Secure Coding mailing list archives
Managed Code and Runtime Environments - Another layer of added security?
From: mouse at Rodents.Montreal.QC.CA (der Mouse)
Date: Wed, 29 Mar 2006 12:19:19 -0500 (EST)
> Which brings us to the point of asking why we must have this run time environment to protect the computing resources. Why isn't this a function of and included in the Operating System code?
Because "we" chose an OS that doesn't do that.
> Is this like a firewall and IDS - just another layer we have to add due to ineffective and insecure OS's?
In a sense. But I'd put it in a way that slants it rather differently; I'd say that they are layers "we" have to add because "we" chose an OS that didn't include that stuff. It's not the OS's fault that it doesn't do something it's not designed to do. The real problem from this perspective is all the people who are picking Windows or Linux or something to run on their machines and then expecting it to have security properties it was never intended to have.
Of course, if you try a "real" (from this security standpoint) OS, you will find that, as it must to achieve that level of assurance, it makes a lot of the things you're used to doing a lot harder. I suspect that between the additional up-front cost of such an OS and the inconvenience it imposes, most people prefer "add-on" security - less thorough but sufficiently less costly to tip the balance. (Actually, I suspect most people don't actually think about it and just grumble that the OS doesn't Just Do The Right Thing, even though that would require the mythical mind-reading peripheral.)
> Are we dealing with symptoms or the real solution?
Symptoms. The real problem is...well, depending on how you want to spin it, it could be "choosing the wrong OS for the job" or "the high cost of inconvenience" or various other things.
/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B