WebApp Sec mailing list archives

RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code


From: "Eric Swanson" <eric () eric-swanson com>
Date: Mon, 27 Mar 2006 14:16:12 -0700

Because I believe that Microsoft will never be as cooperative with .NET and
the developer community as Sun is with Java, is there an opportunity for
another company to step up to the plate on Microsoft's behalf?  The .NET
Framework is completely public, and, although Mono continues to have its
workload increased by each Framework release, I think there may be an
opportunity for a company or organization to step in and take the reins
where Microsoft left off.  How possible is it to "plug-in" to the CLR and
make extensions to the core?

Perhaps a better project for OWASP.NET than security vulnerability detection
utilities is a security plug-in to the CLR engine for byte code signature
registration and verification?  Would this task even be feasible?  (Managed
code only?)  Is it even worth the effort, considering the possibility of
further development from Microsoft?

*Personally, I have never attempted to work below the top layers of .NET.
But, it seems to me that plugging into the core would be a better option
than some kind of wrapper sandbox, especially with regard to change control
(top layers are likely to change more often and more drastically than lower
layers).

Should it be a task of the OWASP.Java team to work with Sun "Mustang"?

Could there ever be a silver bullet sandbox for all executables, regardless
of language?  Wouldn't this turn into just another evolution of anti-virus
programs?

"Even if you just barely scratch the surface, you've made a visible change
that everyone can see and, who knows, may even cause them to want to make a
scratch of their own."

Thinking out loud,
--Eric Swanson

-----Original Message-----
From: owasp-dotnet-admin () lists sourceforge net
[mailto:owasp-dotnet-admin () lists sourceforge net] On Behalf Of Jeff Williams
Sent: Sunday, March 26, 2006 9:02 PM
To: owasp-leaders () lists sourceforge net; owasp-dotnet () lists sourceforge net;
webappsec () securityfocus com; SC-L () securecoding org;
full-disclosure () lists grok org uk; dailydave () lists immunitysec com
Cc: 'Wall, Kevin'
Subject: RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions:
Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile,
and browsers coded in 100% Managed Verifiable code


> I am not a Java expert, but I think that the Java Verifier is NOT used on
> Apps that are executed with the Security Manager disabled (which I believe
> is the default setting) or are loaded from a local disk (see "... applets
> loaded via the file system are not passed through the byte code verifier"
> in http://java.sun.com/sfaq/)

I believe that as of Java 1.2, all Java code except the core libraries must
go through the verifier, unless it is specifically disabled (java
-noverify).  Note that Mustang will have a new, faster, better? verifier and
that Sun has made the new design and implementation available to the
community with a challenge to find security flaws in this important piece of
their security architecture. https://jdk.dev.java.net/CTV/challenge.html.
Kudos to Sun for engaging with the community this way.

--Jeff
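The exchange above turns on whether the verifier actually runs for code loaded from the local disk. On HotSpot that is governed by two product flags, BytecodeVerificationLocal (classes loaded by the trusted bootstrap loader) and BytecodeVerificationRemote (every other loader, including the application class path), which `-Xverify:all`, `-Xverify:remote` (the default) and `-Xverify:none` (the long form of `-noverify`, deprecated since JDK 13) set in combination. The following is an added example, not code from either poster or from Sun: it parses `java -XX:+PrintFlagsFinal -version` output to report which policy a given JVM is running under, so a reviewer can confirm the verifier is on rather than assume it. The sample flag lines are constructed to match the HotSpot default; the `live_flags` helper is an assumption about how one would run the same check against an installed JVM.

```python
import re
import shutil
import subprocess

# Constructed sample of two lines from `java -XX:+PrintFlagsFinal -version`
# (stdout), showing the HotSpot default: bootstrap-loaded classes are not
# verified, everything loaded by any other loader (including the class path) is.
SAMPLE_FLAGS = """\
     bool BytecodeVerificationLocal                 = false                                  {product}
     bool BytecodeVerificationRemote                = true                                   {product}
"""

# Matches the PrintFlagsFinal layout: "<type> <name> = <value> {category}".
FLAG_RE = re.compile(
    r"^\s*bool\s+BytecodeVerification(Local|Remote)\s*=\s*(true|false)\b"
)


def parse_verification_flags(text):
    """Return {"local": bool, "remote": bool} from PrintFlagsFinal output.

    "local"  -> BytecodeVerificationLocal  (bootstrap / trusted loader)
    "remote" -> BytecodeVerificationRemote (all other loaders)
    """
    found = {}
    for line in text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2) == "true"
    if set(found) != {"local", "remote"}:
        raise ValueError("verification flags not found; not PrintFlagsFinal output?")
    return found


def describe_policy(flags):
    """Map the two flags back to the -Xverify option that produces them."""
    if flags["local"] and flags["remote"]:
        return "all"          # -Xverify:all: every class is verified
    if flags["remote"]:
        return "remote"       # -Xverify:remote (default): only non-bootstrap classes
    if not flags["local"]:
        return "none"         # -Xverify:none / -noverify: verifier disabled
    return "local-only"       # unusual hand-set combination; worth asking about


def live_flags(extra_args=()):
    """Run the installed JVM (if any) with the given options and parse its flags.

    Returns None when no `java` binary is on PATH. PrintFlagsFinal writes to
    stdout; -version only makes the JVM start and exit without a main class.
    """
    java = shutil.which("java")
    if java is None:
        return None
    proc = subprocess.run(
        [java, *extra_args, "-XX:+PrintFlagsFinal", "-version"],
        capture_output=True, text=True, check=False,
    )
    return parse_verification_flags(proc.stdout)


if __name__ == "__main__":
    flags = live_flags() or parse_verification_flags(SAMPLE_FLAGS)
    print("verification policy:", describe_policy(flags), flags)
```

Running `describe_policy(live_flags(["-Xverify:none"]))` against a real JVM should report `none`, which is the condition a reviewer wants to rule out for any application that loads untrusted classes; `live_flags(["-Xverify:all"])` shows the opposite extreme.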



-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------





_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/owasp-dotnet





