WebApp Sec mailing list archives
[Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: "Dinis Cruz" <dinis () ddplus net>
Date: Tue, 28 Mar 2006 22:30:24 -0500
Hello Eric (comments inline)

Eric Swanson wrote:
> Because I believe that Microsoft will never be as cooperative with .NET and the developer community as Sun is with Java, is there an opportunity for another company to step up to the plate on Microsoft's behalf?
There is definitely an opportunity here. At the moment I see two big players that could move into that space: Novell and IBM. Both have the resources to do it, and the motivation. The main questions are:
- Do they want to buy that 'war' with Microsoft?
- Do they 'believe' that this is a worthwhile project and one that will help their bottom line?
- Can they do it in an open and transparent way that attracts a strong community to it? (note that this community will be critical to the project, since I believe that no company in the world has the resources to do it by itself)
This could also be done by a very dynamic and well funded Open Source project (maybe by several governments or by companies/corporations which decide that they need to be more proactive in the protection of their critical resources and assets)
> The .NET Framework is completely public, and, although Mono continues to have its workload increased by each Framework release, I think there may be an opportunity for a company or organization to step in and take the reins where Microsoft left off. How possible is it to "plug in" to the CLR and make extensions to the core?
It is very doable. Note that there are already 4 different flavors of the CLR (Microsoft's .Net Framework, Rotor, Mono and DotGnu). See also the Postbuild commercial application (http://www.xenocode.com/Products/Postbuild/) which claims (I have not used it) to create native x86 executables which allow .NET applications to run anywhere, with or without the Framework. This is something that I always wanted to do since it should (depending on how it is done) allow the dramatic reduction of code (and dlls) that needs to be loaded in memory (the ultimate objective would be to create mini-VMs that were completely isolated from the host OS (or only having very specific interfaces / contact points)). Also, while I was doing my 'Rooting the CLR' research, since Microsoft does provide the symbols for the core .Net assemblies, there is a lot that can be done at that level. That said, this work would be greatly simplified if Microsoft released the source code of the entire .Net Framework :)
> Perhaps a better project for OWASP.NET than security vulnerability detection utilities is a security plug-in to the CLR engine for byte code signature registration and verification?
Agree, the problem we have is resources (and lack of funding). Btw, at Owasp .Net we now have much more than just 'Security Vulnerability Detection Utilities' :) Apart from those utilities (namely ANSA and ANBS) we now also have:
* Owasp Site Generator : Dynamic website creator to test Web Application Scanners and Web Application Firewalls (and a great tool for developers to learn about security vulnerabilities)
* Owasp PenTest Reporter : Tool that aids in the process of documenting, reporting and tracking security vulnerabilities discovered during Penetration Testing engagements
* DefApp (Proof of Concept): Web Application Firewall
Another project that I would love to do is to work on a plug-in manager for Firefox which would execute all Firefox plug-ins in a managed and verifiable .Net sandbox (maybe built around mono (which was where this idea was suggested to me))
> Would this task even be feasible? (Managed code only?) Is it even worth the effort, considering the possibility of further development from Microsoft?
I think that it would be worth the effort, the problem is 'who will fund this'. I don't think that this is a project that can be done on the backs of the odd spare times that its main developers would be able to allocate to it.
> *Personally, I have never attempted to work below the top layers of .NET.
It's not that hard :)
> But, it seems to me that plugging into the core would be a better option than some kind of wrapper sandbox, especially with regard to change control (top layers are likely to change more often and more drastically than lower layers).
Absolutely, and remember that ideally this tool would also remove 95% of that 'top layer' since it is not required. I am also not convinced of the robustness of the current implementation of CAS in .Net 1.1 and 2.0. There are too many security demands in too many places.
> Should it be a task of the OWASP.Java team to work with Sun "Mustang"?
Maybe, but first you need to create that Owasp.Java team :) There are a lot of Java guys at Owasp, but they all are working on separate projects
> Could there ever be a silver bullet sandbox for all executables, regardless of language?
No, I don't think so. You will need to look at each different type of executable (mobile code, web apps, desktop apps, windows services, 'real-time apps', etc..) and create solutions for each one (there might be tons of code reuse, but the focus will be different). This means that you will need different versions of the Garbage Collector, different versions of the security manager, and probably even different versions of the Verifier. And the best justification for having these different versions of core components of the CLR is given by Microsoft's failed attempt with Vista to implement large parts of the OS on top of the .Net Framework. I don't know the details of this failure (since I was not there) but my belief is that the fundamental problem was that they were using the .Net CLR in ways it was never designed for (for example in time-sensitive apps or heavy graphics / memory manipulation). The problem was not that Microsoft tried to build Vista on top of managed code, the problem was that they did it on top of the .Net Framework.
> Wouldn't this turn into just another evolution of anti-virus programs?
Well, anti-virus will probably, eventually, create such sandboxed environments, but at the moment I don't see a lot of movement from that side.
> "Even if you just barely scratch the surface, you've made a visible change that everyone can see and, who knows, may even cause them to want to make a scratch of their own."
Perfect quote, and I have to say that all that I am trying to do here is to raise the awareness of these issues in the hope that somebody, somewhere will take them seriously and start the process of creating secure and trustworthy computing environments.
> Thinking out loud,
So am I :)
> --Eric Swanson
Dinis Cruz
Owasp .Net Project
www.owasp.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 27)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Stephen de Vries (Mar 27)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- [Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Eric Swanson (Mar 27)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- [Full-disclosure] Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 28)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L]4 Questions: Latest IE vulnerability, Firefox vs IE security,Uservs Admin risk profile,and browsers coded in 100% Managed Verifiable code ol (Mar 27)
- <Possible follow-ups>
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Stephen de Vries (Mar 29)
- Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Stephen de Vries (Mar 27)