Cruz)
Subject: Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L]
4 Questions: Latest
IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and
browsers coded in 100% Managed Verifiable code
Hello Eric (comments inline)
Eric Swanson wrote:
> Because I believe that Microsoft will never be as cooperative with .NET and
> the developer community as Sun is with Java, is there an opportunity for
> another company to step up to the plate on Microsoft's behalf?
There is definitely an opportunity here. At the moment I see two big
players that could move into that space: Novell and IBM.
Both have the resources to do it, and the motivation. The main questions
are:
- Do they want to buy that 'war' with Microsoft?
- Do they 'believe' that this a worthwhile project and one that will
help their bottom line?
- Can they do it in an open and transparent way that attracts a
strong community to it? (note that this community will be critical to
the project, since I believe that no company in the world has the
resources to it by itself)
This could also be done by a very dynamic and well funded Open Source
project (maybe by several governments or by companies/corporations which
decide that they need to be more proactive in the protection of their
critical resources and assets)
> The .NET
> Framework is completely public, and, although Mono continues to have its
> workload increased by each Framework release, I think there may be an
> opportunity for a company or organization to step-in and take the reigns
> where Microsoft left off. How possible is it to "plug-in" to the CLR and
> make extensions to the core?
>
It is very doable. Note that there are already 4 different flavors of
the CLR (Microsoft's .Net Framework, Rotor, Mono and DotGnu)
See also the Postbuild commercial application
(http://www.xenocode.com/Products/Postbuild/) which claims (I have not
used it) to create Native x86 executables which allows .NET
applications to run anywhere, with or without the Framework.
This is something that I always wanted to do since it should (depending
how it is done) allow the dramatic reduction of code (and dlls) that
needs to be loaded in memory (the ultimate objective would be to create
mini-VMs that were completely isolated from the host OS (or only having
very specific interfaces / contact points)).
Also while I was doing my 'Rooting the CLR' research, since Microsoft
does provide the Symbols for core .Net Assemblies, there is a lot that
can be done at that level. That said, this work would be greatly
simplified if Microsoft released the source code of the entire .Net
Framework :)
> Perhaps a better project for OWASP.NET than security vulnerability detection
> utilities is a security plug-in to the CLR engine for byte code signature
> registration and verification?
Agree, the problem we have is resources (and lack of funding)
Btw, at Owasp .Net we have now much more than just 'Security
Vulnerability Detection Utilities' :)
Apart from those utilities (namely ANSA and ANBS) we now also have:
* Owasp Site Generator : Dynamic website creator to test Web
Application Scanners and Web Application Firewalls (and a great tool for
developers to learn about security vulnerabilities)
* Owasp PenTest Reporter : Tool that aids in the process of
documenting, reporting and tracking security vulnerabilities discovered
during Penetration Testing engagements
* DefApp (Proof of Concept): Web Application Firewall
Another project that I would love to do is to work on a plug-in manager
for Firefox which would execute all Firefox plug-ins in a managed and
verifiable .Net sandbox (maybe built around mono (which was were this
idea was suggested to me))
> Would this task even be feasible? (Managed
> code only?) Is it even worth the effort, considering the possibility of
> further development from Microsoft?
>
I think that it would be worth the effort, the problem is 'who will fund
this'.
I don't think that this is a project that can be done on the backs of
the odd spare times that its main developers would be able to allocate
to it.
> *Personally, I have never attempted to work below the top layers of .NET.
>
It's not that hard :)
> But, it seems to me that plugging into the core would be a better option
> than some kind of wrapper sandbox, especially with regard to change control
> (top layers are likely to change more often and more drastically than lower
> layers).
>
Absolutely, and remember that ideally this tool would also remove 95% of
that 'top layer' since it is not required.
I am also not convinced of the robustness of the current implementation
of CAS in .Net 1.1 and 2.0. There are too many security demands in too
many places.
> Should it be a task of the OWASP.Java team to work with Sun "Mustang"?
>
Maybe, but first you need to create that Owasp.Java team :)
There are a lot of Java guys at Owasp, but they all are working on
separate projects
> Could there ever be a silver bullet sandbox for all executables, regardless
> of language?
No I don't think so.
You will need to look at each different type of executables (mobile
code, web apps, desktop apps, windows services, 'real-time apps', etc..)
and create solutions for each one (there might be tons of code reuse,
but the focus will be different).
This means that you will need different versions of the Garbage
Collector, different versions of the security manager, and probably even
different versions of the Verifier.
And the best justification for having these different versions of core
components of the CLR is given by Microsoft's failed attempt with Vista
to implement large parts of the OS on top of the .Net Framework. I don't
know the details of this failure (since I was not there) but my belief
is that the fundamental problem was that they were using the .Net CLR in
ways it was never designed to (for example in time-sensitive apps or
heavy graphics / memory manipulation).
The problem was not that Microsoft tried to build Vista on top of
managed code, the problem was that they did it on top of the .Net Framework.
> Wouldn't this turn into just another evolution of anti-virus
> programs?
>
Well, anti-virus will probably, eventually, create such sandboxed
environments, but at the moment I don't see a lot of movement from that
side.
> "Even if you just barely scratch the surface, you've made a visible change
> that everyone can see and, who knows, may even cause them to want to make a
> scratch of their own."
>
Perfect quote, and I have to say that all that I am trying to do here is
to raise the awareness of these issues in the hope that somebody,
somewhere will take them seriously and start the process of creating
secure and trustworthy computing environments.
> Thinking out loud,
>
So am I :)
> --Eric Swanson
>
>
Dinis Cruz
Owasp .Net Project
www.owasp.net
Powered by blists - more mailing lists